Edit tour

Windows Analysis Report
tyPafmiT0t.exe

Overview

General Information

Sample name:	tyPafmiT0t.exe renamed because original name is a hash value
Original sample name:	bc45b7861276839bd565daa9c370722ddaee8969.exe
Analysis ID:	1582807
MD5:	568d4673286ea9b9c70d7a68351f5071
SHA1:	bc45b7861276839bd565daa9c370722ddaee8969
SHA256:	2fe37b360b2266297431b3ca5857efd07ffdfe88630f402a75cf3c3252e03808
Tags:	exeuser-NDA0E
Infos:

Detection

44Caliber Stealer, BlackGuard, Rags Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected 44Caliber Stealer

Yara detected BlackGuard

Yara detected Rags Stealer

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tyPafmiT0t.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\tyPafmiT0t.exe" MD5: 568D4673286EA9B9C70D7A68351F5071)

WerFault.exe (PID: 1660 cmdline: C:\Windows\system32\WerFault.exe -u -p 1216 -s 1680 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackGuard	According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.	No Attribution	https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/ https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer https://cyberint.com/blog/research/blackguard-stealer/ https://ke-la.com/information-stealers-a-new-landscape/ https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5	https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

Malware Configuration

Threatname: 44Caliber Stealer

{"Discord Webhook": "https://discord.com/api/webhooks/1215365574050320435/Xs0uw6QCOgwmHxgulV8bRwClRHSPZDdcc_n9uVnaO_5U4aAeOP21GI-qx7kxwlSROYeG\u00019900"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
tyPafmiT0t.exe	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
tyPafmiT0t.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
tyPafmiT0t.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
tyPafmiT0t.exe	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
tyPafmiT0t.exe	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
tyPafmiT0t.exe	infostealer_win_44caliber	Finds samples of the 44Caliber stealer	Sekoia.io	0x48906:$str0: 44 CALIBER 0x416d5:$str1: https://api.vimeworld.ru/user/name/ 0x4171d:$str2: https://freegeoip.app/xml/ 0x427ad:$str3: SOFTWARE\Wow6432Node\Valve\Steam 0x4292d:$str4: VPN\NordVPN\\accounts.txt 0x4298f:$str5: OpenVPN Connect\profiles 0x4b8a4:$str6: FuckTheSystem Copyright 0x42017:$str7: lolz.guru 0x43dad:$str7: lolz.guru 0x43ddb:$str8: xss.is 0x3b56a:$str9: Test message recieved successfully! :raised_hands: 0x3b855:$str10: Specify a single character: either D or F
tyPafmiT0t.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x3597d:$str01: set_sUsername 0x35da7:$str02: set_sIsSecure 0x3718d:$str03: set_sExpMonth 0x3925e:$str04: WritePasswords 0x39414:$str05: WriteCookies 0x39a32:$str06: sChromiumPswPaths 0x39a1f:$str07: sGeckoBrowserPaths 0x43c47:$str08: Username: {1} 0x43c63:$str09: Password: {2} 0x44de3:$str10: encrypted_key":"(.*?)"
tyPafmiT0t.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x411b3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
tyPafmiT0t.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x42887:$s1: \VPN\NordVPN 0x4292b:$s1: \VPN\NordVPN 0x429c1:$s2: \VPN\OpenVPN 0x42a2f:$s3: \VPN\ProtonVPN
tyPafmiT0t.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x44133:$s11: \Ethereum\keystore 0x4113c:$v1_5: sharedSecret 0x43255:$v1_6: ":"([^"]+)" 0x3925e:$v1_8: WritePasswords 0x39a1f:$v1_9: sGeckoBrowserPaths 0x34e9d:$v1_10: get_sPassword
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x40fb3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1648680232.000002960003F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
00000000.00000002.1648680232.00000296000C6000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xbff4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xc72c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: tyPafmiT0t.exe PID: 1216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tyPafmiT0t.exe PID: 1216	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
Process Memory Space: tyPafmiT0t.exe PID: 1216	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
Process Memory Space: tyPafmiT0t.exe PID: 1216	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x29e90:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x53a0b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x53af6:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	JoeSecurity_RagsStealer	Yara detected Rags Stealer	Joe Security
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	JoeSecurity_44CaliberStealer	Yara detected 44Caliber Stealer	Joe Security
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	infostealer_win_44caliber	Finds samples of the 44Caliber stealer	Sekoia.io	0x48906:$str0: 44 CALIBER 0x416d5:$str1: https://api.vimeworld.ru/user/name/ 0x4171d:$str2: https://freegeoip.app/xml/ 0x427ad:$str3: SOFTWARE\Wow6432Node\Valve\Steam 0x4292d:$str4: VPN\NordVPN\\accounts.txt 0x4298f:$str5: OpenVPN Connect\profiles 0x4b8a4:$str6: FuckTheSystem Copyright 0x42017:$str7: lolz.guru 0x43dad:$str7: lolz.guru 0x43ddb:$str8: xss.is 0x3b56a:$str9: Test message recieved successfully! :raised_hands: 0x3b855:$str10: Specify a single character: either D or F
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x3597d:$str01: set_sUsername 0x35da7:$str02: set_sIsSecure 0x3718d:$str03: set_sExpMonth 0x3925e:$str04: WritePasswords 0x39414:$str05: WriteCookies 0x39a32:$str06: sChromiumPswPaths 0x39a1f:$str07: sGeckoBrowserPaths 0x43c47:$str08: Username: {1} 0x43c63:$str09: Password: {2} 0x44de3:$str10: encrypted_key":"(.*?)"
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x411b3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x42887:$s1: \VPN\NordVPN 0x4292b:$s1: \VPN\NordVPN 0x429c1:$s2: \VPN\OpenVPN 0x42a2f:$s3: \VPN\ProtonVPN
0.0.tyPafmiT0t.exe.296670a0000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x44133:$s11: \Ethereum\keystore 0x4113c:$v1_5: sharedSecret 0x43255:$v1_6: ":"([^"]+)" 0x3925e:$v1_8: WritePasswords 0x39a1f:$v1_9: sGeckoBrowserPaths 0x34e9d:$v1_10: get_sPassword
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tyPafmiT0t.exe

Avira: detected

Found malware configuration

Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack

Malware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/1215365574050320435/Xs0uw6QCOgwmHxgulV8bRwClRHSPZDdcc_n9uVnaO_5U4aAeOP21GI-qx7kxwlSROYeG\u00019900"}

Multi AV Scanner detection for submitted file

Source: tyPafmiT0t.exe	Virustotal: Detection: 70%			Perma Link
Source: tyPafmiT0t.exe	ReversingLabs: Detection: 75%

Yara detected BlackGuard

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: tyPafmiT0t.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49707 version: TLS 1.2

Source: tyPafmiT0t.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: C:\Users\User\Desktop\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb& source: tyPafmiT0t.exe, 00000000.00000002.1656815634.00000296695A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp, WER193A.tmp.dmp.4.dr
Source:	Binary string: Insidious.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER193A.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: t.PDB> source: tyPafmiT0t.exe, 00000000.00000002.1653772611.0000029667310000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8[ source: WER193A.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb#( source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: C:\Users\User\Desktop\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: tyPafmiT0t.exe
Source:	Binary string: System.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER193A.tmp.dmp.4.dr

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Code function: 4x nop then mov eax, dword ptr [ebp-24h]	0_2_00007FFB4ACDAC50
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Code function: 4x nop then jmp 00007FFB4ACD3D1Fh	0_2_00007FFB4ACD3BCD
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Code function: 4x nop then jmp 00007FFB4ACD853Ah	0_2_00007FFB4ACD8505

Networking

Yara detected Generic Downloader

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: freegeoip.app

Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: cert9.db.0.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.0.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.app
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.0.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.000002960021B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: cert9.db.0.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.0.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: tyPafmiT0t.exe	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tyPafmiT0t.exe	String found in binary or memory: https://discord.com/api/webhooks/1215365574050320435/Xs0uw6QCOgwmHxgulV8bRwClRHSPZDdcc_n9uVnaO_5U4aA
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: tyPafmiT0t.exe, 00000000.00000002.1653772611.000002966730A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/
Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: tyPafmiT0t.exe	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp168A.tmp.tmpdb.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: tyPafmiT0t.exe, Screen.cs

.Net Code: GetScreen

E-Banking Fraud

Yara detected BlackGuard

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: Finds samples of the 44Caliber stealer Author: Sekoia.io
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds samples of the 44Caliber stealer Author: Sekoia.io
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1648680232.00000296000C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1216 -s 1680

Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInsidious.exe6 vs tyPafmiT0t.exe
Source: tyPafmiT0t.exe	Binary or memory string: OriginalFilenameInsidious.exe6 vs tyPafmiT0t.exe

Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: infostealer_win_44caliber author = Sekoia.io, description = Finds samples of the 44Caliber stealer, creation_date = 2022-03-08, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/razexgod/44CALIBER, id = 44e5bbc1-f442-47d3-8431-25182f38439d
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: tyPafmiT0t.exe, type: SAMPLE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_44caliber author = Sekoia.io, description = Finds samples of the 44Caliber stealer, creation_date = 2022-03-08, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/razexgod/44CALIBER, id = 44e5bbc1-f442-47d3-8431-25182f38439d
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1648680232.00000296000C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: tyPafmiT0t.exe, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@2/15@1/1

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

File created: C:\Users\user\AppData\Roaming\44

Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1216

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

File created: C:\Users\user\AppData\Local\Temp\tmp168A.tmp

Jump to behavior

Source: tyPafmiT0t.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tyPafmiT0t.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.00000296001F9000.00000004.00000800.00020000.00000000.sdmp, tyPafmiT0t.exe, 00000000.00000002.1648680232.000002960007E000.00000004.00000800.00020000.00000000.sdmp, tmp1719.tmp.dat.0.dr, tmp178B.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tyPafmiT0t.exe	Virustotal: Detection: 70%
Source: tyPafmiT0t.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

File read: C:\Users\user\Desktop\tyPafmiT0t.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tyPafmiT0t.exe "C:\Users\user\Desktop\tyPafmiT0t.exe"
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1216 -s 1680

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: tyPafmiT0t.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tyPafmiT0t.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: tyPafmiT0t.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: C:\Users\User\Desktop\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb& source: tyPafmiT0t.exe, 00000000.00000002.1656815634.00000296695A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp, WER193A.tmp.dmp.4.dr
Source:	Binary string: Insidious.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WER193A.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Core.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: t.PDB> source: tyPafmiT0t.exe, 00000000.00000002.1653772611.0000029667310000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8[ source: WER193A.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb#( source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: C:\Users\User\Desktop\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: tyPafmiT0t.exe
Source:	Binary string: System.ni.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER193A.tmp.dmp.4.dr
Source:	Binary string: System.Core.ni.pdb source: WER193A.tmp.dmp.4.dr

Source: tyPafmiT0t.exe

Static PE information: 0x99D9E225 [Tue Oct 17 22:07:33 2051 UTC]

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Code function: 0_2_00007FFB4ACDA05B push ecx; ret	0_2_00007FFB4ACDA05C
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Code function: 0_2_00007FFB4ACD00BD pushad ; iretd	0_2_00007FFB4ACD00C1
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Code function: 0_2_00007FFB4ACD021D push E95D8C98h; ret	0_2_00007FFB4ACD0259

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Memory allocated: 29667430000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Memory allocated: 29668D40000 memory reserve \| memory write watch			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: tyPafmiT0t.exe, 00000000.00000002.1656815634.0000029669510000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: tyPafmiT0t.exe, 00000000.00000002.1656815634.000002966957E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690O
Source: tmp175B.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Queries volume information: C:\Users\user\Desktop\tyPafmiT0t.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\tyPafmiT0t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected 44Caliber Stealer

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR

Yara detected BlackGuard

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Rags Stealer

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1648680232.000002960003F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum
Source: tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600182000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JaxxDir
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ExodusDir
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: tyPafmiT0t.exe, 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\tyPafmiT0t.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR

Remote Access Functionality

Yara detected 44Caliber Stealer

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR

Yara detected BlackGuard

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Rags Stealer

Source: Yara match	File source: tyPafmiT0t.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tyPafmiT0t.exe.296670a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1648680232.000002960003F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tyPafmiT0t.exe PID: 1216, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tyPafmiT0t.exe	70%	Virustotal		Browse
tyPafmiT0t.exe	76%	ReversingLabs	ByteCode-MSIL.Infostealer.Stealgen
tyPafmiT0t.exe	100%	Avira	HEUR/AGEN.1307065
tyPafmiT0t.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
https://steamcommunity.com/profiles/ASOFTWARE	tyPafmiT0t.exe	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	tmp168A.tmp.tmpdb.0.dr	false		high
https://freegeoip.app/	tyPafmiT0t.exe, 00000000.00000002.1653772611.000002966730A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1215365574050320435/Xs0uw6QCOgwmHxgulV8bRwClRHSPZDdcc_n9uVnaO_5U4aA	tyPafmiT0t.exe	false		high
https://freegeoip.app	tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.0.dr	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.0.dr	false		high
https://www.ecosia.org/newtab/	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp168A.tmp.tmpdb.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
http://x1.c.lencr.org/0	cert9.db.0.dr	false		high
http://x1.i.lencr.org/0	cert9.db.0.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.0.dr	false		high
https://api.vimeworld.ru/user/name/	tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	tyPafmiT0t.exe	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp168A.tmp.tmpdb.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tyPafmiT0t.exe, 00000000.00000002.1648680232.000002960021B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tyPafmiT0t.exe, 00000000.00000002.1649704294.000002961008A000.00000004.00000800.00020000.00000000.sdmp, tmp16BA.tmp.dat.0.dr, tmp172B.tmp.dat.0.dr	false		high
http://freegeoip.app	tyPafmiT0t.exe, 00000000.00000002.1648680232.0000029600076000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	freegeoip.app	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582807
Start date and time:	2024-12-31 15:01:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tyPafmiT0t.exe renamed because original name is a hash value
Original Sample Name:	bc45b7861276839bd565daa9c370722ddaee8969.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@2/15@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 74% Number of executed functions: 71 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.190.159.68, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tyPafmiT0t.exe, PID 1216 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:34	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freegeoip.app	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.97.3
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.73.97
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	188.114.97.3
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.96.3
	Insidious_protected.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	nyen2eabmfb.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	104.21.85.189
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	104.21.96.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.96.3
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	188.114.96.3
	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	188.114.96.3
	re5.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tyPafmiT0t.exe_47803c29e8a60989bb5bcd940187fa4c02d4def_49cefad2_10d69c00-b4b5-4722-a3d6-ded3be10235a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1128708372424232
Encrypted:	false
SSDEEP:	192:751zRg4oeetsr809c0jwaWBTmlSeZBzuiFOZ24lO8I9K:tg4oeetsL9c0jwamUSmBzuiFOY4lO8I
MD5:	C764B103300E05284327ABF78618117C
SHA1:	83BC7B735936C30D0143DC69700888792637B165
SHA-256:	95398FD305D9EB32F8E297322248897ADE68E28079270723063FC41177633223
SHA-512:	42297AD4F6507C722A49B0FA3B31CB4A2D11DD3D3F2211F8B12124C2317E3FA8768EFC5A9CD4BEDA50DFD1F3369E5F0CB155244B76BCAEF040060B0F387E89DF
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.2.7.3.4.8.8.0.7.3.1.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.1.2.7.3.5.0.2.6.0.4.2.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.d.6.9.c.0.0.-.b.4.b.5.-.4.7.2.2.-.a.3.d.6.-.d.e.d.3.b.e.1.0.2.3.5.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.e.e.5.c.6.b.-.0.a.1.e.-.4.0.d.a.-.a.7.d.5.-.d.9.5.1.c.b.1.b.0.6.5.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.t.y.P.a.f.m.i.T.0.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.i.d.i.o.u.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.c.0.-.0.0.0.1.-.0.0.1.4.-.7.0.8.e.-.3.5.9.e.8.c.5.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.1.8.6.e.c.8.a.7.1.b.7.6.8.8.5.0.a.d.2.d.f.e.6.a.d.f.3.7.6.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.4.5.b.7.8.6.1.2.7.6.8.3.9.b.d.5.6.5.d.a.a.9.c.3.7.0.7.2.2.d.d.a.e.e.8.9.6.9.!.t.y.P.a.f.m.i.T.0.t.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER193A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Dec 31 14:02:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	558577
Entropy (8bit):	3.3532855530501595
Encrypted:	false
SSDEEP:	6144:qqX4pFq9JYO23QEXHXw7wn//rbsZ1QnSpD:qqXEq90QEXHvTNm
MD5:	EF686892CDCBE081EFDF4835EED2CD12
SHA1:	EE18577CFD769AD7CD4D8DFB1AC0765BAB6B4F9E
SHA-256:	953AC37581B9066ADAD2A1901790941057A3876C35BD27971EB37324683AFB99
SHA-512:	2BB801D10D8EDD28F31D964F2080137BB1F62CECDF84AEA41158F86D902714FDAF4D889E54083BC381669C6EA5C831C2040362E033CE273E59782B9A1679A1D3
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......u.sg........................,...$.......<...P$......t....$.......Z..............l.......8...........T...........pE...@...........7...........8..............................................................................eJ.......9......Lw......................T...........p.sg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DEE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8608
Entropy (8bit):	3.689441837566276
Encrypted:	false
SSDEEP:	192:R6l7wVeJLjOj6YSPBJgmfZuiHprH89b7S3fcT2pm:R6lXJ/66YKPgmfMiC7yfct
MD5:	E6CDCB668E41903EB1CFCAEAC5BACE95
SHA1:	7AF50B953843DAEDA86ABCE6105264D0737143CC
SHA-256:	A7085410A8030A26A19C6871735A5C925757DD8E636686F0155E7F09155F1EEF
SHA-512:	125C18C754A4A538D6B1C56A4A42F68E85B195472547932C63665A6CCB8D9864460E0ABC8FCE003E425F5E444946BFA91E95E9975FAC872C19E25B18D4930437
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E1E.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4804
Entropy (8bit):	4.45540588769458
Encrypted:	false
SSDEEP:	48:cvIwWl8zseJg771I9BOWpW8VYHzYm8M4JFASEoFdyq8v7ASEEXCN2cd:uIjfUI7qv7V2mJmYWcEXCN2cd
MD5:	C3A092C128AB4FFD2798FC45350D4359
SHA1:	D727B2B1A8EA8A416FCA8BAABF321DBDB4B2638D
SHA-256:	83B87796E71675CCC7E4DFF3412ADDDE81EC0AE51C0168D867FAB99E8E7644EC
SHA-512:	A51138F439E9E6E02D8ECE0BA62887F438137FB52F93B66130FD480FEBA75F723F0408CF02F2ADB17E2DA0384203F256D9B6842DFA03DCC4BC07EE8BC35E4F96
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="655505" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\Public\24a4ohrz.default-release\cert9.db

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.6434294034339584
Encrypted:	false
SSDEEP:	384:A1zkVmvQhyn+Zoz67wNlvMM4333JCN87/LKX15kuv:AhjMmCqR
MD5:	515AEBFD1A85F4A59C3009D04D95D765
SHA1:	67593344CBEF68DB6F90AD02E4FB658036455FAF
SHA-256:	8FD38413C29B8801CF5C5C13027786907F4D3D2F03CB5ADC25BF43B860D13DF0
SHA-512:	CAFB98EB2573E6898DC00F23B683F576C6852EEB99C135FBF27045932E0DBBF749159EA13876718CAEA7C06960762CEADCF2307F66DFA7CB9A88AB1EA2E1CE8B
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\24a4ohrz.default-release\key4.db

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08432026317203951
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vD:51zkVmvQhyn+Zoz67+
MD5:	C444D5B9503F9CCFA9750AB3D51848E9
SHA1:	FFF755261E04C7502AF2F172DE3752D9458100FE
SHA-256:	66EA7282C9A15E75F5F52CB5D745FD1B4830045EB70D99AB4F07744A67E0879E
SHA-512:	E22CC4F41EC10146718E2767B68DCB20CF02AEC55DA8686988A16350045D6A31B9CDF16B7329EE436E9DBF1795699809819FEC2E7D9D460B046FAEC65BC48334
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp168A.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03708713717387235
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxW/Hy4XJwvnzfXfYf6zfTfN/0DApVJCI:58r54w0VW3xW/bXWzvACzbJ0DApVJ
MD5:	85D6E1D7F82C11DAC40C95C06B7B5DC5
SHA1:	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD
SHA-256:	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
SHA-512:	5DD2B75138EFB9588E14997D84C23C8225F9BFDCEA6A2A1D542AD2C6728484E7E578F06C4BA238853EAD9BE5F9A7CCCF7B2B49A0583FF93D67F072F2C5165B14
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp16BA.tmp.dat

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1719.tmp.dat

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp172A.tmp.tmpdb

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp172B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp175B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp176B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp178B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\tyPafmiT0t.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.37231274209532
Encrypted:	false
SSDEEP:	6144:2FVfpi6ceLP/9skLmb0IyWWSPtaJG8nAge35OlMMhA2AX4WABlguNIiL:WV1WyWWI/glMM6kF7Kq
MD5:	5E759D34918CF6E93859C9039CBC7ADA
SHA1:	508D7AB4D5EC10054FA0859D9B089230DBA1D7C3
SHA-256:	A44A929A2BECB5B027F17DDCDC7F794FFB43CA330087F02B257AB2B9C8783271
SHA-512:	51DCE97E7030F6ACFD049D4A4A1CC3F07540495E40363775BBCF510BF372E3CD605BFECC3B133A2E3B0E02DC99B8E097C8FC8FF883DA72BB77BD8225242F9309
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6....[..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.799344276030763
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	tyPafmiT0t.exe
File size:	310'784 bytes
MD5:	568d4673286ea9b9c70d7a68351f5071
SHA1:	bc45b7861276839bd565daa9c370722ddaee8969
SHA256:	2fe37b360b2266297431b3ca5857efd07ffdfe88630f402a75cf3c3252e03808
SHA512:	8d9eb7572c71bda79111b59bdd0e0fc4cec38d3bc591471269a2bf0655b13e82483d68b9fe4ff357176a36b27d7ae48361d052c0c8122e4572bef318b5acb0e1
SSDEEP:	6144:Y5hxT6MDdbICydeBvQ26i2dVTZy6TmA1D0y6z:Y5dY26i2vT4o1DQz
TLSH:	D664480827F88A65F5BE9BBEC0B551508371B466B83FDB4E1EC160EA2D32350CD49B67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%............."...0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44adb2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x99D9E225 [Tue Oct 17 22:07:33 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
adc byte ptr [ecx], dl
adc al, byte ptr [eax]
or byte ptr [edi], al
or dword ptr [esi], eax
or al, byte ptr [030C040Bh]
or eax, 0F010E02h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], cl
or byte ptr [eax], al
mov word ptr [eax], es
or byte ptr [eax], al
dec esp
add byte ptr [eax], cl
add ah, cl
add byte ptr [eax], cl
add byte ptr [eax+eax], ch
or byte ptr [eax], al
lodsb
add byte ptr [eax], cl
add byte ptr [eax+eax+08h], ch
add ah, ch
add byte ptr [eax], cl
add byte ptr [eax+eax], bl
or byte ptr [eax], al
pushfd
add byte ptr [eax], cl
add byte ptr [eax+eax+08h], bl
add ah, bl
add byte ptr [eax], cl
add byte ptr [eax+eax], bh
or byte ptr [eax], al
mov esp, 7C000800h
add byte ptr [eax], cl
add ah, bh
add byte ptr [eax], cl
add byte ptr [edx], al
add byte ptr [eax], cl
add byte ptr [edx+42000800h], al
add byte ptr [eax], cl
add dl, al
add byte ptr [eax], cl
add byte ptr [edx], ah
add byte ptr [eax], cl
add byte ptr [edx+62000800h], ah
add byte ptr [eax], cl
add dl, ah
add byte ptr [eax], cl
add byte ptr [edx], dl
add byte ptr [eax], cl
add byte ptr [edx+52000800h], dl
add byte ptr [eax], cl
add dl, dl
add byte ptr [eax], cl
add byte ptr [edx], dh
add byte ptr [eax], cl
add byte ptr [edx+72000800h], dh
add byte ptr [eax], cl
add dl, dh
add byte ptr [eax], cl
add byte ptr [edx], cl
add byte ptr [eax], cl
add byte ptr [edx+4A000800h], cl
add byte ptr [eax], cl
add dl, cl
add byte ptr [eax], cl
add byte ptr [edx], ch
add byte ptr [eax], cl
add byte ptr [edx+6A000800h], ch
add byte ptr [eax], cl
add dl, ch
add byte ptr [eax], cl
add byte ptr [edx], bl
add byte ptr [eax], cl
add byte ptr [edx+5A000800h], bl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ad5f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x5f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4acc8	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4b3a8	0x4b400	66d9940299caeb387f06a6fc24de04f9	False	0.4019706447259136	data	5.8123348639315555	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x5f8	0x600	921d375c8efa76f5064b2cab322a95ec	False	0.4381510416666667	data	4.2678145072196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	47f1539ae7064a52cd6c757f4bd1ae1b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x4e090	0x368	data			0.4231651376146789
RT_MANIFEST	0x4e408	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 15:02:29.534868956 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:29.534914970 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:29.534972906 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:29.554894924 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:29.554918051 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:30.020421982 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:30.020495892 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:36.024080992 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:36.024118900 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:36.024460077 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:36.065751076 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:36.105819941 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:36.151335001 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:36.395819902 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:36.395881891 CET	443	49707	188.114.96.3	192.168.2.8
Dec 31, 2024 15:02:36.395935059 CET	49707	443	192.168.2.8	188.114.96.3
Dec 31, 2024 15:02:37.101537943 CET	49707	443	192.168.2.8	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 15:02:29.519993067 CET	49411	53	192.168.2.8	1.1.1.1
Dec 31, 2024 15:02:29.528493881 CET	53	49411	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 15:02:29.519993067 CET	192.168.2.8	1.1.1.1	0x4224	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 15:02:29.528493881 CET	1.1.1.1	192.168.2.8	0x4224	No error (0)	freegeoip.app		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:29.528493881 CET	1.1.1.1	192.168.2.8	0x4224	No error (0)	freegeoip.app		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	188.114.96.3	443	1216	C:\Users\user\Desktop\tyPafmiT0t.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:36 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-12-31 14:02:36 UTC	853	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 31 Dec 2024 14:02:36 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 31 Dec 2024 15:02:36 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IWgZsh6mnfuI5cU29qG4edxpkk9M3G6kDvoPRCOXdkpkKgVleXkfzkTUuIDU8IbyC5%2BP3BQtnq5T6zfrQf7bD4B3S%2B5igI1Bga7VGU3RMm62WYz%2B5BMnPRjWm40mRbhj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8faacee91a4619c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1969&rtt_var=753&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=681&delivery_rate=1439132&cwnd=146&unsent_bytes=0&cid=0dddbad516f2d0a3&ts=6388&x=0"
2024-12-31 14:02:36 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	09:02:24
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\tyPafmiT0t.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\tyPafmiT0t.exe"
Imagebase:	0x296670a0000
File size:	310'784 bytes
MD5 hash:	568D4673286EA9B9C70D7A68351F5071
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_44CaliberStealer, Description: Yara detected 44Caliber Stealer, Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1543581899.00000296670A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000000.00000002.1648680232.000002960003F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1648680232.00000296000C6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:02:28
Start date:	31/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1216 -s 1680
Imagebase:	0x7ff7f95d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFB4ACDAC50 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b129c0cb99356b08b7252d39f4b9239b352aac93ccccdf100165766140f276
Instruction ID: a990f39b5e5712c641b8d9e7e132273c015a3e059b7a34cda4871bf8e1a8cf63
Opcode Fuzzy Hash: 30b129c0cb99356b08b7252d39f4b9239b352aac93ccccdf100165766140f276
Instruction Fuzzy Hash: 04918C7090D55E8FDB91EF68C885AEDBBB5FF89310F5041A9C04DE7692CB38A985CB40

Function 00007FFB4ACD3BCD Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9218dcf9e74e3191c1d6f37f2befdaff9b9b82ffc2605e8958480cafd003de41
Instruction ID: 977b897ee089e9506749d216180bc3dcecf5deb3429c20c8503675a1e701efbe
Opcode Fuzzy Hash: 9218dcf9e74e3191c1d6f37f2befdaff9b9b82ffc2605e8958480cafd003de41
Instruction Fuzzy Hash: C951C57090E69A5FD742EFB8C8A55FDBFB4EF06204F1404EAC4899B5D3DB299406CB81

Function 00007FFB4ACD8505 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a0bc5f4e91a2e762219fa3d9a2b8668b8f434effedde8ca645067c4d1ce538
Instruction ID: c29ef8dc16ce68cdca92d7e1b4db8ffb1d80d909c087bcafb4c4533e115d054d
Opcode Fuzzy Hash: 23a0bc5f4e91a2e762219fa3d9a2b8668b8f434effedde8ca645067c4d1ce538
Instruction Fuzzy Hash: 93111C71D0D6198FEB95EE78D9516FCB3B5EF4A301F6050B8D00DA3692CA39A941CF04

Function 00007FFB4ACD48FA Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

N, xrefs: 00007FFB4ACD4939

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: da652e6fc31d3a60dc9cadac299f5df8204b2d3a4c7f1210052eb9bbe4b67ea0
Instruction ID: 2904a20915865480b8a0c2b324fd498bc450de94e1dc349b9d00a29ffff533f7
Opcode Fuzzy Hash: da652e6fc31d3a60dc9cadac299f5df8204b2d3a4c7f1210052eb9bbe4b67ea0
Instruction Fuzzy Hash: 6721286B70D6664BD312BFBDFD951D9BB64EF82372B1408B7D348CA083D915500A83E1

Function 00007FFB4ACD883D Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

3N_^, xrefs: 00007FFB4ACD888B

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID: 3N_^
API String ID: 0-934244360
Opcode ID: b8e6a176e3d8be33e79daa42f218b7eb708f8b83e79c24f4aa89fa0a2ccda338
Instruction ID: 1b6b95fbd998e9d5d496f8a0ac30a17a48d9f398c81865d75584fc45d546d1c5
Opcode Fuzzy Hash: b8e6a176e3d8be33e79daa42f218b7eb708f8b83e79c24f4aa89fa0a2ccda338
Instruction Fuzzy Hash: 99314570A08A6D8FDBA1EF68C8547EDBBF1EF59300F1445EA804CE3292CA345985CB80

Function 00007FFB4ACD3EF0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8031c4d30811cc771468d410e40f822b37d8c5a2e1e57f88344a5a033bd24fc
Instruction ID: 695f74163be9650de5e6eb100485073845d79899a00d85ec02cdb0c3ca5771de
Opcode Fuzzy Hash: a8031c4d30811cc771468d410e40f822b37d8c5a2e1e57f88344a5a033bd24fc
Instruction Fuzzy Hash: E4C117D3A0EAC20FE356EF7CED651E53FA4DF9222571801FBD0C88E297D918584A8395

Function 00007FFB4ACD64A0 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3c2b5d4cb801542fbf4358519d6b0f77d0605d05c058d2191fec4736e793c4
Instruction ID: ab7220ada993a1cdaeb6a430cc0f8641fdc3345b698c49e6ef5a020782bdff96
Opcode Fuzzy Hash: fb3c2b5d4cb801542fbf4358519d6b0f77d0605d05c058d2191fec4736e793c4
Instruction Fuzzy Hash: 63F14A70E0861DCFDB95EF68C894AEDB7B1FF58304F2041A9D409E7696CA35A982CF50

Function 00007FFB4ACD3F08 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ba50f5a707d04dd512b93e6532a4982311a27ea5301a5442e6269634fb7234
Instruction ID: 16f4af7ca71c5379231ec98bb0340e55d1748fd38248ca1bf1ef4b051cd5dd73
Opcode Fuzzy Hash: 06ba50f5a707d04dd512b93e6532a4982311a27ea5301a5442e6269634fb7234
Instruction Fuzzy Hash: AFC117D3A0EAC20FE356EF7CED651E53FA4DF9222471801FBD0C88E297D918584A8395

Function 00007FFB4ACD3F28 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a37c2462d6089db10c46cebac89efcc31f840965e06b1f5ebb5df38dafe199
Instruction ID: 740b259733ce3a1bb28e92787c94a28fa90a7bc7d1677bd649104ff2dbb27608
Opcode Fuzzy Hash: c7a37c2462d6089db10c46cebac89efcc31f840965e06b1f5ebb5df38dafe199
Instruction Fuzzy Hash: AAC106D3A0EAC20FE356EF7CED651E93FA4DF9222471801FBD0C88E197D918584A8395

Function 00007FFB4ACD3F48 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27af871d789da7a599d685e3fb3b1b5db118f3a81c59f00c2ca5ee47f25a0c1
Instruction ID: d56c0597ff62e0e3e92fc806a74c83872361d08234db383c583c3972c1378419
Opcode Fuzzy Hash: c27af871d789da7a599d685e3fb3b1b5db118f3a81c59f00c2ca5ee47f25a0c1
Instruction Fuzzy Hash: 2DB117D3A0EAC20FE356EF7CED651E93FA4DF9222471801FBD0C88E197D918584A8395

Function 00007FFB4ACD3F60 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c236c4da7fc174315f9abb43088f29fe9eb4caa69c1ae9cb037eb2b85344790a
Instruction ID: 4f3c6e3f93d8bf0235fd36b144bfe7e5cfff5404453c2904319147505a7cb8e1
Opcode Fuzzy Hash: c236c4da7fc174315f9abb43088f29fe9eb4caa69c1ae9cb037eb2b85344790a
Instruction Fuzzy Hash: 87B106D3A0E6C20BE356EF7CED651E97FA4DF8222471801FBD0C88E197D918584A8395

Function 00007FFB4ACD1350 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07808dde8a03a6be31f9d93981ff7a73f9a8d33b1c6d9a099183948da5dab335
Instruction ID: 6311c4d4692b226872381809d2e07d5dec8608d0bd3eeb89b3f0abfad036658d
Opcode Fuzzy Hash: 07808dde8a03a6be31f9d93981ff7a73f9a8d33b1c6d9a099183948da5dab335
Instruction Fuzzy Hash: 38C1E8B0D0DA5D8FEBA5EF68C8557E8BBB1EF59301F5000EAD04DE3692DA349981CB40

Function 00007FFB4ACD7D35 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc54d2252514d4189f2e22ff74d6b2e96f9d5fcaf6dc2e527366547aa0afcd18
Instruction ID: 5e345c30fc7687efdd4b5c49c4962dfa92f31d4771a57b221844e8623c9ecde9
Opcode Fuzzy Hash: dc54d2252514d4189f2e22ff74d6b2e96f9d5fcaf6dc2e527366547aa0afcd18
Instruction Fuzzy Hash: FDC1E2B0D1861D8FDBA4EF68D941BEDB7B5EF59301F2001BAD40DE3692DA3469858B80

Function 00007FFB4ACD3F80 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6d336262eaa50318583b481727912d9ddcfc9dd59e7d7ceb9d3ace8f15ddbd
Instruction ID: b7e9076e247913e6794f60ac0cdc4ee918cef03009f3e168d4adf82ec3a5fc2e
Opcode Fuzzy Hash: 0e6d336262eaa50318583b481727912d9ddcfc9dd59e7d7ceb9d3ace8f15ddbd
Instruction Fuzzy Hash: 79B12693A0E6C20FE356EF7CED651E97FA4DF8222472801FBD0C88E197DD18594A8395

Function 00007FFB4ACD3FA0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3adff724ea670738512551adf20b806bb871dc6acd85b4e5d50bef3478b2a51
Instruction ID: b62f9c123891ee765fbc557628fce0498ab30d09e0821978d4f15b50638089ca
Opcode Fuzzy Hash: e3adff724ea670738512551adf20b806bb871dc6acd85b4e5d50bef3478b2a51
Instruction Fuzzy Hash: AAA12793A0E6C21FE356EF7CED651E97FA4DF8222072841FBD0C88A1D7DC18594A8395

Function 00007FFB4ACD3FC0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c72026d4bba19fdeb414316ea1195e1fa238597f59f921d2c2686a29d2bb766
Instruction ID: c87b5062d9f0d62dfd468433be90601d7777c1e6936367447a31e8c76caf76c0
Opcode Fuzzy Hash: 0c72026d4bba19fdeb414316ea1195e1fa238597f59f921d2c2686a29d2bb766
Instruction Fuzzy Hash: 91A12993A0E6C20FE356EF7CED651E97FA4DF8222072801FBD1C88A1D7D818594A83D5

Function 00007FFB4ACD3FE0 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bbdbb04a8cb0ffefde7f696992e0a7c9d3e3d2253e88011468e41fe2e83ac3
Instruction ID: 4efec9e80b452bbb808f1f2c4b08084153b6c34cb7e64dc8c2e292af857923ec
Opcode Fuzzy Hash: 22bbdbb04a8cb0ffefde7f696992e0a7c9d3e3d2253e88011468e41fe2e83ac3
Instruction Fuzzy Hash: 1F910A93A0E6C20FE356EF7CED551E97FA4DF9222072801FBD1C88A1D7D818594A83D1

Function 00007FFB4ACD8919 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaa83600ef43cc080646cc29d6f51a864253c160b45ca2cbe12e507e31309e4
Instruction ID: fced8bc05d4e053d1e5e895d31c6ec873f5e0ec1612d728518d09dc71278e329
Opcode Fuzzy Hash: edaa83600ef43cc080646cc29d6f51a864253c160b45ca2cbe12e507e31309e4
Instruction Fuzzy Hash: 3BA17CB0D0D65D8FDB95EFA8C8946EDBBB4FF19300F5401AAD04DE7692CA346886CB40

Function 00007FFB4ACD4010 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb5992c46db0a3d35862da2bf8798d3f6f39a32d898a5c490b28aefd13d2ed4
Instruction ID: d5cdc5a8b22841f1b020442a353f075037d356cde10c478dd95b635ceea2f0f6
Opcode Fuzzy Hash: 0cb5992c46db0a3d35862da2bf8798d3f6f39a32d898a5c490b28aefd13d2ed4
Instruction Fuzzy Hash: 9D810993A0E6C20FE356EF7CED552E97FA4DF92250B2801FBD1C88A1D7D818594A8391

Function 00007FFB4ACD81A9 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2992df153d49d7aab24de1846830b00f657529aca77b135445682cbd87e5b1de
Instruction ID: bd7ee90f9aff9231c307c5f6cadf6a721966382cb8ffd560863df565dd5c5f3c
Opcode Fuzzy Hash: 2992df153d49d7aab24de1846830b00f657529aca77b135445682cbd87e5b1de
Instruction Fuzzy Hash: 8A81E7B1D0991D8FEBA4EF68C9557FCB6B5EF59301F6000A9D04DE3692DA38A981CB40

Function 00007FFB4ACD14A1 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017725a8365c71952d0d5e9d73de32159ce59217e7bd110740ac65f3054487c2
Instruction ID: 9f4206a603e2ffd74de8caf18fd1ff3fd00537293631d1c97f9af56be7c81b10
Opcode Fuzzy Hash: 017725a8365c71952d0d5e9d73de32159ce59217e7bd110740ac65f3054487c2
Instruction Fuzzy Hash: 0081E56054DAD95FE746E7BC8869AEEBFE0EF46200F4804EED0C9DB5D3DE1864068741

Function 00007FFB4ACD2481 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f09ee7004d7173f0d39ad294a0b03bba46640dfe6f17267f565daea0f3bcc7
Instruction ID: e47d934b8c05a072a65cd32ad12ce14a6b97f6618f8982ed2f4c54926922d6fd
Opcode Fuzzy Hash: 38f09ee7004d7173f0d39ad294a0b03bba46640dfe6f17267f565daea0f3bcc7
Instruction Fuzzy Hash: 2B71C07090D6999FEB96EF78C8696E9BBB4EF16300F5001E9D08D97293CE385946CB40

Function 00007FFB4ACD1348 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09a0b5a4e16f12a0626f1b044bd97f1bc35f9e5a47b1d6a2713f40968edb3ea
Instruction ID: 77da76babcd77cefd47af7379c51ea18c99754fd6fd3e671d63aca5b174f5468
Opcode Fuzzy Hash: f09a0b5a4e16f12a0626f1b044bd97f1bc35f9e5a47b1d6a2713f40968edb3ea
Instruction Fuzzy Hash: 5C5109B5D0CA5D8FEB94EF68CC557AC7AF5FB69300F1440A9D04EE3692CA349985CB40

Function 00007FFB4ACD8D35 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bbbddd3ef95668b4967b592bfe67b1a45d05033a979516c037c17a61e79199
Instruction ID: d99943756244583f3495c5ca8a62b34d735080df4515a9b0ab1cdd80feeae121
Opcode Fuzzy Hash: 22bbbddd3ef95668b4967b592bfe67b1a45d05033a979516c037c17a61e79199
Instruction Fuzzy Hash: 0D517BB0D0D55D8FDB91EFA8C8946EDBBF1FF58300F1441AAD449E7696CA385881CB40

Function 00007FFB4ACD4539 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4498de714f56616f8f69db16fa55a7e0392fc59f958adcb288f7c1f26ce038cf
Instruction ID: a949e6bde773bf03111a179faac115197cfd387b27fedeabece0b8d16bc9cfb9
Opcode Fuzzy Hash: 4498de714f56616f8f69db16fa55a7e0392fc59f958adcb288f7c1f26ce038cf
Instruction Fuzzy Hash: 2E51937090DA9D8FDF95EF68C854AEDBBB1FF59310F1401AAC049E7296DB349842CB41

Function 00007FFB4ACD779E Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc2e2bd3d034d11707aab35adf886bc4669098788b9dd8870e4d7943f0bf0cd
Instruction ID: 5b2432046bef483579e12796d6764796df11ccffa84ceddcd81625e25cb4f9e4
Opcode Fuzzy Hash: 8bc2e2bd3d034d11707aab35adf886bc4669098788b9dd8870e4d7943f0bf0cd
Instruction Fuzzy Hash: 336195B0D4896E8EDBE8EF68C954BA8B7F5FB28301F1041EAD00DE7691DB7559848F40

Function 00007FFB4ACD75D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bfb46afc3918d3d9e7c6ad6c120388f684318d4a21ede4944c3364d4c711f1
Instruction ID: f92c4e06471aa277d789c1b4cdec43902c15160087e4173c6f2dfd4dedc30fe9
Opcode Fuzzy Hash: c5bfb46afc3918d3d9e7c6ad6c120388f684318d4a21ede4944c3364d4c711f1
Instruction Fuzzy Hash: D05133B0D086598FDB99EFA8C8557EDBBB1FF19300F1401AED44DE7282DA385984CB51

Function 00007FFB4ACD961D Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c36aa85c79f8a0f14d1fa8730ef22f5c3969261e773bf319a8082a4ea547fd6
Instruction ID: 5296987f38dfdd8441e559dc12d3093064f07dff5216238fc88c86d6d8fc46d2
Opcode Fuzzy Hash: 6c36aa85c79f8a0f14d1fa8730ef22f5c3969261e773bf319a8082a4ea547fd6
Instruction Fuzzy Hash: 01415AB4D0865D8FDB85EFA8D8446EDBBF4FF59300F1000BAE449E3692DA789941CB80

Function 00007FFB4ACD6DA2 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed22b3ac8c8c326ae377b3de7c0d255fccfe1bdc07d41b72d4e30732af94d172
Instruction ID: beb40a2e9799ca1692176fb9b6e06e9012efe4f32020100e427ff7cc6bb68d39
Opcode Fuzzy Hash: ed22b3ac8c8c326ae377b3de7c0d255fccfe1bdc07d41b72d4e30732af94d172
Instruction Fuzzy Hash: D8515B7091D9AD8FEB91EB6888997EDBBF1EF59300F1045EAC48DD3162CE3499C18B40

Function 00007FFB4ACD6408 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658ac3deb810b3089524681ea65d5ed6e7d1f744944a9a6d3ce6fb08fc2817dd
Instruction ID: 3b42331bd5e67db71eeb50ea8b85443699345a97f479cd381d5f2a1610594dfd
Opcode Fuzzy Hash: 658ac3deb810b3089524681ea65d5ed6e7d1f744944a9a6d3ce6fb08fc2817dd
Instruction Fuzzy Hash: 13416CB4C0C65D8FDB94EF68D8486EDBBF5EF45310F1001ADD04EA7A92CA386845CB80

Function 00007FFB4ACD7FB9 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43084792037661ae69ecbe1d1f054e442f89105d66cd9a1b388e6f7d31aa3f2a
Instruction ID: 41f80f7a57a9f94765510e51a19ead4740993f1c5d28148f067e64122e67ab28
Opcode Fuzzy Hash: 43084792037661ae69ecbe1d1f054e442f89105d66cd9a1b388e6f7d31aa3f2a
Instruction Fuzzy Hash: EE419CB0D0DA5D8FDB95EF68D8417E97BB1FF59301F1001BAE409D3292CA386885CB81

Function 00007FFB4ACD9155 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80f2fbad59a90738b2315bd4422e3d7d4d8d50d14b951d2b40c380bb9cff673
Instruction ID: 50ec98f15e60300b93fd93060cd43ff71437f4acf6b4741d7f16f0b00f156720
Opcode Fuzzy Hash: d80f2fbad59a90738b2315bd4422e3d7d4d8d50d14b951d2b40c380bb9cff673
Instruction Fuzzy Hash: D1415AB5D0CA5D8FEB94EF68DC553BC7AA9FF59300F1410AAD04ED3A92CA349944CB41

Function 00007FFB4ACD4180 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5906d1e67d082f90ab9378bd79baedabb9f3f9ed16ccc659b6d9ae3b783eb8b6
Instruction ID: ec2237ca85d767f46965826648a7a27ace125ed97f0d251d4500bdb219b5a418
Opcode Fuzzy Hash: 5906d1e67d082f90ab9378bd79baedabb9f3f9ed16ccc659b6d9ae3b783eb8b6
Instruction Fuzzy Hash: 2241E3A690D9C94FE791EF78DE552A97FA0EF46200F1804FED488C7183C9289845C341

Function 00007FFB4ACD1E15 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32390ddc6350008dfab2ab2d5b5de91c32e0823347eb9a51bd669be227c958d6
Instruction ID: fe30dfbb709d8b4e9737730abe7282775431f7a07ad4a1bf8acc5645b90b7176
Opcode Fuzzy Hash: 32390ddc6350008dfab2ab2d5b5de91c32e0823347eb9a51bd669be227c958d6
Instruction Fuzzy Hash: 4541E1B190AA9A8FD796DF28C8582EDBFB0EF06311F4405EEC049DB6D2DB345985CB41

Function 00007FFB4ACD3647 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95625e6365038bbf4f9e4c5c4108abb2229e54cad25f8c3b2c145f37010cb24f
Instruction ID: 0fa843c69637ed366d94ecf4f8d4fa32c16c95fb1295182b7c7f3be5f0a06d24
Opcode Fuzzy Hash: 95625e6365038bbf4f9e4c5c4108abb2229e54cad25f8c3b2c145f37010cb24f
Instruction Fuzzy Hash: 764126B188E6898FD756AF309D124E6BBB8DF02320F1501FBD04CCB993C62D5686CB91

Function 00007FFB4ACD4160 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0bb046c0721890efcd056fe5bf08cb78d5c2f5dc987dc59785a6bced254e2c
Instruction ID: 0d44c1568914ae307db7ed0bad9a222dbdd70c2bd802750b2ad21da3038abacb
Opcode Fuzzy Hash: 5e0bb046c0721890efcd056fe5bf08cb78d5c2f5dc987dc59785a6bced254e2c
Instruction Fuzzy Hash: 8D4125A550D6CA0FE782EF78DD616E97FA0EF56210B1800FFD4C8CB193C928580AC391

Function 00007FFB4ACDAD09 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc312bf636f1a3ec46d8f6b84377912025c5a4ec9de3654cfdff15048c83f8e
Instruction ID: 25c2410deaf6fe7f77a56ca05ed5f950b2748255ace5da77c0557dd78c339419
Opcode Fuzzy Hash: 7dc312bf636f1a3ec46d8f6b84377912025c5a4ec9de3654cfdff15048c83f8e
Instruction Fuzzy Hash: 4E31EE70C0D68D8FDB81EF74C8516EDBBF1EF86300F5440AAD049E7592CA385846CB40

Function 00007FFB4ACD6AE2 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502bc3d3df8703d401f537e77c035ae86d2070ad16e4aa34910a266d0a48a806
Instruction ID: c4b6f5e903017976dc706fb9d6eb0b1593d1bd1ba0eb6530c3163d252d7332b3
Opcode Fuzzy Hash: 502bc3d3df8703d401f537e77c035ae86d2070ad16e4aa34910a266d0a48a806
Instruction Fuzzy Hash: 7B314D6054E6D65FD343D7B84CA96EB7FA4DF0B204B0804EAD4C6CF1A3D658541BC392

Function 00007FFB4ACD6F4A Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fd8a171bc840b37093eeb9354d648502db5ab60ede0e58752b97545b7bec93
Instruction ID: fcf00377d7f0a90a3b1a007e9599a4675cff9c862c2760ba2b97280cbb88cbc1
Opcode Fuzzy Hash: 53fd8a171bc840b37093eeb9354d648502db5ab60ede0e58752b97545b7bec93
Instruction Fuzzy Hash: B2411D709089A98FDB95EF68C8956EDBBB1EF59300F5041EAD04DE76A2CA345A85CF00

Function 00007FFB4ACD6D37 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbeb5eb374e88dcac5fd2cda979a8809ecb8ac9a1a3f06bcc29db955a8423b1
Instruction ID: 1fbfa8819053e6a7cd5035e54cb3409fb53a7b792cc29c1ef33f592ffce1d3a1
Opcode Fuzzy Hash: 5dbeb5eb374e88dcac5fd2cda979a8809ecb8ac9a1a3f06bcc29db955a8423b1
Instruction Fuzzy Hash: 43416D7090D65A8FCB55EFA8C895AEDBBF1EF59300F1045ADC04ADB295C735A845CB40

Function 00007FFB4ACD3958 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17ebccceeaee07ec1f992e91d403a853814506e87c2956ae1bc73b13d7e45f5
Instruction ID: fd02d8fe256bd65b15ab7f46bfe9a178b3108ec3b0929426cd2ee30595de2f8e
Opcode Fuzzy Hash: a17ebccceeaee07ec1f992e91d403a853814506e87c2956ae1bc73b13d7e45f5
Instruction Fuzzy Hash: B721B1B2D0D90E8EEB99EEA4D8412FD77A5FF54700F2011B9D04DA6642DF3DA9468B80

Function 00007FFB4ACD1C2D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb92cb321a694a2a3f93774ad1c32aeada830998a5f60464c63cbc94129590d
Instruction ID: f91a64751baad8448754ea6c6b6bdaec9db9a3dd6c5d6e577871b653cacfb9c4
Opcode Fuzzy Hash: 9cb92cb321a694a2a3f93774ad1c32aeada830998a5f60464c63cbc94129590d
Instruction Fuzzy Hash: 7B21F8D290E7C55EE346EF789D651B97FA4EF86200F5800FBD4C88B493E9185A85C352

Function 00007FFB4ACD435D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7304b522bedab7434829a3ccb9941627a52c429b715727e763d926d0581cf9cc
Instruction ID: 31ee921c5144ce1e69154d24f6092feb182f0370fe3127758ce8d2f055cf9137
Opcode Fuzzy Hash: 7304b522bedab7434829a3ccb9941627a52c429b715727e763d926d0581cf9cc
Instruction Fuzzy Hash: 7521287095E85E8FD785FF68DE516FDB7B5EF86200F9118B8D01993AD3CE696C008640

Function 00007FFB4ACD5C08 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6098c7e117ace6d6428e06e4f6038959b33fb817a29c2664e5de2eaa1f90a21a
Instruction ID: 9b97156288b57cc80bd85cef59843c22cc9c4fbc13ffa9382c01985f705d05f7
Opcode Fuzzy Hash: 6098c7e117ace6d6428e06e4f6038959b33fb817a29c2664e5de2eaa1f90a21a
Instruction Fuzzy Hash: 3B21387050D5455FDB96EF38C8C5AA67BD4EF55310B2482F9D4488F59BD928E892C380

Function 00007FFB4ACDAF55 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac6fbddcc5b8f5e39a45941d578ab6d0512cc90ccefd95592eec19bee1b2b26
Instruction ID: 9684f37b8b55d64c24717655a261b987af313b3c9c4a62529700e526823ef1ef
Opcode Fuzzy Hash: fac6fbddcc5b8f5e39a45941d578ab6d0512cc90ccefd95592eec19bee1b2b26
Instruction Fuzzy Hash: 4B2182B4D0D61A8AEBE5FE24CE017FDB2A4EF84300F6045F9D45D92983DE3869458B81

Function 00007FFB4ACD94F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d2abda0cf34ea477eaf07e90016d8788deef77250056e65c8294e7b52a827e
Instruction ID: 8d789bb8f261ee6ef639568cf9bc469a3ef37ac95e561001b020baab2919361a
Opcode Fuzzy Hash: 49d2abda0cf34ea477eaf07e90016d8788deef77250056e65c8294e7b52a827e
Instruction Fuzzy Hash: 90218E75A0895D8FDB85EFA8D8146FEBBF0FF58301F00057AE408D3692DA385945CB80

Function 00007FFB4ACD36E5 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46909f4e6263920aa896acecc26f05779edb05b7c841b186ae3f3ade14db576c
Instruction ID: 5d70404c7f5e3ce347b2853ebee5b0e9b2c398ed6db128ab024c77804e63132f
Opcode Fuzzy Hash: 46909f4e6263920aa896acecc26f05779edb05b7c841b186ae3f3ade14db576c
Instruction Fuzzy Hash: B221D8B188E6C19FD7575B306D634E27F789F03224B1A01F7E0988AC93C50D1297C3A2

Function 00007FFB4ACD16F5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c78a9e13a4c9be01b870c4794ae7f8a46d8d49a5bd8b1e5239be883e460d9b9
Instruction ID: 64f7869a072734fdc422c59487d88820c254deaea8c593dad0fbc46b783c4706
Opcode Fuzzy Hash: 5c78a9e13a4c9be01b870c4794ae7f8a46d8d49a5bd8b1e5239be883e460d9b9
Instruction Fuzzy Hash: C621B670A095994FD742EB6CC899AAEBFF1EF4A300B4445E9C489CB197DA249846C780

Function 00007FFB4ACD8AF8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413e9752406ecf3a70f853b79c5ad471650b2da2b11d2e1d4f254587d4592bb5
Instruction ID: e3b0c8eb72068053c4d4cf06b62fba710d85e2d730bd6b8d9fc7d46aaf8c2c6b
Opcode Fuzzy Hash: 413e9752406ecf3a70f853b79c5ad471650b2da2b11d2e1d4f254587d4592bb5
Instruction Fuzzy Hash: 8F21B4B090D94D9FEB81FFA8CC556EEBBB0EF49300F5005F5D089D71A2CA24984587C0

Function 00007FFB4ACDBD60 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c86f6cd3adfdfcb5c31a59d6d13be25e88bf768827181a59994dd702f310f8
Instruction ID: b6ae02740e2b3b3e3b03baf489bb5430d2478fd3f5246c5178ca8051b581cfd2
Opcode Fuzzy Hash: f1c86f6cd3adfdfcb5c31a59d6d13be25e88bf768827181a59994dd702f310f8
Instruction Fuzzy Hash: 23214FB190C55C8FDB85EFA8C895AEDBBF1FF58304F5400A9C04AEB692CB396845CB54

Function 00007FFB4ACD6C49 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492999c00d18dac12351084379217762c648d2ad295a75b4aa6f78c61163d9f0
Instruction ID: 529bae121fd427da75debcf3f3788b11052685374da013e0ba0d36a412431590
Opcode Fuzzy Hash: 492999c00d18dac12351084379217762c648d2ad295a75b4aa6f78c61163d9f0
Instruction Fuzzy Hash: 4321D37080D79A5FC716DFB8C8A96EEFFB0EF06340B5445DEC8859B196C239A406CB40

Function 00007FFB4ACD976D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99affaa8106d70171b754e9ed717a46dd0a2bf684e4113bd88a606ed62bd44b
Instruction ID: 772f6cb15f8049bcf6a7319e7385c4d2ddf93059e1830a9f3a933b1bd902e0a7
Opcode Fuzzy Hash: b99affaa8106d70171b754e9ed717a46dd0a2bf684e4113bd88a606ed62bd44b
Instruction Fuzzy Hash: 7E11047580DA8E8FE792EE68CC543E97BE5EF45300F0400FAC049D3592DE6859458781

Function 00007FFB4ACD1C58 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55fb2b840acf8d8a1841cf421a012c714f2cf493b2bb5ef8c829fedcb8cb1e9
Instruction ID: b460a5f9f21ec75ef0387459ea835981b24f1edae4aa7295c112c33554d664e0
Opcode Fuzzy Hash: d55fb2b840acf8d8a1841cf421a012c714f2cf493b2bb5ef8c829fedcb8cb1e9
Instruction Fuzzy Hash: AB11E9E290E7C95EE342EF789D551F97FA4EF86200F1804FAD4C9874D3E9185985C391

Function 00007FFB4ACD4730 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b574e6c986c800ef1a964732a947a37543a317e96d100f0ffac95eb4a2e54cf2
Instruction ID: 632da418dfb34824098e5868e42d6d362b794898a173a4971d4e4fdc1da62c14
Opcode Fuzzy Hash: b574e6c986c800ef1a964732a947a37543a317e96d100f0ffac95eb4a2e54cf2
Instruction Fuzzy Hash: E201268250E9D25FE7AAAB7C2D691E4AFD1CF8615070D01FAC0C88B5C7E54818864381

Function 00007FFB4ACDAEB2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff735aa3f88e273be3ac97d1340812b313ac9b9edc5b2f5fbbdf0501f852111
Instruction ID: 630e876de63c1c25b4a9521450b8bd12a26865cc53b6dc2e4fdd315bd711beb7
Opcode Fuzzy Hash: cff735aa3f88e273be3ac97d1340812b313ac9b9edc5b2f5fbbdf0501f852111
Instruction Fuzzy Hash: 9B11C17080E38A4FE7A6EF30CC012E57BE5EF86300F0500FAE448C7192DA794955CB91

Function 00007FFB4ACD3D51 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66fb93cfd72e72e6b162753f8eab32ab942d74a82a9881050ee0ccb95c783a8d
Instruction ID: d8d13d1d69a3f2f5e418cc330bc785cbd1b5695c20bd5e968c23ffc7b71d68fd
Opcode Fuzzy Hash: 66fb93cfd72e72e6b162753f8eab32ab942d74a82a9881050ee0ccb95c783a8d
Instruction Fuzzy Hash: E011217040E2C94FD753EF38CD146E63FB4EF1A200B1801EAD499CB293C62C850ACB91

Function 00007FFB4ACD1C68 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543b7a16e5f8b3d66c797b120df8a9ef27a7e68040577847a067c698e7900a4f
Instruction ID: 12d43e8ca29a84277006d2809246fcc8b7801f438ce4dd586efafd2905243b31
Opcode Fuzzy Hash: 543b7a16e5f8b3d66c797b120df8a9ef27a7e68040577847a067c698e7900a4f
Instruction Fuzzy Hash: 6811E9A290E6C95EE346FF789D551B9BFE4EF85200F1404FAD4C9CB0D3E9285985C392

Function 00007FFB4ACD959D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564f2f318ee3f13816e04f3b3537804362231feb1884675112af72a736620678
Instruction ID: 29b94a9c26c72d086b078461b02b08a916c30d7958a4fed6cfce836bd2cac106
Opcode Fuzzy Hash: 564f2f318ee3f13816e04f3b3537804362231feb1884675112af72a736620678
Instruction Fuzzy Hash: A811D6B5D1851DCFDF84EFA8D844AEDBBB4EF58301F60047AE009E2692DB355981CB40

Function 00007FFB4ACD72B8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabe78f14a9aaef8008c011e84266e386c2afc9b95b005399a03d08667f1546d
Instruction ID: d44572cdfad80a9d9ec98b563314266dc82db09c0e3f487c453c88bac9595f2b
Opcode Fuzzy Hash: dabe78f14a9aaef8008c011e84266e386c2afc9b95b005399a03d08667f1546d
Instruction Fuzzy Hash: F111D3B0D08A5C8FDB94EF68C8597A9BBF1EF59301F5041EA804EE7266CB345881CB01

Function 00007FFB4ACDAF94 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8940a9553d1b1f3def691c4d1b33838916d486ae96cfbc7f883b1f47ed1dc03
Instruction ID: 98c916026079fc80ebe466ae487eb7e0a07191eb3f380f95c570ae578bc496b5
Opcode Fuzzy Hash: a8940a9553d1b1f3def691c4d1b33838916d486ae96cfbc7f883b1f47ed1dc03
Instruction Fuzzy Hash: BA01C0B1D0D25A8EEB92EF20CC127ED7BB4AF12300F6540F6D05D97983D93828498B91

Function 00007FFB4ACD640D Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b3f24d071cfd31349c916164e60522bfe96b0a0ff0054363af5811a0cd6cf
Instruction ID: b6c17e2188cf0755367b5c922f15660eb5d9ef0f10f364959043fb25dc591cfd
Opcode Fuzzy Hash: 194b3f24d071cfd31349c916164e60522bfe96b0a0ff0054363af5811a0cd6cf
Instruction Fuzzy Hash: 17015E9270E6C14FD742EF3D9D762E57FA4EF0251476C41F7C8C98B497EA04A01A8258

Function 00007FFB4ACD8975 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba4c2abae82bbce8c1f7a96c4a54f0adccfcddd653b0742a244bb55b45be897
Instruction ID: d417823e31a15426e34036587d1e19e9a592a7b2552a540d47ef1e69a419147c
Opcode Fuzzy Hash: 6ba4c2abae82bbce8c1f7a96c4a54f0adccfcddd653b0742a244bb55b45be897
Instruction Fuzzy Hash: 4901A5709196598FEB95EF68CC94BA9BBB5FF49304F1041E9D44DE3262DE386982CF00

Function 00007FFB4ACD8A76 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f992b85779533f1ecfcede7b83408e0f083d8213465b70d8860838b782a7fba
Instruction ID: 96473c0e3dabf1caebf3d4e1861aca15b36831735d4ddc16fea78d9d1b5effa7
Opcode Fuzzy Hash: 5f992b85779533f1ecfcede7b83408e0f083d8213465b70d8860838b782a7fba
Instruction Fuzzy Hash: CB019271D0821D8FCB94DFA8D880AEDB7B5FF49311F50406AE019A7641DB34A885CF40

Function 00007FFB4ACD8C9D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3feff3f59b653d309285feaa4e009a2a11e3609ba3e6501558acf62f8e844d
Instruction ID: 06af29b55040d679b0c30bcfb5363f101fd7f063c481638a38a8a1358adbf231
Opcode Fuzzy Hash: 3c3feff3f59b653d309285feaa4e009a2a11e3609ba3e6501558acf62f8e844d
Instruction Fuzzy Hash: BDF0279340DAD60FE3A59A6D2DAA1947FD0CF8A15034C01EFC0848B197E48958474381

Function 00007FFB4ACDAFC4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf83de2124ae892ad06e9614e95317cacfff03be6933de129fafcd171cae133
Instruction ID: 7a4fd5f33787c36761e2a2fb431fd68bb614e2b507f8bb9f7b91d5f69dff9fc8
Opcode Fuzzy Hash: 4cf83de2124ae892ad06e9614e95317cacfff03be6933de129fafcd171cae133
Instruction Fuzzy Hash: 06F0FFB1D1D5298ADBA0FF24D9517FDB374AF14300F5055F5D01EA2583DE3469858F80

Function 00007FFB4ACD430D Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1832819d1d2d8d534afba9a3072c1bf3f036f5aa8c92f6db9abf83a79328feae
Instruction ID: 03abf12d799aded45916bc2b17506097f0725137e5b093e297f340f1d7c6bd2c
Opcode Fuzzy Hash: 1832819d1d2d8d534afba9a3072c1bf3f036f5aa8c92f6db9abf83a79328feae
Instruction Fuzzy Hash: 3FF082E1C6E24A8BE791BF788F5A1F97E54EF42300F5419F6E54845883DE58A1148641

Function 00007FFB4ACD1818 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cf687f84d8d98a3efd538f75e07b0a019f3919fb9afe3cf602f9fa1aa56ab9
Instruction ID: 53fb2f41fd4596538b661e2102050fea3c201e33dd671ef894614024eefdde19
Opcode Fuzzy Hash: c5cf687f84d8d98a3efd538f75e07b0a019f3919fb9afe3cf602f9fa1aa56ab9
Instruction Fuzzy Hash: B5F0A0A161D6D20FE356DB7C8CA56EABF92EF87190B8805EAC0C5CF1EBDA1418078741

Function 00007FFB4ACD3B81 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ff7ff48f7d9a9ba1c0afbfb4d6569b3c4d912f966874ce28fac82bc92a752b
Instruction ID: f443d150791ee7d5950acf199602e7c55253743d63fb441ec5b590b83ef2c682
Opcode Fuzzy Hash: 69ff7ff48f7d9a9ba1c0afbfb4d6569b3c4d912f966874ce28fac82bc92a752b
Instruction Fuzzy Hash: A1E092B2C0D6898FDB66EE648E152E87F64AF05310F0401EAE5488A583EB689218C791

Function 00007FFB4ACD4271 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5e7a4cf92d795aa59c5377f618986c901cee9d173334f1326c4049ee5e14b4
Instruction ID: dca0d30631820f6839e4bef502d7e5ee6e1bcfaffe169bbb44d6e9ab7b3da337
Opcode Fuzzy Hash: 6f5e7a4cf92d795aa59c5377f618986c901cee9d173334f1326c4049ee5e14b4
Instruction Fuzzy Hash: 1EE022F6C0D28C8FD752AF608E022E87F20AF05300F0501EAE54886083DA68D1148781

Function 00007FFB4ACD42BD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dd99487ef42610adda8ed47d17e5c934f7e90c8521bfc04edeff7db3274281
Instruction ID: f92901f2cac1c1695c81bfa60b2d1b28b71145184c782e16cd7905d5166630a4
Opcode Fuzzy Hash: b7dd99487ef42610adda8ed47d17e5c934f7e90c8521bfc04edeff7db3274281
Instruction Fuzzy Hash: 0DF082B5C5E28E4AE755FF34CF9A1F97A54EF02300F541AFAD508829C3DA18A5148641

Function 00007FFB4ACD709B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49baa8d1e24d5c28fa1aadad7f5de7a0270d3cb132c5d2e40bf96ee4505240cd
Instruction ID: f07d913a0018c3bbcd0c73719dae6808d782ac3c2d0cbfb3a20f39c04fd8c7c4
Opcode Fuzzy Hash: 49baa8d1e24d5c28fa1aadad7f5de7a0270d3cb132c5d2e40bf96ee4505240cd
Instruction Fuzzy Hash: 36E092B09099AC4FCB91EF5C88507DABBF1DF5A300F5040D5C08D87112CA345D41CB40

Non-executed Functions

Function 00007FFB4ACD0B58 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

";9, xrefs: 00007FFB4ACD0B7E
#C9, xrefs: 00007FFB4ACD0B76
$K9, xrefs: 00007FFB4ACD0B6E
!39, xrefs: 00007FFB4ACD0B86

Memory Dump Source

Source File: 00000000.00000002.1657631225.00007FFB4ACD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4acd0000_tyPafmiT0t.jbxd

Similarity

API ID:
String ID: !39$";9$#C9$$K9
API String ID: 0-1489306562
Opcode ID: 46c8e3df1ba81b52dba728a0a1063a2cef267841aeb99a2aceecf2e3ccec39b8
Instruction ID: 80f53f408c8ab33c77d58154fcfdfaac8928705da31db2fa6c0acc4e11b9984c
Opcode Fuzzy Hash: 46c8e3df1ba81b52dba728a0a1063a2cef267841aeb99a2aceecf2e3ccec39b8
Instruction Fuzzy Hash: 9EE0464FB2A8214294063BBFF0002C8039CDADA1373954AB7EB59CF29394407C8F82F8

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tyPafmiT0t.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: 44Caliber Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tyPafmiT0t.exe_47803c29e8a60989bb5bcd940187fa4c02d4def_49cefad2_10d69c00-b4b5-4722-a3d6-ded3be10235a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER193A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DEE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E1E.tmp.xml

C:\Users\Public\24a4ohrz.default-release\cert9.db

C:\Users\Public\24a4ohrz.default-release\key4.db

C:\Users\user\AppData\Local\Temp\tmp168A.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmp16BA.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp1719.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp172A.tmp.tmpdb

C:\Users\user\AppData\Local\Temp\tmp172B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp175B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp176B.tmp.dat

Windows Analysis Report
tyPafmiT0t.exe